Windows Analysis Report
drw_free_installer.17163939163819b153.exe

Overview

General Information

Sample name: drw_free_installer.17163939163819b153.exe
Analysis ID: 1445894
MD5: 6e3bc255dc7b79e452c66610c741eb95
SHA1: 972d9adbec19dd1277b4329fa13641847ca18c87
SHA256: bdb74a31956e7c2ce7a3c6344ac7265d84b735c1038a390168f01d6d9fa43b3a

Detection

Score: 23
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

AI detected suspicious sample
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to create an SMB header
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Potential key logger detected (key state polling based)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • drw_free_installer.17163939163819b153.exe (PID: 7416 cmdline: "C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe" MD5: 6E3BC255DC7B79E452C66610C741EB95)
    • EDownloader.exe (PID: 7440 cmdline: "C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe" EXEDIR=C:\Users\user\Desktop ||| EXENAME=drw_free_installer.17163939163819b153.exe ||| DOWNLOAD_VERSION=free ||| PRODUCT_VERSION=2.0.0 ||| INSTALL_TYPE=0 MD5: 8A250A75859FE52116E706A640E6D77C)
      • InfoForSetup.exe (PID: 7456 cmdline: /Uid "S-1-5-21-2246122658-3693405117-2476756634-1002" MD5: 99891AAA0E15B2A514A4FF5C9EC03F4D)
      • InfoForSetup.exe (PID: 7488 cmdline: /SendInfo Window "Web_Installer" Activity "Result_Run_Installer" Attribute "{\"Country\":\"Switzerland\",\"Pageid\":\"17163939163819b153\",\"Timezone\":\"GMT-05:00\"}" MD5: 99891AAA0E15B2A514A4FF5C9EC03F4D)
        • AliyunWrapExe.exe (PID: 7504 cmdline: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.Exe MD5: F3B9A2D94682FEE26FC079BA1E0FB040)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 72.8% probability
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F15090 CreateFileW,CloseHandle,CryptAcquireContextW,CryptCreateHash,GetFileSize,ReadFile,CryptHashData,CloseHandle,CryptGetHashParam,CryptGetHashParam,CryptGetHashParam,_sprintf,CryptDestroyHash,CryptReleaseContext,1_2_00F15090
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00FD3A40 CryptAcquireContextW,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,1_2_00FD3A40
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00FD3C80 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,1_2_00FD3C80
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 2_2_6E2B4D40 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,2_2_6E2B4D40
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 2_2_6E2B4B00 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,2_2_6E2B4B00
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 3_2_6C9F4D40 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,3_2_6C9F4D40
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 3_2_6C9F4B00 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,3_2_6C9F4B00
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: -----BEGIN PUBLIC KEY----- 1_2_00FA52D0
Source: EDownloader.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: mov dword ptr [esi+04h], 424D53FFh 1_2_00FB12F0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: mov dword ptr [esi+04h], 424D53FFh 2_2_6E2946B0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: mov dword ptr [esi+04h], 424D53FFh 3_2_6C9D46B0
Source: drw_free_installer.17163939163819b153.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: drw_free_installer.17163939163819b153.exe | Static PE information: certificate valid
Source: drw_free_installer.17163939163819b153.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: F:\testProject\AliyunLog\Code\UserInfoCollect\Release\AliyunWrapExe.pdb source: AliyunWrapExe.exe, 00000004.00000002.2889436492.0000000000A43000.00000002.00000001.01000000.00000009.sdmp, AliyunWrapExe.exe, 00000004.00000000.1671805830.0000000000A43000.00000002.00000001.01000000.00000009.sdmp, AliyunWrapExe.exe.0.dr
Source: Binary string: F:\testProject\AliyunLog\Code\UserInfoCollect\Release\InfoForSetup.pdb source: drw_free_installer.17163939163819b153.exe, 00000000.00000002.1643073592.000000000040A000.00000004.00000001.01000000.00000003.sdmp, InfoForSetup.exe, 00000002.00000002.1651145686.000000000034A000.00000002.00000001.01000000.00000006.sdmp, InfoForSetup.exe, 00000002.00000000.1647040740.000000000034A000.00000002.00000001.01000000.00000006.sdmp, InfoForSetup.exe, 00000003.00000002.1672647252.000000000034A000.00000002.00000001.01000000.00000006.sdmp, InfoForSetup.exe, 00000003.00000000.1668051537.000000000034A000.00000002.00000001.01000000.00000006.sdmp, InfoForSetup.exe.0.dr
Source: Binary string: D:\downloader2.0_drw\main\EDownloader\Release\EDownloader.pdb source: EDownloader.exe, 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp, EDownloader.exe, 00000001.00000000.1642539347.0000000001006000.00000002.00000001.01000000.00000004.sdmp, EDownloader.exe.0.dr
Source: Binary string: F:\testProject\AliyunLog\Code\UserInfoCollect\Release\AliyunWrap.pdbP% source: InfoForSetup.exe, 00000003.00000002.1675072188.000000006CA13000.00000002.00000001.01000000.00000007.sdmp, AliyunWrapExe.exe, 00000004.00000002.2890588150.000000006CA13000.00000002.00000001.01000000.00000007.sdmp, AliyunWrap.dll.0.dr
Source: Binary string: F:\testProject\AliyunLog\Code\UserInfoCollect\Release\AliyunWrap.pdbP%.n source: InfoForSetup.exe, 00000002.00000002.1653255235.000000006E2D3000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: F:\testProject\AliyunLog\Code\UserInfoCollect\Release\AliyunWrap.pdb source: InfoForSetup.exe, 00000002.00000002.1653255235.000000006E2D3000.00000002.00000001.01000000.00000007.sdmp, InfoForSetup.exe, 00000003.00000002.1675072188.000000006CA13000.00000002.00000001.01000000.00000007.sdmp, AliyunWrapExe.exe, 00000004.00000002.2890588150.000000006CA13000.00000002.00000001.01000000.00000007.sdmp, AliyunWrap.dll.0.dr
Source: Binary string: F:\testProject\AliyunLog\Code\UserInfoCollect\Release\InfoForSetup.pdbT source: drw_free_installer.17163939163819b153.exe, 00000000.00000002.1643073592.000000000040A000.00000004.00000001.01000000.00000003.sdmp, InfoForSetup.exe, 00000002.00000002.1651145686.000000000034A000.00000002.00000001.01000000.00000006.sdmp, InfoForSetup.exe, 00000002.00000000.1647040740.000000000034A000.00000002.00000001.01000000.00000006.sdmp, InfoForSetup.exe, 00000003.00000002.1672647252.000000000034A000.00000002.00000001.01000000.00000006.sdmp, InfoForSetup.exe, 00000003.00000000.1668051537.000000000034A000.00000002.00000001.01000000.00000006.sdmp, InfoForSetup.exe.0.dr
Source: C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe | Code function: 0_2_004065FD FindFirstFileW,FindClose,0_2_004065FD
Source: C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe | Code function: 0_2_00402868 FindFirstFileW,0_2_00402868
Source: C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe | Code function: 0_2_004059CC GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_004059CC
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00FE0C2E __getdrive,FindFirstFileA,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,1_2_00FE0C2E
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 2_2_6E2BCD5B __getdrive,FindFirstFileA,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,2_2_6E2BCD5B
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 3_2_6C9FCD5B __getdrive,FindFirstFileA,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,3_2_6C9FCD5B
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | File opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984\COMCTL32.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | File opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | File opened: C:\Windows\SysWOW64\KERNELBASE.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | File opened: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.2006_none_d94bc80de1097097
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | File opened: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.2006_none_d94bc80de1097097\gdiplus.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | File opened: C:\Windows\SysWOW64\KERNEL32.DLL
Source: global traffic | HTTP traffic detected: GET /product/index.php?c=main&a=getstatus&pid=2 HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: track.easeus.com | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00FAE0C0 recv,1_2_00FAE0C0
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Date: Wed, 22 May 2024 16:07:00 GMT | Content-Type: text/html; charset=UTF-8 | Content-Length: 21 | Connection: keep-alive | Server: Apache | Content-Encoding: gzip | X-Via: 1.1 luoshan65:1 (Cdn Cache Server V2.0), 1.1 fra13:1 (Cdn Cache Server V2.0) | X-Ws-Request-Id: 664e1822_kf98_16929-13800 | Data Raw: 1f 8b 08 00 00 00 00 00 00 03 33 00 00 21 df db f4 01 00 00 00 | Data Ascii: 3!
Source: global traffic | HTTP traffic detected: GET /product/index.php?c=main&a=getstatus&pid=2 HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: track.easeus.com | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: track.easeus.com
Source: global traffic | DNS traffic detected: DNS query: easeusinfo.us-east-1.log.aliyuncs.com
Source: unknown | HTTP traffic detected: POST /logstores/logstore_drw_ip/shards/lb HTTP/1.1 | Host:easeusinfo.us-east-1.log.aliyuncs.com | User-Agent: log-c-lite_0.1.0 | Accept: */* | Content-Type:application/x-protobuf | x-log-apiversion:0.6.0 | x-log-compresstype:lz4 | x-log-signaturemethod:hmac-sha1 | Date:Wed, 22 May 2024 16:06:59 GMT | Content-MD5:A1955387E255B9FDEE28F34DF281DDF5 | Content-Length:248 | x-log-bodyrawsize:255 | Authorization:LOG LTAIBDHwLKKvsH19:wEJEW14HDW8fOSJPTmTMg59xCU0= | Data Raw: f7 44 0a b7 01 08 a3 b0 b8 b2 06 12 17 0a 09 54 69 6d 65 73 74 61 6d 70 12 0a 31 37 31 36 33 39 34 30 31 35 12 17 0a 06 57 69 6e 64 6f 77 12 0d 57 65 62 5f 49 6e 73 74 61 6c 6c 65 72 12 20 0a 08 41 63 74 69 76 69 74 79 12 14 52 65 73 75 6c 74 5f 52 75 6e 22 00 f2 22 5b 0a 09 41 74 74 72 69 62 75 74 65 12 4e 7b 22 43 6f 75 6e 74 72 79 22 3a 22 53 77 69 74 7a 65 72 6c 61 6e 64 22 2c 22 50 61 67 65 69 64 22 3a 22 77 00 f0 00 33 39 31 36 33 38 31 39 62 31 35 33 22 2c 22 97 00 f0 48 7a 6f 6e 65 22 3a 22 47 4d 54 2d 30 35 3a 30 30 22 7d 1a 2e 53 2d 31 2d 35 2d 32 31 2d 32 32 34 36 31 32 32 36 35 38 2d 33 36 39 33 34 30 35 31 31 37 2d 32 34 37 36 37 35 36 36 33 34 2d 31 30 30 32 32 13 0a 0c 50 72 6f 64 75 63 74 00 62 61 64 20 12 03 64 72 77 | Data Ascii: DTimestamp1716394015WindowWeb_Installer ActivityResult_Run""[AttributeN{"Country":"Switzerland","Pageid":"w39163819b153","Hzone":"GMT-05:00"}.S-1-5-21-2246122658-3693405117-2476756634-10022Productbad drw
Source: InfoForSetup.exe, 00000002.00000002.1653255235.000000006E2D3000.00000002.00000001.01000000.00000007.sdmp, InfoForSetup.exe, 00000003.00000002.1675072188.000000006CA13000.00000002.00000001.01000000.00000007.sdmp, AliyunWrapExe.exe, 00000004.00000002.2890588150.000000006CA13000.00000002.00000001.01000000.00000007.sdmp, AliyunWrap.dll.0.dr | String found in binary or memory: http://./logstores//shards/lbContent-Type:application/x-protobufx-log-apiversion:0.6.0x-log-compress
Source: InitConfigure.ini.0.dr | String found in binary or memory: http://baidu.com
Source: EDownloader.exe, 00000001.00000002.2889462577.0000000000666000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://baidu.com7
Source: EDownloader.exe, 00000001.00000003.1670012501.00000000024BE000.00000004.00000020.00020000.00000000.sdmp, EDownloader.exe, 00000001.00000003.1670232846.00000000024BA000.00000004.00000020.00020000.00000000.sdmp, EDownloader.exe, 00000001.00000003.1670305223.00000000024BB000.00000004.00000020.00020000.00000000.sdmp, EDownloader.exe, 00000001.00000003.1704847679.00000000024BB000.00000004.00000020.00020000.00000000.sdmp, EDownloader.exe, 00000001.00000003.1704792281.00000000024BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://baidu.comJ
Source: EDownloader.exe, 00000001.00000002.2889462577.0000000000666000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://baidu.comq
Source: drw_free_installer.17163939163819b153.exe, AliyunWrap.dll.0.dr, EDownloader.exe.0.dr, AliyunWrapExe.exe.0.dr, InfoForSetup.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: drw_free_installer.17163939163819b153.exe, AliyunWrap.dll.0.dr, EDownloader.exe.0.dr, AliyunWrapExe.exe.0.dr, InfoForSetup.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: drw_free_installer.17163939163819b153.exe, AliyunWrap.dll.0.dr, EDownloader.exe.0.dr, AliyunWrapExe.exe.0.dr, InfoForSetup.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: drw_free_installer.17163939163819b153.exe, AliyunWrap.dll.0.dr, EDownloader.exe.0.dr, AliyunWrapExe.exe.0.dr, InfoForSetup.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: drw_free_installer.17163939163819b153.exe, AliyunWrap.dll.0.dr, EDownloader.exe.0.dr, AliyunWrapExe.exe.0.dr, InfoForSetup.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: drw_free_installer.17163939163819b153.exe, AliyunWrap.dll.0.dr, EDownloader.exe.0.dr, AliyunWrapExe.exe.0.dr, InfoForSetup.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: drw_free_installer.17163939163819b153.exe, AliyunWrap.dll.0.dr, EDownloader.exe.0.dr, AliyunWrapExe.exe.0.dr, InfoForSetup.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: InfoForSetup.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: drw_free_installer.17163939163819b153.exe, AliyunWrap.dll.0.dr, EDownloader.exe.0.dr, AliyunWrapExe.exe.0.dr, InfoForSetup.exe.0.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: InitConfigure.ini.0.dr | String found in binary or memory: http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/
Source: EDownloader.exe, 00000001.00000003.1643557910.0000000002460000.00000004.00000800.00020000.00000000.sdmp, EDownloader.exe, 00000001.00000002.2889462577.0000000000666000.00000004.00000020.00020000.00000000.sdmp, InitConfigure.ini.0.dr | String found in binary or memory: http://download2.easeus.com/api2/index.php/Apicp/Drwdl202004/index/
Source: EDownloader.exe, 00000001.00000003.1643557910.0000000002460000.00000004.00000800.00020000.00000000.sdmp, EDownloader.exe, 00000001.00000002.2889462577.0000000000666000.00000004.00000020.00020000.00000000.sdmp, InitConfigure.ini.0.dr | String found in binary or memory: http://download3.easeus.com/api2/index.php/Apicp/Drwdl202004/index/
Source: EDownloader.exe, 00000001.00000003.1643557910.0000000002460000.00000004.00000800.00020000.00000000.sdmp, InitConfigure.ini.0.dr | String found in binary or memory: http://download3.easeus.com/drw/drw16.2.0.0_ad_google_trial_x.exe
Source: EDownloader.exe, 00000001.00000002.2889462577.0000000000666000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://download3.easeus.com/drw/drw16.2.0.0_ad_google_trial_x.exe9
Source: EDownloader.exe, 00000001.00000003.1643557910.0000000002460000.00000004.00000800.00020000.00000000.sdmp, EDownloader.exe, 00000001.00000002.2889462577.0000000000666000.00000004.00000020.00020000.00000000.sdmp, InitConfigure.ini.0.dr | String found in binary or memory: http://download3.easeus.com/drw/drw16.2.0.0_free_x.exe
Source: EDownloader.exe, 00000001.00000003.1643557910.0000000002460000.00000004.00000800.00020000.00000000.sdmp, EDownloader.exe, 00000001.00000002.2889462577.0000000000666000.00000004.00000020.00020000.00000000.sdmp, InitConfigure.ini.0.dr | String found in binary or memory: http://download3.easeus.com/drw/drw16.2.0.0_trial_x.exe
Source: AliyunWrapExe.exe, 00000004.00000002.2889967549.0000000001600000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_drw_ip/shards/lb
Source: AliyunWrapExe.exe, 00000004.00000002.2889967549.0000000001600000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_drw_ip/shards/lb76756634-1002
Source: drw_free_installer.17163939163819b153.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: drw_free_installer.17163939163819b153.exe, AliyunWrap.dll.0.dr, EDownloader.exe.0.dr, AliyunWrapExe.exe.0.dr, InfoForSetup.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0
Source: drw_free_installer.17163939163819b153.exe, AliyunWrap.dll.0.dr, EDownloader.exe.0.dr, AliyunWrapExe.exe.0.dr, InfoForSetup.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: drw_free_installer.17163939163819b153.exe, AliyunWrap.dll.0.dr, EDownloader.exe.0.dr, AliyunWrapExe.exe.0.dr, InfoForSetup.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: drw_free_installer.17163939163819b153.exe, AliyunWrap.dll.0.dr, EDownloader.exe.0.dr, AliyunWrapExe.exe.0.dr, InfoForSetup.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: EDownloader.exe, 00000001.00000003.1643557910.0000000002460000.00000004.00000800.00020000.00000000.sdmp, EDownloader.exe, 00000001.00000002.2889462577.0000000000666000.00000004.00000020.00020000.00000000.sdmp, InitConfigure.ini.0.dr | String found in binary or memory: http://track.easeus.com/product/index.php/?a=statistics&p_type=m_drw_user_action_table
Source: EDownloader.exe, 00000001.00000003.1643557910.0000000002460000.00000004.00000800.00020000.00000000.sdmp, InitConfigure.ini.0.dr | String found in binary or memory: http://track.easeus.com/product/index.php/?a=statistics&p_type=m_drw_user_base_infos
Source: EDownloader.exe, 00000001.00000002.2889462577.0000000000666000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://track.easeus.com/product/index.php/?a=statistics&p_type=m_drw_user_base_infosfP
Source: AliyunWrapExe.exe, 00000004.00000002.2889749147.000000000129A000.00000004.00000020.00020000.00000000.sdmp, AliyunWrapExe.exe, 00000004.00000002.2889749147.000000000124E000.00000004.00000020.00020000.00000000.sdmp, AliyunConfig.ini.0.dr | String found in binary or memory: http://track.easeus.com/product/index.php?c=main&a=getstatus&pid=2
Source: AliyunWrapExe.exe, 00000004.00000002.2889749147.000000000129A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://track.easeus.com/product/index.php?c=main&a=getstatus&pid=23
Source: AliyunWrapExe.exe, 00000004.00000002.2889749147.000000000129A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://track.easeus.com/product/index.php?c=main&a=getstatus&pid=27
Source: AliyunWrapExe.exe, 00000004.00000002.2889749147.000000000124E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://track.easeus.com/product/index.php?c=main&a=getstatus&pid=2C:
Source: AliyunWrapExe.exe, 00000004.00000002.2889749147.000000000129A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://track.easeus.com/product/index.php?c=main&a=getstatus&pid=2K
Source: drw_free_installer.17163939163819b153.exe, AliyunWrap.dll.0.dr, EDownloader.exe.0.dr, AliyunWrapExe.exe.0.dr, InfoForSetup.exe.0.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: EDownloader.exe, 00000001.00000003.1643557910.0000000002460000.00000004.00000800.00020000.00000000.sdmp, EDownloader.exe, 00000001.00000002.2889462577.0000000000666000.00000004.00000020.00020000.00000000.sdmp, InitConfigure.ini.0.dr | String found in binary or memory: http://yiwo.easeus.com/
Source: EDownloader.exe, 00000001.00000003.1643557910.0000000002460000.00000004.00000800.00020000.00000000.sdmp, EDownloader.exe, 00000001.00000002.2889462577.0000000000666000.00000004.00000020.00020000.00000000.sdmp, InitConfigure.ini.0.dr | String found in binary or memory: http://yiwo.easeus.com/api/index.php/Home/index/licenseAgreement?lang=
Source: InfoForSetup.exe, InfoForSetup.exe, 00000003.00000002.1675072188.000000006CA13000.00000002.00000001.01000000.00000007.sdmp, AliyunWrapExe.exe, 00000004.00000002.2890588150.000000006CA13000.00000002.00000001.01000000.00000007.sdmp, AliyunWrap.dll.0.dr, EDownloader.exe.0.dr | String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: InfoForSetup.exe | String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html#
Source: EDownloader.exe, 00000001.00000003.1643557910.0000000002460000.00000004.00000800.00020000.00000000.sdmp, InitConfigure.ini.0.dr | String found in binary or memory: https://download.easeus.com/free/drw_free.exe
Source: EDownloader.exe, 00000001.00000002.2889462577.0000000000666000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://download.easeus.com/free/drw_free.exeni
Source: EDownloader.exe, 00000001.00000003.1643557910.0000000002460000.00000004.00000800.00020000.00000000.sdmp, EDownloader.exe, 00000001.00000002.2889462577.0000000000666000.00000004.00000020.00020000.00000000.sdmp, InitConfigure.ini.0.dr | String found in binary or memory: https://download.easeus.com/trial/drw_trial.exe
Source: AliyunWrapExe.exe, 00000004.00000002.2889749147.000000000129A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
Source: EDownloader.exe, 00000001.00000003.1643557910.0000000002460000.00000004.00000800.00020000.00000000.sdmp, EDownloader.exe, 00000001.00000002.2889462577.0000000000666000.00000004.00000020.00020000.00000000.sdmp, InitConfigure.ini.0.dr | String found in binary or memory: https://update.easeus.com/update/drw_eng/drw.ini
Source: EDownloader.exe.0.dr | String found in binary or memory: https://www.baidu.com/
Source: EDownloader.exe, 00000001.00000003.1643557910.0000000002460000.00000004.00000800.00020000.00000000.sdmp, InitConfigure.ini.0.dr | String found in binary or memory: https://www.easeus.com/datarecoverywizard/history.php?lang=
Source: EDownloader.exe, 00000001.00000002.2889462577.0000000000666000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.easeus.com/datarecoverywizard/history.php?lang=inst
Source: EDownloader.exe, 00000001.00000003.1643557910.0000000002460000.00000004.00000800.00020000.00000000.sdmp, EDownloader.exe, 00000001.00000002.2889462577.0000000000666000.00000004.00000020.00020000.00000000.sdmp, InitConfigure.ini.0.dr | String found in binary or memory: https://www.easeus.com/download-offline.html
Source: EDownloader.exe, 00000001.00000003.1643557910.0000000002460000.00000004.00000800.00020000.00000000.sdmp, InitConfigure.ini.0.dr | String found in binary or memory: https://www.easeus.com/privacy.htm?lang=
Source: EDownloader.exe, 00000001.00000002.2889462577.0000000000666000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.easeus.com/privacy.htm?lang=/histor
Source: EDownloader.exe, EDownloader.exe, 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp, EDownloader.exe, 00000001.00000000.1642539347.0000000001006000.00000002.00000001.01000000.00000004.sdmp, EDownloader.exe.0.dr | String found in binary or memory: https://www.google.com/
Source: EDownloader.exe, 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp, EDownloader.exe, 00000001.00000000.1642539347.0000000001006000.00000002.00000001.01000000.00000004.sdmp, EDownloader.exe.0.dr | String found in binary or memory: https://www.google.com/https://www.baidu.com/GMT
Source: C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exeCode function: 0_2_00405461 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00405461
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exeCode function: 1_2_00F4AB50 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,1_2_00F4AB50
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exeCode function: 1_2_00FD3A40 CryptAcquireContextW,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,1_2_00FD3A40
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exeCode function: 2_2_6E2B4B00 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,2_2_6E2B4B00
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exeCode function: 3_2_6C9F4B00 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,3_2_6C9F4B00
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exeCode function: 2_2_6E2792B0 SetEvent,CloseHandle,_memset,_memset,_memset,GetCurrentProcess,OpenProcessToken,CreateProcessAsUserW,CloseHandle,CreateProcessW,CloseHandle,CloseHandle,2_2_6E2792B0
Source: C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exeCode function: 0_2_0040338F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040338F
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exeCode function: 1_2_00F26110 ExitWindowsEx,1_2_00F26110
Source: C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe | Code function: 0_2_00406B15
Source: C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe | Code function: 0_2_004072EC
Source: C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe | Code function: 0_2_00404C9E
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F701B0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F742A0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F4C22B
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F90320
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F52450
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F91220
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F396C0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F8E060
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F141F0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F642D0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F18260
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F42240
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F3E3E0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F16390
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00FF84E1
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F38470
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00FF6426
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00FEC40D
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F6A5B0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F246C0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F206A0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F6E7A0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F1C780
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F3C710
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F2C820
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00FFA829
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F3E9F0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F929E0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00FEE909
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F16AA0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F40A80
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00FF8BD9
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F6EB60
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F30CA0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00FE4E73
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F26F50
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00FCEF40
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F7507C
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F8D050
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00FA1150
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F23110
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F6D2E0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F3B2B0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00FEF284
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F7D3E0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F39330
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00FD9320
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00FDB4D0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F2F460
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F2D590
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F83590
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F11500
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F436B0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F93670
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F8D880
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F3B860
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F33810
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F3D9B0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00FF599E
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F45930
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00FFBAE2
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F8FAC0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F17A50
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F55A20
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F51B60
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F3FC80
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F73C80
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F37C40
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F11D30
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F91D10
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F3DEF0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00FF5EE2
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F23EA0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F4BE70
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F7DE50
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 2_2_003457A7
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 2_2_6E277FF0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 2_2_6E2A6D40
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 2_2_6E2B9DBC
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 2_2_6E2D0DFD
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 2_2_6E2BDB10
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 2_2_6E278B90
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 2_2_6E2D08B9
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 2_2_6E2AC8C0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 2_2_6E2B69F0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 2_2_6E2D14F5
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 2_2_6E2AF530
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 2_2_6E2C6566
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 2_2_6E2D2561
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 2_2_6E2A7210
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 2_2_6E281270
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 2_2_6E2D0375
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 2_2_6E2C4383
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 2_2_6E2C3390
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 2_2_6E276070
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 2_2_6E2770E0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 2_2_6E2B8100
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 3_2_6C9F9DBC
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 3_2_6CA10DFD
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 3_2_6C9E6D40
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 3_2_6C9B7FF0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 3_2_6CA108B9
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 3_2_6C9EC8C0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 3_2_6C9F69F0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 3_2_6C9B8B90
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 3_2_6C9FDB10
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 3_2_6CA114F5
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 3_2_6C9EF530
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 3_2_6CA12561
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 3_2_6CA06566
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 3_2_6C9B70E0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 3_2_6C9B6070
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 3_2_6C9F8100
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 3_2_6C9E7210
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 3_2_6C9C1270
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 3_2_6CA04383
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 3_2_6CA03390
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 3_2_6CA10375
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.exe | Code function: 4_2_00A3DA69
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: String function: 6C9C9940 appears 197 times
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: String function: 6C9C8F00 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: String function: 6E289A20 appears 219 times
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: String function: 6C9F3910 appears 37 times
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: String function: 6C9C9A20 appears 221 times
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: String function: 6E288F00 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: String function: 6E2B3910 appears 37 times
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: String function: 6E289940 appears 197 times
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: String function: 6E2BFB78 appears 57 times
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: String function: 6E289060 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: String function: 6C9FFB78 appears 57 times
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: String function: 6C9C9060 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: String function: 00F12580 appears 151 times
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: String function: 00FA8030 appears 237 times
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: String function: 00FE543C appears 66 times
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: String function: 00F12120 appears 169 times
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: String function: 00F1BB00 appears 253 times
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: String function: 00FA7FA0 appears 188 times
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: String function: 00F18860 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: String function: 00F96A40 appears 56 times
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: String function: 00FDC8E3 appears 56 times
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.exe | Code function: String function: 00A3A544 appears 33 times
Source: drw_free_installer.17163939163819b153.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine | Classification label: sus23.winEXE@9/35@2/2
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00FD0610 GetLastError,_strerror,_strncpy,FormatMessageA,_strrchr,_strrchr,GetLastError,SetLastError
Source: C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe | Code function: 0_2_0040338F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F16280 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges
Source: C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe | Code function: 0_2_00404722 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F45480 CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe | Code function: 0_2_00402104 CoCreateInstance
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F71690 CreateFileW,GetFileSize,ReadFile,CloseHandle,FindResourceW,LoadResource,FreeResource,SizeofResource,LockResource,FreeResource,CreateFileW,GetFileSize,ReadFile,CloseHandle,_memset,CreateDIBSection,CharNextW,__wcstoui64
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\index[1].htm
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Mutant created: \Sessions\1\BaseNamedObjects\DRW_Installer
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\C$$USERS$user$APPDATA$LOCAL$TEMP$DOWNLOADER_EASEUS$2.0.0$2FREE$ALIYUN$ALIYUNCONFIG.INI
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\C$$USERS$user$APPDATA$LOCAL$TEMP$DOWNLOADER_EASEUS$2.0.0$2FREE$ALIYUN$DATAFILE.INI
Source: C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe | File created: C:\Users\user\AppData\Local\Temp\nstF03.tmp
Source: drw_free_installer.17163939163819b153.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: drw_free_installer.17163939163819b153.exe | String found in binary or memory: resource/install_bg_1.png
Source: drw_free_installer.17163939163819b153.exe | String found in binary or memory: resource/install_bg_3.png
Source: drw_free_installer.17163939163819b153.exe | String found in binary or memory: resource/install_bg_4.png
Source: drw_free_installer.17163939163819b153.exe | String found in binary or memory: resource/install_bg_5.png
Source: C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe | File read: C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe
Source: unknown | Process created: C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe "C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe"
Source: C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe | Process created: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe "C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe" EXEDIR=C:\Users\user\Desktop ||| EXENAME=drw_free_installer.17163939163819b153.exe ||| DOWNLOAD_VERSION=free ||| PRODUCT_VERSION=2.0.0 ||| INSTALL_TYPE=0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Process created: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe /Uid "S-1-5-21-2246122658-3693405117-2476756634-1002"
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Process created: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe /SendInfo Window "Web_Installer" Activity "Result_Run_Installer" Attribute "{\"Country\":\"Switzerland\",\"Pageid\":\"17163939163819b153\",\"Timezone\":\"GMT-05:00\"}"
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Process created: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.exe C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.Exe
Source: C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Section loaded: ieframe.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Section loaded: msftedit.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Section loaded: windows.globalization.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Section loaded: bcp47mrm.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Section loaded: globinputhost.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Section loaded: windows.ui.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Section loaded: windowmanagementapi.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Section loaded: inputhost.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.exe | Section loaded: aliyunwrap.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
Source: C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exeFile written: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\Korean.iniJump to behavior
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exeFile opened: C:\Windows\SysWOW64\msftedit.dllJump to behavior
Source: drw_free_installer.17163939163819b153.exeStatic PE information: certificate valid
Source: drw_free_installer.17163939163819b153.exeStatic file information: File size 2654624 > 1048576
Source: drw_free_installer.17163939163819b153.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: F:\testProject\AliyunLog\Code\UserInfoCollect\Release\AliyunWrapExe.pdb source: AliyunWrapExe.exe, 00000004.00000002.2889436492.0000000000A43000.00000002.00000001.01000000.00000009.sdmp, AliyunWrapExe.exe, 00000004.00000000.1671805830.0000000000A43000.00000002.00000001.01000000.00000009.sdmp, AliyunWrapExe.exe.0.dr
Source: Binary string: F:\testProject\AliyunLog\Code\UserInfoCollect\Release\InfoForSetup.pdb source: drw_free_installer.17163939163819b153.exe, 00000000.00000002.1643073592.000000000040A000.00000004.00000001.01000000.00000003.sdmp, InfoForSetup.exe, 00000002.00000002.1651145686.000000000034A000.00000002.00000001.01000000.00000006.sdmp, InfoForSetup.exe, 00000002.00000000.1647040740.000000000034A000.00000002.00000001.01000000.00000006.sdmp, InfoForSetup.exe, 00000003.00000002.1672647252.000000000034A000.00000002.00000001.01000000.00000006.sdmp, InfoForSetup.exe, 00000003.00000000.1668051537.000000000034A000.00000002.00000001.01000000.00000006.sdmp, InfoForSetup.exe.0.dr
Source: Binary string: D:\downloader2.0_drw\main\EDownloader\Release\EDownloader.pdb source: EDownloader.exe, 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp, EDownloader.exe, 00000001.00000000.1642539347.0000000001006000.00000002.00000001.01000000.00000004.sdmp, EDownloader.exe.0.dr
Source: Binary string: F:\testProject\AliyunLog\Code\UserInfoCollect\Release\AliyunWrap.pdbP% source: InfoForSetup.exe, 00000003.00000002.1675072188.000000006CA13000.00000002.00000001.01000000.00000007.sdmp, AliyunWrapExe.exe, 00000004.00000002.2890588150.000000006CA13000.00000002.00000001.01000000.00000007.sdmp, AliyunWrap.dll.0.dr
Source: Binary string: F:\testProject\AliyunLog\Code\UserInfoCollect\Release\AliyunWrap.pdbP%.n source: InfoForSetup.exe, 00000002.00000002.1653255235.000000006E2D3000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: F:\testProject\AliyunLog\Code\UserInfoCollect\Release\AliyunWrap.pdb source: InfoForSetup.exe, 00000002.00000002.1653255235.000000006E2D3000.00000002.00000001.01000000.00000007.sdmp, InfoForSetup.exe, 00000003.00000002.1675072188.000000006CA13000.00000002.00000001.01000000.00000007.sdmp, AliyunWrapExe.exe, 00000004.00000002.2890588150.000000006CA13000.00000002.00000001.01000000.00000007.sdmp, AliyunWrap.dll.0.dr
Source: Binary string: F:\testProject\AliyunLog\Code\UserInfoCollect\Release\InfoForSetup.pdbT source: drw_free_installer.17163939163819b153.exe, 00000000.00000002.1643073592.000000000040A000.00000004.00000001.01000000.00000003.sdmp, InfoForSetup.exe, 00000002.00000002.1651145686.000000000034A000.00000002.00000001.01000000.00000006.sdmp, InfoForSetup.exe, 00000002.00000000.1647040740.000000000034A000.00000002.00000001.01000000.00000006.sdmp, InfoForSetup.exe, 00000003.00000002.1672647252.000000000034A000.00000002.00000001.01000000.00000006.sdmp, InfoForSetup.exe, 00000003.00000000.1668051537.000000000034A000.00000002.00000001.01000000.00000006.sdmp, InfoForSetup.exe.0.dr
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F816C0 LoadLibraryW,GetProcAddress,CoCreateInstance,1_2_00F816C0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F7CAB6 push 8B000001h; iretd 1_2_00F7CABB
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00FE2BE6 push ecx; ret 1_2_00FE2BF9
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00FA52D0 push ecx; mov dword ptr [esp], 00000000h 1_2_00FA52D1
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00FE5481 push ecx; ret 1_2_00FE5494
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 2_2_003434AD push ecx; ret 2_2_003434C0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 2_2_6E2BFBBD push ecx; ret 2_2_6E2BFBD0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 2_2_6E2C0329 push ecx; ret 2_2_6E2C033C
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 3_2_6C9FFBBD push ecx; ret 3_2_6C9FFBD0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 3_2_6CA00329 push ecx; ret 3_2_6CA0033C
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.exe | Code function: 4_2_00A3A589 push ecx; ret 4_2_00A3A59C
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.exe | Code function: 4_2_00A38506 push ecx; ret 4_2_00A38519
Source: C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe | File created: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrap.dll
Source: C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe | File created: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe
Source: C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe | File created: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe
Source: C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe | File created: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.exe
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F14B80 IsIconic,GetWindowRect,OffsetRect,CreateRoundRectRgn,SetWindowRgn,DeleteObject,1_2_00F14B80
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F14C60 IsIconic,CallWindowProcW,1_2_00F14C60
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F54DE0 IsIconic,GetWindowRect,OffsetRect,CreateRoundRectRgn,SetWindowRgn,DeleteObject,1_2_00F54DE0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F537C0 IsIconic,1_2_00F537C0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F49760 GetWindowRect,GetParent,GetWindow,MonitorFromWindow,GetMonitorInfoW,IsIconic,GetWindowRect,SetWindowPos,1_2_00F49760
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F53BB0 IsIconic,GetWindowRect,OffsetRect,CreateRoundRectRgn,SetWindowRgn,DeleteObject,1_2_00F53BB0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F4BE70 IsIconic,ScreenToClient,SendMessageW,SendMessageW,IsRectEmpty,IsIconic,GetTickCount,SendMessageW,_TrackMouseEvent,GetTickCount,SendMessageW,SetFocus,GetTickCount,SetFocus,GetTickCount,GetTickCount,SetFocus,GetTickCount,ScreenToClient,GetTickCount,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,GetWindowRect,IsIconic,GetActiveWindow,PtInRect,SendMessageW,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,GetTickCount,_memset,CreateWindowExW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetClientRect,SaveDC,GetWindow,GetWindowRect,MapWindowPoints,SetWindowOrgEx,SendMessageW,GetWindow,RestoreDC,1_2_00F4BE70
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F4BE70 IsIconic,ScreenToClient,SendMessageW,SendMessageW,IsRectEmpty,IsIconic,GetTickCount,SendMessageW,_TrackMouseEvent,GetTickCount,SendMessageW,SetFocus,GetTickCount,SetFocus,GetTickCount,GetTickCount,SetFocus,GetTickCount,ScreenToClient,GetTickCount,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,GetWindowRect,IsIconic,GetActiveWindow,PtInRect,SendMessageW,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,GetTickCount,_memset,CreateWindowExW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetClientRect,SaveDC,GetWindow,GetWindowRect,MapWindowPoints,SetWindowOrgEx,SendMessageW,GetWindow,RestoreDC,1_2_00F4BE70
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F4BE70 IsIconic,ScreenToClient,SendMessageW,SendMessageW,IsRectEmpty,IsIconic,GetTickCount,SendMessageW,_TrackMouseEvent,GetTickCount,SendMessageW,SetFocus,GetTickCount,SetFocus,GetTickCount,GetTickCount,SetFocus,GetTickCount,ScreenToClient,GetTickCount,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,GetWindowRect,IsIconic,GetActiveWindow,PtInRect,SendMessageW,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,GetTickCount,_memset,CreateWindowExW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetClientRect,SaveDC,GetWindow,GetWindowRect,MapWindowPoints,SetWindowOrgEx,SendMessageW,GetWindow,RestoreDC,1_2_00F4BE70
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 2_2_00341060 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,2_2_00341060
Source: C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.exe | Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | API coverage: 4.5 %
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | API coverage: 7.5 %
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | API coverage: 7.3 %
Source: C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe | Code function: 0_2_004065FD FindFirstFileW,FindClose,0_2_004065FD
Source: C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe | Code function: 0_2_00402868 FindFirstFileW,0_2_00402868
Source: C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe | Code function: 0_2_004059CC GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_004059CC
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00FE0C2E __getdrive,FindFirstFileA,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,1_2_00FE0C2E
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 2_2_6E2BCD5B __getdrive,FindFirstFileA,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,2_2_6E2BCD5B
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 3_2_6C9FCD5B __getdrive,FindFirstFileA,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,3_2_6C9FCD5B
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F176C0 GetSystemInfo,GetVersionExW,LoadLibraryA,GetProcAddress,FreeLibrary,1_2_00F176C0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | File opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984\COMCTL32.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | File opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | File opened: C:\Windows\SysWOW64\KERNELBASE.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | File opened: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.2006_none_d94bc80de1097097
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | File opened: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.2006_none_d94bc80de1097097\gdiplus.dll
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | File opened: C:\Windows\SysWOW64\KERNEL32.DLL
Source: AliyunWrapExe.exe, 00000004.00000002.2889749147.00000000012B5000.00000004.00000020.00020000.00000000.sdmp, AliyunWrapExe.exe, 00000004.00000002.2889749147.000000000124E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: InfoForSetup.exe, 00000002.00000002.1652984754.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllk
Source: AliyunWrapExe.exe, 00000004.00000002.2889749147.000000000124E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWL
Source: InfoForSetup.exe, 00000003.00000002.1674237816.0000000001018000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00FDADFF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00FDADFF
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F816C0 LoadLibraryW,GetProcAddress,CoCreateInstance,1_2_00F816C0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00FF81D5 CreateFileA,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,1_2_00FF81D5
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00FDADFF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00FDADFF
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00FDAD69 _abort,__NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00FDAD69
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00FE302D __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00FE302D
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00FDB13F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00FDB13F
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 2_2_0034286C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_0034286C
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 2_2_00347AFE __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,2_2_00347AFE
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 2_2_0034415B SetUnhandledExceptionFilter,2_2_0034415B
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 2_2_00342186 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00342186
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 2_2_6E2CFE05 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_6E2CFE05
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 2_2_6E2B8C52 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_6E2B8C52
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 2_2_6E2B90CA _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_6E2B90CA
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 3_2_6C9F8C52 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_6C9F8C52
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 3_2_6CA0FE05 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_6CA0FE05
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 3_2_6C9F90CA _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_6C9F90CA
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.exe | Code function: 4_2_00A374A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_00A374A2
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.exe | Code function: 4_2_00A40886 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,4_2_00A40886
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.exe | Code function: 4_2_00A39864 SetUnhandledExceptionFilter,4_2_00A39864
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.exe | Code function: 4_2_00A37718 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_00A37718
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 2_2_6E2798D0 _memset,_memset,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexW,GetLastError,2_2_6E2798D0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: GetTimeZoneInformation,_memset,GetLocaleInfoW,1_2_00F396C0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,1_2_00FEC0B8
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,1_2_00FEC1E0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,1_2_00FEC179
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,1_2_00FEC21C
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: GetLocaleInfoA,1_2_00FE43CC
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: _memset,GetLocaleInfoW,1_2_00F3C710
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: GetLocaleInfoA,1_2_00FF28C0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,1_2_00FE2BFA
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,1_2_00FE8B1D
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,1_2_00FEAFA9
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: __time64,_memset,GetLocaleInfoW,1_2_00F26F50
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,1_2_00FEB617
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,1_2_00FEB86F
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,1_2_00FEBCC3
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,1_2_00FEBDDA
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,1_2_00FEBEE6
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,1_2_00FEBE72
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,1_2_00FF3E4F
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,1_2_00FF3E1B
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,1_2_00FF3F8E
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: GetLocaleInfoA,2_2_00347D4F
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: GetLocaleInfoA,2_2_6E2CD8E6
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: GetLocaleInfoA,3_2_6CA0D8E6
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.exe | Code function: GetLocaleInfoA,4_2_00A41874
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F96A40 CloseHandle,GetLocalTime,_memset,GetCurrentThreadId,__snprintf,_vswprintf_s,OutputDebugStringA,1_2_00F96A40
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F15AA0 _memset,GetUserNameW,_memset,_memset,LookupAccountNameW,IsValidSid,GetSidIdentifierAuthority,swprintf,swprintf,GetSidSubAuthorityCount,GetSidSubAuthority,GetSidSubAuthority,swprintf,1_2_00F15AA0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00F396C0 GetTimeZoneInformation,_memset,GetLocaleInfoW,1_2_00F396C0
Source: C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe | Code function: 0_2_0040338F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040338F
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00FBA1D0 _memset,__wcstoui64,__wcstoui64,getsockname,WSAGetLastError,_strncpy,WSAGetLastError,WSAGetLastError,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,getsockname,WSAGetLastError,listen,WSAGetLastError,htons,htons,1_2_00FBA1D0
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00FAD810 _memset,_memset,_strncmp,_strncmp,htons,bind,bind,htons,bind,_memset,getsockname,WSAGetLastError,htons,WSAGetLastError,1_2_00FAD810
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | Code function: 1_2_00FB5E30 bind,WSAGetLastError,1_2_00FB5E30
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 2_2_6E28F680 _memset,_memset,_strncmp,_strncmp,htons,bind,htons,htons,bind,_memset,getsockname,WSAGetLastError,htons,htons,htons,WSAGetLastError,2_2_6E28F680
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 2_2_6E29D420 _memset,_strncpy,__wcstoui64,__wcstoui64,_strncpy,getsockname,WSAGetLastError,WSAGetLastError,WSAGetLastError,WSAGetLastError,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,getsockname,WSAGetLastError,listen,WSAGetLastError,htons,htons,2_2_6E29D420
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 2_2_6E299280 bind,WSAGetLastError,2_2_6E299280
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 3_2_6C9DD420 _memset,_strncpy,__wcstoui64,__wcstoui64,_strncpy,getsockname,WSAGetLastError,WSAGetLastError,WSAGetLastError,WSAGetLastError,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,getsockname,WSAGetLastError,listen,WSAGetLastError,htons,htons,3_2_6C9DD420
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 3_2_6C9CF680 _memset,_memset,_strncmp,_strncmp,htons,bind,htons,htons,bind,_memset,getsockname,WSAGetLastError,htons,htons,htons,WSAGetLastError,3_2_6C9CF680
Source: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | Code function: 3_2_6C9D9280 bind,WSAGetLastError,3_2_6C9D9280
MITRE ATT&CK matrix (the number in front of a technique is the count of matched signatures mapped to it):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Gather Victim Identity Information | Acquire Infrastructure | 1 Valid Accounts | 3 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 Input Capture | 2 System Time Discovery | 1 Exploitation of Remote Services | 12 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 Data Encrypted for Impact
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 Valid Accounts | 1 Valid Accounts | 2 Obfuscated Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 1 Input Capture | 2 Encrypted Channel | Exfiltration Over Bluetooth | 1 System Shutdown/Reboot
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 11 Access Token Manipulation | 1 DLL Side-Loading | Security Account Manager | 4 File and Directory Discovery | SMB/Windows Admin Shares | 1 Clipboard Data | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Process Injection | 1 Masquerading | NTDS | 15 System Information Discovery | Distributed Component Object Model | Input Capture | 14 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Valid Accounts | LSA Secrets | 21 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 11 Access Token Manipulation | Cached Domain Credentials | 1 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Process Injection | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 1 System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label | Link
--- | --- | --- | --- | ---
drw_free_installer.17163939163819b153.exe | 0% | ReversingLabs | |

Source | Detection | Scanner | Label | Link
--- | --- | --- | --- | ---
C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrap.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe | 0% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
--- | --- | --- | --- | ---
http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe |
https://curl.haxx.se/docs/http-cookies.html | 0% | URL Reputation | safe |
http://track.easeus.com/product/index.php?c=main&a=getstatus&pid=27 | 0% | Avira URL Cloud | safe |
https://update.easeus.com/update/drw_eng/drw.ini | 0% | Avira URL Cloud | safe |
http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/ | 0% | Avira URL Cloud | safe |
https://download.easeus.com/trial/drw_trial.exe | 0% | Avira URL Cloud | safe |
http://baidu.com | 0% | Avira URL Cloud | safe |
https://www.easeus.com/privacy.htm?lang= | 0% | Avira URL Cloud | safe |
http://track.easeus.com/product/index.php?c=main&a=getstatus&pid=2K | 0% | Avira URL Cloud | safe |
http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_drw_ip/shards/lb76756634-1002 | 0% | Avira URL Cloud | safe |
http://download3.easeus.com/drw/drw16.2.0.0_free_x.exe | 0% | Avira URL Cloud | safe |
http://track.easeus.com/product/index.php/?a=statistics&p_type=m_drw_user_base_infos | 0% | Avira URL Cloud | safe |
http://track.easeus.com/product/index.php?c=main&a=getstatus&pid=23 | 0% | Avira URL Cloud | safe |
http://baidu.com7 | 0% | Avira URL Cloud | safe |
https://www.google.com/https://www.baidu.com/GMT | 0% | Avira URL Cloud | safe |
http://baidu.comq | 0% | Avira URL Cloud | safe |
http://track.easeus.com/product/index.php/?a=statistics&p_type=m_drw_user_action_table | 0% | Avira URL Cloud | safe |
https://curl.haxx.se/docs/http-cookies.html# | 0% | Avira URL Cloud | safe |
https://www.easeus.com/datarecoverywizard/history.php?lang=inst | 0% | Avira URL Cloud | safe |
https://download.easeus.com/free/drw_free.exeni | 0% | Avira URL Cloud | safe |
http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_drw_ip/shards/lb | 0% | Avira URL Cloud | safe |
https://download.easeus.com/free/drw_free.exe | 0% | Avira URL Cloud | safe |
https://www.easeus.com/privacy.htm?lang=/histor | 0% | Avira URL Cloud | safe |
https://www.easeus.com/download-offline.html | 0% | Avira URL Cloud | safe |
http://download3.easeus.com/drw/drw16.2.0.0_trial_x.exe | 0% | Avira URL Cloud | safe |
http://download2.easeus.com/api2/index.php/Apicp/Drwdl202004/index/ | 0% | Avira URL Cloud | safe |
http://baidu.comJ | 0% | Avira URL Cloud | safe |
https://www.easeus.com/datarecoverywizard/history.php?lang= | 0% | Avira URL Cloud | safe |
http://track.easeus.com/product/index.php?c=main&a=getstatus&pid=2C: | 0% | Avira URL Cloud | safe |
http://track.easeus.com/product/index.php/?a=statistics&p_type=m_drw_user_base_infosfP | 0% | Avira URL Cloud | safe |
http://download3.easeus.com/drw/drw16.2.0.0_ad_google_trial_x.exe | 0% | Avira URL Cloud | safe |
http://track.easeus.com/product/index.php?c=main&a=getstatus&pid=2 | 0% | Avira URL Cloud | safe |
https://www.google.com/ | 0% | Avira URL Cloud | safe |
http://./logstores//shards/lbContent-Type:application/x-protobufx-log-apiversion:0.6.0x-log-compress | 0% | Avira URL Cloud | safe |
http://download3.easeus.com/drw/drw16.2.0.0_ad_google_trial_x.exe9 | 0% | Avira URL Cloud | safe |
http://yiwo.easeus.com/api/index.php/Home/index/licenseAgreement?lang= | 0% | Avira URL Cloud | safe |
http://yiwo.easeus.com/ | 0% | Avira URL Cloud | safe |
https://www.baidu.com/ | 0% | Avira URL Cloud | safe |
http://download3.easeus.com/api2/index.php/Apicp/Drwdl202004/index/ | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
--- | --- | --- | --- | --- | ---
track.easeus.com.whecloud.com | 163.171.128.150 | true | false | | unknown
easeusinfo.us-east-1.log.aliyuncs.com | 47.252.97.212 | true | false | | unknown
track.easeus.com | unknown | unknown | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
--- | --- | --- | ---
http://track.easeus.com/product/index.php?c=main&a=getstatus&pid=2 | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
--- | --- | --- | --- | ---
http://download3.easeus.com/drw/drw16.2.0.0_free_x.exe | EDownloader.exe, 00000001.00000003.1643557910.0000000002460000.00000004.00000800.00020000.00000000.sdmp, EDownloader.exe, 00000001.00000002.2889462577.0000000000666000.00000004.00000020.00020000.00000000.sdmp, InitConfigure.ini.0.dr | false | Avira URL Cloud: safe | unknown
http://track.easeus.com/product/index.php/?a=statistics&p_type=m_drw_user_base_infos | EDownloader.exe, 00000001.00000003.1643557910.0000000002460000.00000004.00000800.00020000.00000000.sdmp, InitConfigure.ini.0.dr | false | Avira URL Cloud: safe | unknown
http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/ | InitConfigure.ini.0.dr | false | Avira URL Cloud: safe | unknown
http://baidu.com | InitConfigure.ini.0.dr | false | Avira URL Cloud: safe | unknown
http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_drw_ip/shards/lb76756634-1002 | AliyunWrapExe.exe, 00000004.00000002.2889967549.0000000001600000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://update.easeus.com/update/drw_eng/drw.ini | EDownloader.exe, 00000001.00000003.1643557910.0000000002460000.00000004.00000800.00020000.00000000.sdmp, EDownloader.exe, 00000001.00000002.2889462577.0000000000666000.00000004.00000020.00020000.00000000.sdmp, InitConfigure.ini.0.dr | false | Avira URL Cloud: safe | unknown
http://track.easeus.com/product/index.php?c=main&a=getstatus&pid=2K | AliyunWrapExe.exe, 00000004.00000002.2889749147.000000000129A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://track.easeus.com/product/index.php?c=main&a=getstatus&pid=27 | AliyunWrapExe.exe, 00000004.00000002.2889749147.000000000129A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://download.easeus.com/trial/drw_trial.exe | EDownloader.exe, 00000001.00000003.1643557910.0000000002460000.00000004.00000800.00020000.00000000.sdmp, EDownloader.exe, 00000001.00000002.2889462577.0000000000666000.00000004.00000020.00020000.00000000.sdmp, InitConfigure.ini.0.dr | false | Avira URL Cloud: safe | unknown
https://www.easeus.com/privacy.htm?lang= | EDownloader.exe, 00000001.00000003.1643557910.0000000002460000.00000004.00000800.00020000.00000000.sdmp, InitConfigure.ini.0.dr | false | Avira URL Cloud: safe | unknown
http://nsis.sf.net/NSIS_ErrorError | drw_free_installer.17163939163819b153.exe | false | URL Reputation: safe | unknown
http://baidu.com7 | EDownloader.exe, 00000001.00000002.2889462577.0000000000666000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://track.easeus.com/product/index.php?c=main&a=getstatus&pid=23 | AliyunWrapExe.exe, 00000004.00000002.2889749147.000000000129A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/https://www.baidu.com/GMT | EDownloader.exe, 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp, EDownloader.exe, 00000001.00000000.1642539347.0000000001006000.00000002.00000001.01000000.00000004.sdmp, EDownloader.exe.0.dr | false | Avira URL Cloud: safe | unknown
http://track.easeus.com/product/index.php/?a=statistics&p_type=m_drw_user_action_table | EDownloader.exe, 00000001.00000003.1643557910.0000000002460000.00000004.00000800.00020000.00000000.sdmp, EDownloader.exe, 00000001.00000002.2889462577.0000000000666000.00000004.00000020.00020000.00000000.sdmp, InitConfigure.ini.0.dr | false | Avira URL Cloud: safe | unknown
https://download.easeus.com/free/drw_free.exeni | EDownloader.exe, 00000001.00000002.2889462577.0000000000666000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://baidu.comq | EDownloader.exe, 00000001.00000002.2889462577.0000000000666000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.easeus.com/datarecoverywizard/history.php?lang=inst | EDownloader.exe, 00000001.00000002.2889462577.0000000000666000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://curl.haxx.se/docs/http-cookies.html | InfoForSetup.exe, InfoForSetup.exe, 00000003.00000002.1675072188.000000006CA13000.00000002.00000001.01000000.00000007.sdmp, AliyunWrapExe.exe, 00000004.00000002.2890588150.000000006CA13000.00000002.00000001.01000000.00000007.sdmp, AliyunWrap.dll.0.dr, EDownloader.exe.0.dr | false | URL Reputation: safe | unknown
https://curl.haxx.se/docs/http-cookies.html# | InfoForSetup.exe | false | Avira URL Cloud: safe | unknown
http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_drw_ip/shards/lb | AliyunWrapExe.exe, 00000004.00000002.2889967549.0000000001600000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://download.easeus.com/free/drw_free.exe | EDownloader.exe, 00000001.00000003.1643557910.0000000002460000.00000004.00000800.00020000.00000000.sdmp, InitConfigure.ini.0.dr | false | Avira URL Cloud: safe | unknown
http://baidu.comJ | EDownloader.exe, 00000001.00000003.1670012501.00000000024BE000.00000004.00000020.00020000.00000000.sdmp, EDownloader.exe, 00000001.00000003.1670232846.00000000024BA000.00000004.00000020.00020000.00000000.sdmp, EDownloader.exe, 00000001.00000003.1670305223.00000000024BB000.00000004.00000020.00020000.00000000.sdmp, EDownloader.exe, 00000001.00000003.1704847679.00000000024BB000.00000004.00000020.00020000.00000000.sdmp, EDownloader.exe, 00000001.00000003.1704792281.00000000024BA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.easeus.com/download-offline.html | EDownloader.exe, 00000001.00000003.1643557910.0000000002460000.00000004.00000800.00020000.00000000.sdmp, EDownloader.exe, 00000001.00000002.2889462577.0000000000666000.00000004.00000020.00020000.00000000.sdmp, InitConfigure.ini.0.dr | false | Avira URL Cloud: safe | unknown
http://download2.easeus.com/api2/index.php/Apicp/Drwdl202004/index/ | EDownloader.exe, 00000001.00000003.1643557910.0000000002460000.00000004.00000800.00020000.00000000.sdmp, EDownloader.exe, 00000001.00000002.2889462577.0000000000666000.00000004.00000020.00020000.00000000.sdmp, InitConfigure.ini.0.dr | false | Avira URL Cloud: safe | unknown
https://www.easeus.com/privacy.htm?lang=/histor | EDownloader.exe, 00000001.00000002.2889462577.0000000000666000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://download3.easeus.com/drw/drw16.2.0.0_trial_x.exe | EDownloader.exe, 00000001.00000003.1643557910.0000000002460000.00000004.00000800.00020000.00000000.sdmp, EDownloader.exe, 00000001.00000002.2889462577.0000000000666000.00000004.00000020.00020000.00000000.sdmp, InitConfigure.ini.0.dr | false | Avira URL Cloud: safe | unknown
https://www.easeus.com/datarecoverywizard/history.php?lang= | EDownloader.exe, 00000001.00000003.1643557910.0000000002460000.00000004.00000800.00020000.00000000.sdmp, InitConfigure.ini.0.dr | false | Avira URL Cloud: safe | unknown
http://track.easeus.com/product/index.php/?a=statistics&p_type=m_drw_user_base_infosfP | EDownloader.exe, 00000001.00000002.2889462577.0000000000666000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://download3.easeus.com/drw/drw16.2.0.0_ad_google_trial_x.exe | EDownloader.exe, 00000001.00000003.1643557910.0000000002460000.00000004.00000800.00020000.00000000.sdmp, InitConfigure.ini.0.dr | false | Avira URL Cloud: safe | unknown
http://track.easeus.com/product/index.php?c=main&a=getstatus&pid=2C: | AliyunWrapExe.exe, 00000004.00000002.2889749147.000000000124E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://./logstores//shards/lbContent-Type:application/x-protobufx-log-apiversion:0.6.0x-log-compress | InfoForSetup.exe, 00000002.00000002.1653255235.000000006E2D3000.00000002.00000001.01000000.00000007.sdmp, InfoForSetup.exe, 00000003.00000002.1675072188.000000006CA13000.00000002.00000001.01000000.00000007.sdmp, AliyunWrapExe.exe, 00000004.00000002.2890588150.000000006CA13000.00000002.00000001.01000000.00000007.sdmp, AliyunWrap.dll.0.dr | false | Avira URL Cloud: safe | unknown
http://yiwo.easeus.com/api/index.php/Home/index/licenseAgreement?lang= | EDownloader.exe, 00000001.00000003.1643557910.0000000002460000.00000004.00000800.00020000.00000000.sdmp, EDownloader.exe, 00000001.00000002.2889462577.0000000000666000.00000004.00000020.00020000.00000000.sdmp, InitConfigure.ini.0.dr | false | Avira URL Cloud: safe | unknown
https://www.google.com/ | EDownloader.exe, EDownloader.exe, 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp, EDownloader.exe, 00000001.00000000.1642539347.0000000001006000.00000002.00000001.01000000.00000004.sdmp, EDownloader.exe.0.dr | false | Avira URL Cloud: safe | unknown
http://download3.easeus.com/api2/index.php/Apicp/Drwdl202004/index/ | EDownloader.exe, 00000001.00000003.1643557910.0000000002460000.00000004.00000800.00020000.00000000.sdmp, EDownloader.exe, 00000001.00000002.2889462577.0000000000666000.00000004.00000020.00020000.00000000.sdmp, InitConfigure.ini.0.dr | false | Avira URL Cloud: safe | unknown
http://download3.easeus.com/drw/drw16.2.0.0_ad_google_trial_x.exe9 | EDownloader.exe, 00000001.00000002.2889462577.0000000000666000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://yiwo.easeus.com/ | EDownloader.exe, 00000001.00000003.1643557910.0000000002460000.00000004.00000800.00020000.00000000.sdmp, EDownloader.exe, 00000001.00000002.2889462577.0000000000666000.00000004.00000020.00020000.00000000.sdmp, InitConfigure.ini.0.dr | false | Avira URL Cloud: safe | unknown
https://www.baidu.com/ | EDownloader.exe.0.dr | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
--- | --- | --- | --- | --- | --- | ---
47.252.97.212 | easeusinfo.us-east-1.log.aliyuncs.com | United States | | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | false
163.171.128.150 | track.easeus.com.whecloud.com | European Union | | 54994 | QUANTILNETWORKSUS | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1445894
Start date and time: 2024-05-22 18:06:04 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 0s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: drw_free_installer.17163939163819b153.exe
Detection: SUS
Classification: sus23.winEXE@9/35@2/2
        EGA Information:
        • Successful, ratio: 100%
        HCA Information:
        • Successful, ratio: 99%
        • Number of executed functions: 80
        • Number of non-executed functions: 249
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
        • Report size exceeded maximum capacity and may have missing disassembly code.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        • VT rate limit hit for: drw_free_installer.17163939163819b153.exe
        No simulations
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
--- | --- | --- | --- | --- | --- | ---
47.252.97.212 | DRW14.0_Trial.exe | Get hash | malicious | Unknown | Browse | easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_windrw_ip/shards/lb
163.171.128.150 | https://www--wellsfargo--com--2x49329d48d6c.wsipv6.com/ | Get hash | malicious | Unknown | Browse |
 | https://www--wellsfargo--com--mx49329d48d6c.wsipv6.com/ | Get hash | malicious | Unknown | Browse |

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
--- | --- | --- | --- | --- | --- | ---
easeusinfo.us-east-1.log.aliyuncs.com | DRW14.0_Trial.exe | Get hash | malicious | Unknown | Browse | 47.252.97.212
track.easeus.com.whecloud.com | testfile2.exe | Get hash | malicious | Unknown | Browse | 163.171.132.220

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
--- | --- | --- | --- | --- | --- | ---
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | FRA.0038253.exe | Get hash | malicious | FormBook, GuLoader | Browse | 47.243.134.243
 | waybillDoc_20052024.exe | Get hash | malicious | FormBook, GuLoader | Browse | 47.243.134.243
 | https://mte-reguje.onrender.com/?scn=29023&ble=statistics&em=314387306_160807 | Get hash | malicious | Phisher | Browse | 47.254.144.66
 | zDAH4anUtC.elf | Get hash | malicious | Unknown | Browse | 47.88.168.114
 | fa10576.exe | Get hash | malicious | FormBook, GuLoader | Browse | 47.243.134.243
 | SlHgSOYcMY.exe | Get hash | malicious | Unknown | Browse | 47.88.4.215
 | Your file name without extension goes here.exe | Get hash | malicious | FormBook | Browse | 47.243.134.243
 | loader.exe | Get hash | malicious | CobaltStrike | Browse | 8.219.94.174
 | loader.exe | Get hash | malicious | CobaltStrike | Browse | 8.219.94.174
 | setup#U67e5#U8be2#U7248.exe | Get hash | malicious | Unknown | Browse | 47.75.18.205
QUANTILNETWORKSUS | bR9Ri9cFkm.elf | Get hash | malicious | Unknown | Browse | 220.242.145.244
 | http://0.0.0mail3.cryptonight.net/ | Get hash | malicious | Unknown | Browse | 163.171.137.177
 | http://0fileserver.cryptonight.net/ | Get hash | malicious | Unknown | Browse | 163.171.137.177
 | http://caoca.2826864149.workers.dev/ | Get hash | malicious | Unknown | Browse | 163.171.131.248
 | http://cctv.qmimi.workers.dev/ | Get hash | malicious | Unknown | Browse | 163.171.131.248
 | http://cdnheicloudeuorg-1015.iaku-1.workers.dev/ | Get hash | malicious | Unknown | Browse | 163.171.131.248
 | http://cdnheicloudeuorg-1015.iaku-1.workers.dev/ | Get hash | malicious | Unknown | Browse | 163.171.131.248
 | 3rFz8BnDmn.elf | Get hash | malicious | Mirai | Browse | 116.254.200.248
 | X7oMmXD99L.elf | Get hash | malicious | Mirai | Browse | 220.242.145.224
 | SecuriteInfo.com.Trojan.DownLoader40.40259.3271.29415.exe | Get hash | malicious | Unknown | Browse | 157.185.170.144
            No context
            No context
Process: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:V:V
MD5: CFCD208495D565EF66E7DFF9F98764DA
SHA1: B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256: 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512: 31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious: false
Reputation: high, very likely benign file
            Preview:0
Process: C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe
File Type: Unicode text, UTF-8 text, with CRLF line terminators
Category: dropped
Size (bytes): 5654
Entropy (8bit): 5.191098703346186
Encrypted: false
SSDEEP: 96:SD8jLrznJvUw/UOA1forwTmWREtKNlWAWSwjHWDv947B3sc9oC36rDE6YRAYJS:SD8jLrznJvUw/Up1A1WREtKrx9wSDv28
MD5: B334764EB0A1069F6BA04C8E1F088CD0
SHA1: 94937BE84E853031683E426886FE1861F0B397ED
SHA-256: D9A87257F203A80489756B8B31628FFF8D10AAB229D20A637A083059233DC54C
SHA-512: 2E643CF3E089A20495E85441FC2904555C5C87BC15118C1136860736F295EAC00D5D761ECD12D01B5A017757B04325A394CA50FCB147A854028835BD9B6D0810
Malicious: false
Reputation: low
            Preview:[string]..InstallerName=%1 .........ProductName=EaseUS Data Recovery Wizard..RecommendProductName=Mobimover..InstallNow=..... ......InstallRecommend=%1 .......LicenseTps= %1 ... .... .......LicenseClick=....... ..... EaseUS..CustomInstall=....... .........Languge=.......InstallationPath =.... .........AgreeExperience=........ ... ........ .. ...... ..... ..... .........Downloading=.... ....... .... .............WaitTime=(.. ....... ........ .... %1m %2s.)..Installing =..........DownloadFailed=... .........CheckNet=...... ...... .. ..... .........DownloadOffline=..... ... .......Retry=..... ..........StartNow=.... ......Later=.......StartNowTips=...........................InstallFailed=... .........InstallFailedTip
Process: C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe
File Type: Unicode text, UTF-8 text, with CRLF line terminators
Category: dropped
Size (bytes): 3835
Entropy (8bit): 6.29016396880312
Encrypted: false
SSDEEP: 96:Sz9rI59jSvRD27+2OWesAWSwjsR74e/W2AdQ3oS+XruV/:Sz9rEjYRD27+2OWG9w4YDKV/
MD5: FD6CA501ED9A613A5094EB4C92C1A847
SHA1: DD0FB0EDD4ABDA1A3F6367086D99BFE5661B6B6A
SHA-256: 4637C9C3FF511C3F15CB482C5A3EE42A3237D26AD002B2FCC3FF467E7A10B99F
SHA-512: 3DF1A140ECD3E75F5B61CCB5018ED823F4619F8A32931E3A8D2244B998E76F724BB5C699C487C6B4077934CA14F832A68A47BA0469780D912C162B51EA335351
Malicious: false
Reputation: low
            Preview:[string]..InstallerName=%1.....ProductName=........RecommendProductName=Mobimover..InstallNow=......InstallRecommend=..%1..LicenseTps=........ %1..LicenseClick= EaseUS .......CustomInstall=......Languge=....InstallationPath =......AgreeExperience=..............Downloading=.............WaitTime= (.... %1m %2s...Installing =.........DownloadFailed=......CheckNet=..........DownloadOffline=......Retry=....StartNow=......Later=......StartNowTips=...........InstallFailed=......InstallFailedTips=......................Restart=......btn_Restartnow=......lb_RestartText=.............lb_RestartTip=.........................FailedSolveSteps=........RestartSt
Process: C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe
File Type: Unicode text, UTF-8 text, with CRLF line terminators
Category: dropped
Size (bytes): 3906
Entropy (8bit): 6.304017277626276
Encrypted: false
SSDEEP: 96:Ah2hiHlqOeXvZaqzSSwjXvCewCqIqQsrTIMTl5rTXOLX9PBq8:i2hODkvZawhwWDCqIcrRvk9Jq8
MD5: FE7AD6D1DD07AEAFEECE921ECB23F3E7
SHA1: 86E74EBDE9C8C6E90E64A757DAF12FD69B75E4EB
SHA-256: 7EF907A793D9087AA804A688BDDDECF33A76011E4D820E7332533C070277507F
SHA-512: 6F854D16E4828842713A58AE0E15ABDFC01B9DF85E5CC8ABB4BBD07FC5B6988584EB767E3639510C9B7698A70D38341014517D90EB8FD63E7F10E77EFE10DF4C
Malicious: false
Reputation: low
            Preview:[string] ..InstallerName=%1.....ProductName=EaseUS Data Recovery Wizard..RecommendProductName=Mobimover..InstallNow=......InstallRecommend=..%1..LicenseTps=........%1 ..LicenseClick=......CustomInstall=......Languge=....InstallationPath =......AgreeExperience=..............Downloading=.............WaitTime= ..... %1m %2s....Installing =........DownloadFailed=......CheckNet=..........DownloadOffline=......Retry=......StartNow=......Later=....StartNowTips=...........InstallFailed=......InstallFailedTips=........................Restart=......btn_Restartnow=........lb_RestartText=...............lb_RestartTip=...........................FailedSolveSteps=.
Process: C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe
File Type: Unicode text, UTF-8 text, with CRLF line terminators
Category: dropped
Size (bytes): 4234
Entropy (8bit): 4.9732153426133765
Encrypted: false
SSDEEP: 96:SZnzwqTQqZCR9s7ZFcZeoAWSwjVbHg6F4f0CMBhYah/6CC7Pd2Wp3:SZzTTQqZCR9an9wJHz00n3BCwWp3
MD5: EB6CB6A1EA028CAC7AE61DADC568C2F9
SHA1: 7DA5B3E2F2F3FE326BC5EB4F073DB2B46F3381AF
SHA-256: 4524116093969EE206FA4F04D84346349ED551B4D7B87D4206E9A12D32AF5D61
SHA-512: 1FF642BDAE2E7519EB0BA3802718146DB9440BD7356F363F51CEA82193E0222C01504D726D49588F4B523E8BB112068408C2EBBB8A669705499D4342A430F7DA
Malicious: false
Reputation: low
            Preview:[string]..InstallerName=%1 Installer..ProductName=EaseUS Data Recovery Wizard..RecommendProductName=Mobimover..InstallNow=Installer nu..InstallRecommend=Installer %1..LicenseTps=Jeg har l.st og accepteret %1..LicenseClick=EaseUS licensaftale..CustomInstall=Installationsindstillinger..Languge=Sprog..InstallationPath =Installationsvej..AgreeExperience=Enig at deltage i Customer Experience Improvement Programmet..Downloading=Downloader, vent venligst.....WaitTime=(det forventes at vente i %1m %2s.)..Installing =Installerer, vent venligst.....DownloadFailed=Download mislykkedes..CheckNet=Kontroller netv.rksforbindelsen...DownloadOffline=Download offline..Retry=Fors.g igen..StartNow=Start nu..Later=Senere..StartNowTips=Vil du starte programmet nu?..InstallFailed=Installation mislykkedes..InstallFailedTips=Download offline for at f. fuld installationspakke eller genstart pc'en for at pr.ve igen...Restart=Genstart..btn_Restartnow=Genstart nu..lb_RestartText=Sikker p. at genstarte pc'en
Process: C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe
File Type: Unicode text, UTF-8 text, with CRLF line terminators
Category: dropped
Size (bytes): 4503
Entropy (8bit): 4.93018089287948
Encrypted: false
SSDEEP: 96:SSBYgKiCsYTaFnSZJcNzSSwjbutYZ5+e0ukUk6TG5hWTZPALH8E2LmX7:Sopka54cdhwetYZh0NlKYLHgyr
MD5: E4E098A3E165FC5ECB4CB806B7E6E9D8
SHA1: 3384368FCFED720E743ABE5D4DA5F358BE22A11C
SHA-256: 3FE882930B7C5299290AE6C0C20AE065BD915984B381436B1C3D1D1CBFC67127
SHA-512: 76F6B463708AB529838AF6E66664B56D3E4959DFE82DBB9ECF9CB8EEAB63617DD8A7C8773ECA4B2A1703F19475A1E0AF31C6E992CB52F823DE29CDE16798A677
Malicious: false
Reputation: low
            Preview:[string]..InstallerName=%1 Installatiewizard..ProductName=EaseUS Data Recovery Wizard..RecommendProductName=Mobimover..InstallNow=Nu Installeren..InstallRecommend=Installeer %1..LicenseTps=%1 gelezen en ga er mee akkoord..LicenseClick=EaseUS Licentie Overeenkomst..CustomInstall=Installatie-instellingen..Languge=Taal..InstallationPath =Installatiepad..AgreeExperience=Ik wil deelnemen aan het klanttevredenheidsonderzoek..Downloading=Downloaden, even geduld a.u.b......WaitTime= (Er wordt verwacht dat er wordt gewacht op %1m %2s.)..Installing =Installeren.....DownloadFailed=Downloaden Mislukt..CheckNet=Controleer de netwerkverbinding..DownloadOffline=In Browser Downloaden..Retry=Opnieuw Proberen..StartNow=Nu Beginnen..Later=Later..StartNowTips=Wilt u het programma nu starten?..InstallFailed=Installatie Mislukt..InstallFailedTips=Download offline om het volledige installatiepakket te krijgen of start de pc opnieuw op om het opnieuw te proberen...Restart=Opnieuw Opstarten..btn_Restartnow=Sta
            Process:C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe
            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):1263112
            Entropy (8bit):6.600651467754926
            Encrypted:false
            SSDEEP:24576:JisJdAcuXY/WQjkLxNEl5DYjwuoJ039NzO0lQHoR8lOuLkdNoQv:PjYzhQHou8qkboQv
            MD5:8A250A75859FE52116E706A640E6D77C
            SHA1:473C36D9D80173636FAEEB0AE4AE9E047E4E9D8B
            SHA-256:823AB6955052EF34218559B53D4F15224B5A850B532672FA33A7634DC74981DC
            SHA-512:4B519B1DE8F6647A5CBBDA11084D096E8BBFE8F694F4FDA0E0F244B477F3F15C143254B044B046302AC79B136377894027D9BAA2D4BA67ED38F5A55F480A44B4
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:PE32 image (MZ/PE headers; sections .text, .rdata, .data, .rsrc, .reloc); raw header bytes omitted
            Process:C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe
            File Type:JSON data
            Category:dropped
            Size (bytes):294
            Entropy (8bit):5.553752885599058
            Encrypted:false
            SSDEEP:6:tICb6qwNwT0gwWLwgOXLgGYjJz46uBShYRf6LDSrVhH/WEs70f1H770fy:KMQgjwgOXyJzJexRfKcHrdtHMK
            MD5:D25FFA955789F2DF613B239901D8CE62
            SHA1:EF880E097BB1E5289BF9CED898EF58DCCC65275C
            SHA-256:CBD0F2436CFF7BF3A2A93A88391EDA70889DA487D20F368FA1F78083AD2BBF7D
            SHA-512:6BA150FAEDE05C06A27F66754E47F69C484DAE062AB08ECA740B1924B1175B15AD26FA97FE2A70079543BFF9D7DE3649DD9D250EBF227C5DCE94925E19C583D6
            Malicious:false
            Preview:[7444]-12:06:52:991 ParseCmdLine param=EXEDIR=C:\Users\user\Desktop ||| EXENAME=drw_free_installer.17163939163819b153.exe ||| DOWNLOAD_VERSION=free ||| PRODUCT_VERSION=2.0.0 ||| INSTALL_TYPE=0...[7444]-12:06:53:397 Install recomand return=259..[7444]-12:06:55:491 Install recomand return=259..
            Process:C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe
            File Type:Unicode text, UTF-8 text, with CRLF line terminators
            Category:dropped
            Size (bytes):4738
            Entropy (8bit):4.9952395764331605
            Encrypted:false
            SSDEEP:96:SLmzQ90jiP1LkucYPdSwjHstWF6s/CUcYZb90O+9EPgsVHYfg:SLme0AhRc0gwLUWosqU0uY8kg
            MD5:1737B0DE1DA74E1D45285479CE66E556
            SHA1:9FF6A57D9186F3AAE00E4C307959FF7CA24C118A
            SHA-256:201229433F78F5CB87A9357921F34CAA2820B2917FF572E82A57D31DB5774E46
            SHA-512:DBDFB1DE474EEA240D1797DC35143F7258F6EC19C4A74F2C47645CD4A4253654975B90D9BBFCB202CC33D3BF872BB2FB967AA7AAC5A25C6991DEC794C184C9A1
            Malicious:false
            Preview:[string]..InstallerName=%1 Installateur..ProductName=EaseUS Data Recovery Wizard..RecommendProductName=Mobimover..InstallNow=Installer maintenant..InstallRecommend=Installer %1..LicenseTps=J'ai lu et accept. le %1..LicenseClick=contrat de licence d'EaseUS..CustomInstall=Param.tres d'installation..Languge=La langue..InstallationPath =Chemin d'installation..AgreeExperience=J'accepte de participer au programme d.am.lioration d'exp.rience d'utilisateur..Downloading=T.l.chargement, veuillez patienter.....WaitTime= (il est pr.vu d'attendre %1m %2s.)..Installing =Installation en cours .....DownloadFailed=Echec du t.l.chargement..CheckNet=Veuillez v.rifier la connexion r.seau...DownloadOffline=T.l.charger hors ligne..Retry=R.essayer..StartNow=D.marrer..Later=Plus tard..StartNowTips=Voulez-vous d.marrer le programme maintenant?..InstallFailed=L'installation a .chou...InstallFailedTips=T.l.charger hors ligne pour obtenir le package d'installation complet ou red.marrer le P
            Process:C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe
            File Type:Unicode text, UTF-8 text, with CRLF line terminators
            Category:dropped
            Size (bytes):4711
            Entropy (8bit):4.942043533856361
            Encrypted:false
            SSDEEP:96:ShppFF6wxWsMj8rSzSSwjnf7lWMpOKuFjDPuz09tKTNa2hTMYOOtD2W:ShpLF9xWzwrIhwbxFpOKuL24W
            MD5:DECAA2CBBACCAE2A64C588243FBD6435
            SHA1:851020B5CD91A24720A2A61CC75108106679C618
            SHA-256:4FFD51F20C76EE5D6CBAF16EA2AB9D0A0B0491E710C42D548724D5B5AAF3D55F
            SHA-512:3B1EA0DEE1AABB64D9335B6FA7C62F6EA4D57DA94D37085D3D5D0E995FE9BF5A7F34FE4946D874850C595800BEE00E38E054BB47923014AB596AD00B1C06BED2
            Malicious:false
            Preview:[string]..InstallerName=%1 Installationsprogramm..ProductName=EaseUS Data Recovery Wizard..RecommendProductName=Mobimover..InstallNow=Jetzt installieren..InstallRecommend=Install %1..LicenseTps=Ich habe die %1 gelesen und akzeptiere sie..LicenseClick=EaseUS Lizenzvereinbarung..CustomInstall=Installationseinstellungen..Languge=Sprache..InstallationPath =Installationspfad..AgreeExperience=Ich m.chte am Programm zur Verbesserung der Benutzerfreundlichkeit teilnehmen..Downloading=Wird heruntergeladen, bitte warten.....WaitTime= (es wird erwartet, dass Sie f.r %1m %2s warten.)..Installing =Installieren.....DownloadFailed=Download Fehlgeschlagen..CheckNet=Bitte .berpr.fen Sie Ihre Internetverbindung...DownloadOffline=Offline Download..Retry=Erneut versuchen..StartNow=Jetzt starten..Later=Sp.ter..StartNowTips=M.chten Sie jetzt das Programm starten?..InstallFailed=Installation fehlgeschlagen..InstallFailedTips=Laden Sie offline herunter, um vollst.ndiges Installationspaket zu erhalten,
            Process:C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe
            File Type:Unicode text, UTF-8 text, with CRLF line terminators
            Category:dropped
            Size (bytes):4274
            Entropy (8bit):4.952172846989875
            Encrypted:false
            SSDEEP:96:S1swSU1kpYKS7jioPAWSwja5G0JnjivGqTQ0UpJVCqk2O:S17kpYtio49waOv2p7dO
            MD5:38629FAB2999407FE8FA2DBABB097B57
            SHA1:692493408FC72747128B5678C8E5140C8C59B49E
            SHA-256:13F413DBFCBC4537D83F77E34EF0C9FA868BFA07792E990F4E94526CCEB79848
            SHA-512:1AA8283F315617C12F2BF79F1BEEC98C7319FD26A507A566B4F1130067E468817373D71EF35C2B8BBABD60E304A467F06FEBE14FF5496871CDA80E6EDCD3A70B
            Malicious:false
            Preview:[string]..InstallerName=%1 Menginstal..ProductName=EaseUS Data Recovery Wizard..RecommendProductName=Mobimover..InstallNow=Instal sekarang..InstallRecommend=Menginstal %1..LicenseTps=Saya telah membaca dan menerima %1..LicenseClick=perjanjian lisensi EaseUS..CustomInstall=Pengaturan instalasi..Languge=Bahasa..InstallationPath =Jalur instalasi..AgreeExperience=Setuju untuk berpartisipasi dalam Program peningkatan pengalaman Custmer..Downloading=Mengunduh, harap tunggu...WaitTime= (Diperkirakan menunggu selama %1m %2s.)..Installing =Instalasi.....DownloadFailed=Download gagal..CheckNet=Periksa koneksi jaringan...DownloadOffline=Download secara Offline..Retry=Coba lagi..StartNow=Mulai sekarang..Later=Kemudian..StartNowTips=Ingin Mulai Program Sekarang?..InstallFailed=Instalasi gagal..InstallFailedTips=Unduh offline untuk mendapatkan paket instalasi lengkap atau restart PC untuk mencoba lagi...Restart=Restart..btn_Restartnow=Restart sekarang..lb_RestartText=Tentu Mulai Ulang PC Sekarang?
            Process:C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe
            File Type:Generic INItialization configuration [Language]
            Category:dropped
            Size (bytes):4153
            Entropy (8bit):6.043636147359956
            Encrypted:false
            SSDEEP:96:w+Pa4QWnrxj0yJLVDLGWCiB5LOQbwcx1vy2Mim7+rUUM0b:Ba4QWnrayJLVf2iB1O+wA2imKUUJb
            MD5:B71A433376606884D121F5017D0B58F2
            SHA1:338C2ECCC9D45AEA410650302DC2D6ED5C27B24D
            SHA-256:3833439CF03C0151A53B05E080878D39C36C28F68CBFCD2B6673A7B4ACB3BC0D
            SHA-512:8B4AC6C2EDDCC774EAE8224DFF2E3A618A041E0DC0241CF8F469CE53E771DA28BF9836DF46AEEAD0162172B58B67B71007DFC1BCEE05D8BFDE5A41F2BEACD32A
            Malicious:false
            Preview:[Product]..;LanguageType=English,....,Portugu.s,Fran.ais,Espa.ol,Deutsch,Nederlands,Italiano,.....;...............ProductID=2 ..ProductName=DRW..ProductExtentPath=EaseUS Data Recovery Wizard..ProductEventName=EaseUS_Data_Recovery_Wizard ..;..ID..RecommendProductID=1 ..;....ID..ProductProcess=DRW.exe,DRWUI.exe,EURawImg.exe,EuOfficeRepairWin32.exe..FreeVersionName=free..TrialVersionName=trial ..productContrastPage=0 ..;....... 1....0.....HasRecommendProduct=0 ..;.......,1....0.....homepage=normolPage..;....tbHomePage ebcHomePage ,normolPage ..InstallPath=EaseUS\EaseUS Data Recovery Wizard..;........BackUpPath=C:\Program Files..;......BProgramFilesPath=1..;.....program files 1. 0...InstallProgramFilesPath=C:\Program Files..;...program files.
            Process:C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe
            File Type:Unicode text, UTF-8 text, with CRLF line terminators
            Category:dropped
            Size (bytes):4364
            Entropy (8bit):4.874617869709843
            Encrypted:false
            SSDEEP:96:Stfvy/ZuHm5toQv+W7RwwjAooPiqEHHS7qN2OhIoHb2Ww:StfvyBuHm5td+WFwwEqo7ICWw
            MD5:AF930A64DA61B99CB120C8A3222456EB
            SHA1:2B5F3F2EC77F649AABBC6CF40FE7DD337152E9EE
            SHA-256:1287CD9E6626EC2081379694A309578C1D83BCA25B2C621D1A5D4608CD7AF9BF
            SHA-512:4E7672D00C62CE1C7C437B99EAEC0FE48FAB3586E3D2AC8AB2A294FB30D30D52436AC7CE339023C6E3D56A4774F4ADD5C4B398568E087D3D930C8C63FD816CC6
            Malicious:false
            Preview:[string]..InstallerName=Installazione di %1..ProductName=EaseUS Data Recovery Wizard..RecommendProductName=Mobimover..InstallNow=Installa Ora..InstallRecommend=Installare %1..LicenseTps=Ho letto e accetto le %1..LicenseClick=condizioni di licenza di EaseUS..CustomInstall=Impostazioni di installazione..Languge=Lingua..InstallationPath =Percorso..AgreeExperience=Acconsento di partecipare al programma raccolta statistiche anonime uso programma...Downloading=Download in corso, prego attendere.....WaitTime=(Ci vorrebero %1m %2s.)..Installing =Installando.....DownloadFailed=Scarica Fallita..CheckNet=Controlla la connessione di rete...DownloadOffline=Scarica Offline..Retry=Riprova..StartNow=Inizia Ora..Later=Pi. Tardi..StartNowTips=Avvia ora il programma?..InstallFailed=Installazione Fallita..InstallFailedTips=Scaricare offline per ottenere il pacchetto di installazione completo o riavviare il PC per riprovare...Restart=Riavvia..btn_Restartnow=Riavvia ora..lb_RestartText=Sei sicuro di voler
            Process:C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe
            File Type:Unicode text, UTF-8 text, with CRLF line terminators
            Category:dropped
            Size (bytes):5152
            Entropy (8bit):5.791494327764329
            Encrypted:false
            SSDEEP:96:Sg+plo5HSr7ddPb/L+2YZ+wjRFDueZGTkR+xfST5voSTENTS/xFRi:Sg+I5HWXTLsZ+wTCNEvphtpFRi
            MD5:76E3CFD74C8A8C99CCD461F17CBABD4D
            SHA1:6200D3958A80AE2E7F10134256AD27EBE7037212
            SHA-256:64EFC20036A6CAD10DDBDB014444C55B6DB93A481EE5FE84210DEB2377918BB8
            SHA-512:3E69FF59296D8D36EC52C6FBA37252CA2E648BB51ABA0BDFE51FD8B2C341C4A9CE2722F372704706D9A34A40F1F38D90898ECD66FE3FBA0DE394A1457214C75E
            Malicious:false
            Preview:[string]..InstallerName=%1 .........ProductName=EaseUS Data Recovery Wizard..RecommendProductName=Mobimover..InstallNow=.............InstallRecommend=%1..........LicenseTps=...............%1..LicenseClick=EaseUS..............CustomInstall=..........Languge=....InstallationPath =.........AgreeExperience=.............................Downloading=..........................WaitTime= (......: %1m %2s)..Installing =.........DownloadFailed=...............CheckNet=...................DownloadOffline=..............Retry=.......StartNow=........Later=....StartNowTips=..................InstallFailed=.
            Process:C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe
            File Type:Unicode text, UTF-8 text, with CRLF line terminators
            Category:dropped
            Size (bytes):4550
            Entropy (8bit):6.037034351000263
            Encrypted:false
            SSDEEP:96:SezghdCE00TFTU54eSsdv3FTA3PwjHW66N51SPTyMp5bSK1cFOm2W32:Sezghu48PZ3G3PwhIwmIhT/W32
            MD5:81C343D7615A71FFA127E317C98B357E
            SHA1:F0B469E102E13384C063AA78C454ABE83233698E
            SHA-256:7E8E799B95A5E6F5AA8A18ACB78E6454E634AE52A4615F7A0B0740A51766A26F
            SHA-512:B8C8E35C4CFC609ABA55548489063D2EACB310805A0922DDF63507BF8FC084C983690DC7CE82D373C78A896EAC2EF4EAF92EE666D37DE8E5FC0B62C10D8E896C
            Malicious:false
            Preview:[string]..InstallerName=%1 ....ProductName=EaseUS Data Recovery Wizard..RecommendProductName=Mobimover..InstallNow=.. ....InstallRecommend=%1 ....LicenseTps=.. .. .. %1..LicenseClick=EaseUS .... ....CustomInstall=.. ....Languge=....InstallationPath =.. ....AgreeExperience=... .. .. .... ... ........Downloading=.... ..... ... ... .........WaitTime= ( %1m %2s .. ... ... ......)..Installing =.. ......DownloadFailed=.... ....CheckNet=........ ... .........DownloadOffline=.... ......Retry=.....StartNow=.. ....Later=.....StartNowTips=.. ..... ........?..InstallFailed=.. ....InstallFailedTips=.. .. .... .... ...... ....... PC. .. .... .. ...
            Process:C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe
            File Type:Unicode text, UTF-8 text, with CRLF line terminators
            Category:dropped
            Size (bytes):325
            Entropy (8bit):5.079622313957315
            Encrypted:false
            SSDEEP:6:5Qk+Jg+Ycc38A7XO4vo6xqrk3Eymec1iYlEJEHhuB3QRFLVGpteMKnnQex/:u/QP7XOqxqaiKXB3QRFJCLoQu/
            MD5:FFE692A67871185785EC705B1CC12C81
            SHA1:06A12BFFDFF33024A7B8798BDCDCDA1FD7255BCC
            SHA-256:373BEC6E7976324FF879C2988BAB772C69336D7BCB9A32386A6021568350A824
            SHA-512:7ECDB5A4E625370888FB3A827CB668E934E29CA764177FCA04E4EB620BEC2B664FE498C0E9E73288BF977006EABA9618A4DC5A169E0FC5588A0874D9E6BB6C50
            Malicious:false
            Preview:;...........[Language]..English=en..Japanese=jp..German=de..French=fr..Spanish=sp..Portuguese=pobr..Italian=ita..Dutch=dut..ChineseTrad=cht..Chinese=ch..Danish=Den..Swedish=Swe..Polish=Pol..Arabic=Arb..Korean=Kor..Russian=Rus..Norwegian=Nor..Indonesian=Ind..turkish=Tuk..Mungarian=Mun..Thai=Tha..Malay=Mas..
            Process:C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe
            File Type:Unicode text, UTF-8 text, with CRLF line terminators
            Category:dropped
            Size (bytes):4341
            Entropy (8bit):4.887667630289714
            Encrypted:false
            SSDEEP:96:SBlXdu0pCYpBPvGZ4I9Bj1cV20jFkDdETlRnCyPlT0lJc2qk2T:SBlX9CYpxvGr7pcV20j9ChWrdT
            MD5:534A5DFA634D7B7DF7A581D4E1D08F78
            SHA1:2C2AD2EF1DFBAFB69EDBA2F1EA7EFA152420DBA0
            SHA-256:984E71C01CB1C2DFB260AE1C0F764F6BDF91E4F523F5DC4161B3D19456993CBB
            SHA-512:7D4B6D6CCE8A6C7BF18803F69988FC54D80DD30E48DBB5336C587CEA8BC74CE1E553E1E549D43A2C2B6A2BA4D3538552DF4C5A684818A7E7EE63DB466C96EAE2
            Malicious:false
            Preview:[string]..InstallerName=%1 pemasang..ProductName=EaseUS Data Recovery Wizard..RecommendProductName=Mobimover..InstallNow=Pasang sekarang..InstallRecommend=Pasang %1..LicenseTps=Saya telah membaca dan menerima %1..LicenseClick=Perjanjian Lesen EaseUS..CustomInstall=Tetapan pemasangan..Languge=Bahasa..InstallationPath=Laluan Pemasangan..AgreeExperience=Bersetuju untuk menyertai Program Peningkatan Pengalaman Pelanggan..Downloading=Sedang Memuat turun..Installing=Memuat turun, sila tunggu...DownloadFailed=Muat turun gagal..WaitTime= (Ia dijangka menunggu selama %1m %2s.)..CheckNet=Sila periksa sambungan rangkaian...DownloadOffline=Muat turun Luar Talian..Retry=Cuba lagi..StartNow=Mulakan sekarang..Later=Kemudian..StartNowTips=Ingin Memulakan Program Sekarang?..InstallFailed=Pemasangan gagal..InstallFailedTips=Muat turun di luar talian untuk mendapatkan pakej pemasangan penuh atau mulakan semula PC untuk mencuba lagi...Restart=Mulakan semula PC..btn_Restartnow=Mulakan semula sekarang..lb
            Process:C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe
            File Type:Unicode text, UTF-8 text, with CRLF line terminators
            Category:dropped
            Size (bytes):5647
            Entropy (8bit):5.242008838233848
            Encrypted:false
            SSDEEP:96:St824dcCSfLhwjAWSwjbKkkRFgr0ZOE636z/WUsQ0d28SYSQnP1m/T66i/v2pm:St8HdPSf1wc9wfKkk7m6br7sGDP6tFX3
            MD5:35331ED66C059568C54865EF7D41087C
            SHA1:480FBFA2C4265C526B148A9725994C1C687355BD
            SHA-256:F55A35E6D3CCC944D4C264E34244A127BCE54079621CAB25D9E8E53CC1F9AC07
            SHA-512:70BD95CE94C32FCF5E252AA9762BA6BE8112D4F8FDD1172B3588246FA4A5E7C91E18179228BF9A5204FEF1D30563E7C69B1E1E0829310933A18B1478BF7F4199
            Malicious:false
            Preview:[string]..InstallerName=%1 telep.tse..ProductName=EaseUS Data Recovery Wizard..RecommendProductName=Mobimover..InstallNow=Felszerel most..InstallRecommend=%1 telep.t.se..LicenseTps=Elolvastam .s elfogadtam %1..LicenseClick=EaseUS licencszerz.d.st..CustomInstall=Telep.t.si be.ll.t.sok..Languge=Nyelv..InstallationPath =Telep.t.si .tvonal..AgreeExperience=Meg.llapodnak abban, hogy r.szt vegyenek custmer tapasztalat jav.t. program..Downloading=Let.lt.s, k.rj.k, v.rjon...WaitTime= (V.rhat.an %1p %2s.)..Installing =Telep.t.se.....DownloadFailed=Let.lt.s nem siker.lt..CheckNet=Ellen.rizze a h.l.zati kapcsolatot...DownloadOffline=Let.lt.s offline..Retry=.jra..StartNow=Elkezd most..Later=K.s.bb..StartNowTips=Szeretne most elind.tani a programot?..InstallFailed=Telep.t.s nem siker.lt..InstallFailedTips=T.ltse le offline .llapotban a teljes telep.t.csomag el.r.s.hez, vagy ind.tsa .jra a sz.m.t.g.pet, hogy .jra megpr.b.lja...Restart=Ind.
            Process:C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe
            File Type:Unicode text, UTF-8 text, with CRLF line terminators
            Category:dropped
            Size (bytes):4331
            Entropy (8bit):4.986041692080868
            Encrypted:false
            SSDEEP:96:SZW6SqbvTbksATWSwj52UhqTk5Fgr0ZOE636z/WUsQ0d2l:SZNvv/kNT9wiTYm6br7sGl
            MD5:74F6E38B2B7AC3893B1AB6C092B854D1
            SHA1:583B35335D479E9E3BC6B412A7CAE52FC1B3D3BF
            SHA-256:9692FECB48E8745F26C235C8925F106E56E862CD1B7B8CA8C84B8CB751B7A748
            SHA-512:0464BE71E6EEAC902346D1A5119612D7BDE62D2EFCB15D4A14CF88814294358E69BA592CFD5F4B86EEB72FE3E3A9C2EDF61510AE16B16CA5D0A591DBB416E0AF
            Malicious:false
            Preview:[string]..InstallerName=%1 Installer..ProductName=EaseUS Data Recovery Wizard..RecommendProductName=Mobimover..InstallNow=Installer n...InstallRecommend=Installer %1..LicenseTps=Jeg har lest og akseptert %1..LicenseClick=EaseUS Lisensavtale..CustomInstall=Installasjonsinnstillinger..Languge=Spr.k..InstallationPath =Installasjonsvei..AgreeExperience=Godta . delta i Customer Experience Improvement Program..Downloading=Laster ned, vennligst vent.....WaitTime= (Det forventes . vente i %1m %2s.)..Installing =Installerer .....DownloadFailed=Nedlasting mislyktes..CheckNet=Vennligst sjekk nettverksforbindelsen...DownloadOffline=Last ned frakoblet..Retry=Pr.v igjen..StartNow=Start n...Later=Senere..StartNowTips=Vil du starte programmet n.?..InstallFailed=Installasjonen mislyktes..InstallFailedTips=Last ned offline for . f. full installasjonspakke eller start PC p. nytt for . pr.ve igjen...Restart=Restart..btn_Restartnow=Start p. nytt n...lb_RestartText=Sikker p. . starte PCen p.
            Process:C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe
            File Type:Unicode text, UTF-8 text, with CRLF line terminators
            Category:dropped
            Size (bytes):4649
            Entropy (8bit):5.225222333646186
            Encrypted:false
            SSDEEP:96:SF1TP6QlypRZ6ZBZeZI451OueAWSwjQQZmZIIPKZ34V6bgI7ginVQoZnFNR2X0:SF1jVane3yt1Bp9w/K/O5LjFNm0
            MD5:DEF85351F7FDA76B962D6DE5F86F5FE5
            SHA1:C47F43BCD9FF278429297B559E9103642C4A7EFC
            SHA-256:E833E96EA0E4568FDDF90386AFDFF3F9BED6EA643FAF9EE6BC0938BE71344294
            SHA-512:0A9FD9F708B7EECA12ED9F361B379EB1C89571E06679E06DC4DAA4A4694B29B25F69ADA42A8133CE8E067383B1A6579A320D91E543521EF9F555D17FBD9C01D4
            Malicious:false
            Preview:[string]..InstallerName=%1 Instalacja..ProductName=EaseUS Data Recovery Wizard..RecommendProductName=Mobimover..InstallNow=Zainstaluj teraz..InstallRecommend=Instalacja %1..LicenseTps=Przeczyta.em i zaakceptowa.em %1..LicenseClick=umow. licencyjn. EaseUS..CustomInstall=Ustawienia instalacji..Languge=J.zyk..InstallationPath =.cie.ka instalacji..AgreeExperience=Zgadzam si. na uczestnictwo w programie poprawy jako.ci obs.ugi klienta..Downloading=Pobieranie, prosz. czeka....WaitTime= (Oczekuje si., .e b.dzie czeka. %1m %2s.)..Installing =Instalowanie.....DownloadFailed=Pobieranie nie poWiod.o si...CheckNet=Prosz. sprawdzi. po..czenie sieciowe...DownloadOffline=Pobierz w trybie offline..Retry=Pon.w pr.b...StartNow=Zacznij teraz..Later=P..niej..StartNowTips=Chcesz rozpocz.. program teraz?..InstallFailed=Instalacja nie poWiod.a si...InstallFailedTips=Pobierz offline, aby uzyska. pe.ny pakiet instalacyjny lub uruchom ponownie komputer, aby spr.bowa. ponowni
            Process:C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe
            File Type:Unicode text, UTF-8 text, with CRLF line terminators
            Category:dropped
            Size (bytes):4433
            Entropy (8bit):4.991097438110485
            Encrypted:false
            SSDEEP:96:SB3g+ctNMPGfSfzSSwjE+EBTZkCSZOkZK2M8:SB3g+ctyPGfehwI7SM8
            MD5:7DA92400736262F4E3032DC4B977AB39
            SHA1:B08A564C2F4138714614DBE436673B724C9FA2B0
            SHA-256:E22707B2E0E21C3DF87F7F85EDA9A3E76F98BDB76EDD3ED07CD19DBFA2CDC967
            SHA-512:132E55942B2F4C638B32EE51FE5C1510E83F8D290076D4BBC86B5D6797B47C844D66C5EB84E14C98DC4912F0F5D4B1339B59B239C8E5C6404387E991728997BA
            Malicious:false
            Preview:[string]..InstallerName=Instalador de %1..ProductName=EaseUS Data Recovery Wizard..RecommendProductName=Mobimover..InstallNow=Instalar Agora..InstallRecommend=Instalar %1..LicenseTps=Eu li e aceito %1..LicenseClick=Contrato de Licen.a da EaseUS..CustomInstall=Configura..o de instalar..Languge=L.ngua..InstallationPath =Caminho de instalar..AgreeExperience=Concordar em participar do Programa de Melhoria da Experi.ncia do Cliente..Downloading=Baixando, aguarde.....WaitTime=(espera-se esperar %1m %2s.)..Installing =Instalando.....DownloadFailed=Falha no Download..CheckNet=Verifique a conex.o de rede...DownloadOffline=Baixar off-line..Retry=Tente novamente..StartNow=Iniciar Agora..Later=Mais Tarde..StartNowTips=Quer iniciar o programa agora?..InstallFailed=Instala..o Falhada..InstallFailedTips=Fa.a o download offline para obter o pacote de instala..o completo ou reinicie o PC para tentar novamente...Restart=Reiniciar..btn_Restartnow=Reiniciar Agora..lb_RestartText=Tem certeza que
            Process:C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe
            File Type:Unicode text, UTF-8 text, with CRLF line terminators
            Category:dropped
            Size (bytes):6500
            Entropy (8bit):5.159362915190586
            Encrypted:false
            SSDEEP:96:SeKiY2bqUw9sKzwYYNaum9E+DmAWSwj4hwRt5P6dSRR/0plczz22W7:SeKP2WU6s1fm3DB9wLRt5zvW7
            MD5:5AFE8AE210DFF6FB6962030283B9EF2A
            SHA1:F5F5DBB648466DF9F3D5CEB8C7770BFD7E2D5880
            SHA-256:043B705D2B019574E7BEF57BD2DDA9E916BB85C56E4B375DDB5F5C06AB21B936
            SHA-512:5607D47174D444E9CC1EB3DA0EF97773BF8B28096380DBD8C6AD1C3E0D0102D092A9B43661F48192E05CB09CACC51E4D5DDB98BF2E15C0FEF92B19ABDC61243F
            Malicious:false
            Preview:[string]..InstallerName=%1 ...........ProductName=EaseUS Data Recovery Wizard..RecommendProductName=Mobimover..InstallNow=.......... ........InstallRecommend=......... %1..LicenseTps=. ........ . ...... ............ %1..LicenseClick=.......... EaseUS..CustomInstall=......... ...........Languge=......InstallationPath =.... ...........AgreeExperience=....... ....... . ......... ......... ..... custmer..Downloading=........, ............WaitTime= (......... ..... ........ %1m %2s.)..Installing =..............DownloadFailed=.... ... ..........CheckNet=......... ....... ..............DownloadOffline=....... .........Retry=...........StartNow=...... ........Later=.......StartNowTips=......... .........
            Process:C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe
            File Type:Unicode text, UTF-8 text, with CRLF line terminators
            Category:dropped
            Size (bytes):4495
            Entropy (8bit):4.949457770160705
            Encrypted:false
            SSDEEP:96:SBc+r7UFtIbJuLdswj6cXj0g1diD/riG+LyG5L:SBaTIbMBswOc0V0L
            MD5:BBB23BFC6347B444DC4E53D72988040B
            SHA1:ED205392DF5999EBBD0A36BEA3EBCA1A2F33D2C3
            SHA-256:8EBEB0AC321D81F5C5E5B5E157C554350CC224BB7222A1C97EFFC8FF987AC9C2
            SHA-512:6EA1B732B6AAEABEAAE47630768972448BB34CC548B4F19C70ADBCE1D27FC01647B85749D0CD31682B823339D775CD9F4A6DDB7F35A643526C052FB8982112B9
            Malicious:false
            Preview:[string]..InstallerName=Instalador de %1..ProductName=EaseUS Data Recovery Wizard..RecommendProductName=Mobimover..InstallNow=Instalar ahora..InstallRecommend=Instalar %1..LicenseTps=He le.do y acepto %1..LicenseClick=el acuerdo de licencia de EaseUS..CustomInstall=Configuraci.n de la instalaci.n..Languge=Idioma..InstallationPath =Ruta..AgreeExperience=Acepto unirme al Programa para la mejora de la experiencia del usuario..Downloading=Descargando, por favor espere.....WaitTime= (se espera %1m %2s.)..Installing =Instalando......DownloadFailed=Descarga fallida..CheckNet=Compruebe la conexi.n de red...DownloadOffline=Descargar fuera de l.nea..Retry=Reintentar..StartNow=Ejecutarlo ahora..Later=M.s tarde..StartNowTips=.Quiere abrir el programa ahora?..InstallFailed=Instalaci.n fallida..InstallFailedTips=Descargar sin conexi.n para obtener el paquete de instalaci.n completo o reiniciar el PC para intentarlo de nuevo...Restart=Reiniciar..btn_Restartnow=Reiniciar ahora..lb_RestartTex
            Process:C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe
            File Type:Unicode text, UTF-8 text, with CRLF line terminators
            Category:dropped
            Size (bytes):4333
            Entropy (8bit):5.034197413624276
            Encrypted:false
            SSDEEP:96:SZwHa+6hR1wQmZBdwRuypKAWSwjH6BFvbaQJsIWTAz/4QRPaW2/:SZwHa+YRSjBwRuI19wj6LPIArjPY/
            MD5:2C206DD32AAE28D37379B6C3996705F3
            SHA1:BA777AA9E71E6C9974785B6B5FF1BFE761F4938F
            SHA-256:E708764646CC998C00D5CB4A916E9EC28DBA59C1A9DFDFF39EC4214EC2A65DAF
            SHA-512:54B1589121AD89CEFBF62F512FE5C82DAC21342D3F27428AD9CF93B7A6B0CB2C7EC42658C8748F8F33B2DCE18E2D6079BEA33F53DED20D7A938C13B37C50DF80
            Malicious:false
            Preview:[string]..InstallerName=%1 Installer..ProductName=EaseUS Data Recovery Wizard..RecommendProductName=Mobimover..InstallNow=Installera nu..InstallRecommend=Installera %1..LicenseTps=Jag har l.st och godk.nt %1..LicenseClick=EaseUS licensavtal..CustomInstall=Installationsinst.llningar..Languge=Spr.k..InstallationPath =Installationsv.gen..AgreeExperience=Enas om att delta i programmet Customer Experience Improvement..Downloading=H.mtar, v.nligen v.nta.....WaitTime= (Det f.rv.ntas v.nta i %1m %2s.)..Installing =Installerar.....DownloadFailed=H.mtning misslyckades..CheckNet=Kontrollera n.tverksanslutningen...DownloadOffline=H.mta offline..Retry=F.rs.k..StartNow=B.rja nu..Later=Senare..StartNowTips=Vill du b.rja programmet nu?..InstallFailed=Installation misslyckades..InstallFailedTips=Ladda ner offline f.r att f. fullt installationspaket eller starta om datorn f.r att f.rs.ka igen...Restart=Omstart..btn_Restartnow=Starta om nu..lb_RestartText=.r du s.ker p. att star
            Process:C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe
            File Type:Unicode text, UTF-8 text, with CRLF line terminators
            Category:dropped
            Size (bytes):8489
            Entropy (8bit):4.542747482857118
            Encrypted:false
            SSDEEP:192:S2isCjfllQjHl5U5oG151wWeo5ysNkQd5f8F7ZtVIn3tyK/e+3Zvi+MyWWjwz8Is:UsC7lCjHl5U5oG151wWeo5ysGQd5f8FK
            MD5:6E1EDD82F7D13D4A811982392466C002
            SHA1:4A6F3C8C945D485E6EAAD7DE6F334CFC8033B352
            SHA-256:69394BA3B1F01C4218E169A6E16B56C2C857BA9B0D7B1FD57FA808249E68793B
            SHA-512:F19B3DC3D96F9E88A77BE9EB726DB353E803EDDCADB55072935FBCCD51DB6B9B34FFEAAE1EE294CC12E1FE9AF0BFC3B821E2ECF79DB63E46E0F86D30A79517A4
            Malicious:false
            Preview:[string]..InstallerName=.......... %1..ProductName=EaseUS Data Recovery Wizard..RecommendProductName=Mobimover..InstallNow=.................InstallRecommend=....... %1..LicenseTps=................... %1 ......LicenseClick=...................... EaseUS..CustomInstall=......................Languge=......InstallationPath=...................AgreeExperience=................................................Downloading=.............. ..................WaitTime=(.................. %1m %2s)..Installing=..............DownloadFailed=...........
            Process:C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe
            File Type:Unicode text, UTF-8 text, with CRLF line terminators
            Category:dropped
            Size (bytes):4661
            Entropy (8bit):5.247656049357231
            Encrypted:false
            SSDEEP:96:SRDS3w7OzmLmtnqEWAe/z4/8KGGrztkxwOhiT8HMHZaEATP5+eTu482+:SR23w6zLtnHWAF/8KGG/tkwa0sEukg+
            MD5:0A80A0D0AC19F97D6133DC156499DC0B
            SHA1:29F54F8925E47CA22EECC1E65A698F5331D76E53
            SHA-256:29499DA747B2FA0CC759DE34D085682256912F4AB27E3ED64ACEE2F2474E355E
            SHA-512:899C54C48C19E8E8966DB086737DBA3C4A04916A339239BD5D9D3A4682B65140E670AAC29B736E5ACFCC60C493E9A0ABD713756AEDA2F7C7E7972A3C58C7E679
            Malicious:false
            Preview:[string]..InstallerName=%1 Y.kleyicisi..ProductName=EaseUS Data Recovery Wizard..RecommendProductName=Mobimover..InstallNow=.imdi Y.kle..InstallRecommend=%1 Y.kle..LicenseTps=%1 okudum ve kabul ediyorum..LicenseClick=EaseUS Lisans S.zle.mesi'ni..CustomInstall=Y.kleme ayarlar...Languge=Dil..InstallationPath =Kurulum Yolu..AgreeExperience=M..teri Deneyimi .yile.tirme Program.na kat.lmay. kabul ediyorum..Downloading=.ndiriliyor, l.tfen bekleyin...WaitTime= (%1m %2s kadar beklenmesi bekleniyor.)..Installing =Y.kleniyor..DownloadFailed=.ndirme Ba.ar.s.z Oldu..CheckNet=L.tfen a. ba.lant.s.n. g.zden ge.irin...DownloadOffline=.evrimd... .ndir..Retry=Yeniden Dene..StartNow=.imdi Ba.lat..Later=Sonra..StartNowTips=.imdi Program. Ba.latmak .stiyor Musunuz?..InstallFailed=Kurulum Ba.ar.s.z Oldu..InstallFailedTips=Tam kurulum paketini almak i.in .evrimd... indirin veya tekrar denemek i.in PC'yi yeniden ba.lat.n...Restart=Yeniden Ba.lat..btn_Rest
            Process:C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe
            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
            Category:modified
            Size (bytes):1396
            Entropy (8bit):3.918776434151241
            Encrypted:false
            SSDEEP:24:Ql5qoJthHI/J+kgb2X9EpsCXp46VeWKsG2LjeAWv/613QMQsKZSqyE:jgoEkbX9ESYDG2LjeHujTgyE
            MD5:42CFF8F654B455F29054F6FC887D6A98
            SHA1:49284E5BCD85D5C4148C958132C04BC3A95F8377
            SHA-256:FDCF2A6B26CE55C7D3C9E2BBEC7983C732A46A3107E57A1C4A74C957F31D9426
            SHA-512:0A0F2751874C62F5C9400EB80212C9FF6731E9E1FDF6E62CE1B2392AB8BDDA0D89B1D461C29934A87634DF0D0D203A61F32A3B695CB955660FCBF65EC20FB4E1
            Malicious:false
            Preview:[Config]..LOGENDPOINT=WkZoTmRGcFhSbnBrUXpCNFRHMTRkbHA1TldoaVIydzFaRmMxYW1ONU5XcGlNakE5..ACCESSKEYID=VkVaU1FsTlZTa1ZUU0dSTlV6QjBNbU13WjNoUFVUMDk=..ACCESSKEYSECRET=V1d4T2QwOUdaRnBOUkVaT1dqTm9TbEZ1VGpGU2VrWktZMVJDYzAxWGFGTldhbVJoV1d0TmVRPT0=..PROJECTNAME=V2xkR2VscFlWbnBoVnpWdFluYzlQUT09..LOGSTORENAME=WWtjNWJtTXpVblpqYlZabVdraEtNMWd5YkhjPQ==..LOGSTORENAME2=WWtjNWJtTXpVblpqYlZabVdraEtNMWd5TlhaaFdFRTk=..bAllowSendInfo=1..bAutoAddUid=1..bAutoAddTimestamp=1..bGenerateTestInfo=1..nbLimitKeyvalueMaxLen
            Process:C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe
            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):494088
            Entropy (8bit):6.701938599658677
            Encrypted:false
            SSDEEP:12288:YaK0OuDBlYPIj/q9DQsEfExtrlp87pMaIPuboWMlyF0Ps:W9DeuBc/IPu8WMAF0Ps
            MD5:58968E221F2522D98DBFE7574D0C44AA
            SHA1:424B55216F2C832202C01363E013546380F5312A
            SHA-256:265170E701EC453B13249E7A4E4F401B87FAE79442CCE77060213EBCD03828C0
            SHA-512:9BBA6FFBEC9B6D3DE7B530B056098465A54B66494DB7E7CA82E8C98802FB5A1CB500F5D505387F2A33FB9A42A533D5838B1125EF14AFAD11285410652C6F07B5
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[@...!.K.!.K.!.K.nfK.!.K.YtK_!.K.YeK.!.K8.K.!.K.!.K.!.K.YsK. .K.YzK.!.K.YbK.!.K.YaK.!.KRich.!.K........PE..L......]...........!.........>......)........0......................................p.....@.................................H........`...............`...*...p..07.. 3..................................@............0...............................text............................... ..`.rdata.......0......."..............@..@.data....E..........................@....rsrc........`......................@..@.reloc...D...p...F..................@..B................................................................................................................................................................................................................................................................................................................................
            Process:C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe
            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):110088
            Entropy (8bit):6.438187182004648
            Encrypted:false
            SSDEEP:1536:A554a+kMgHZ73LkUluTbDJgX+oLENoN2CraI9WkF1X8OEdlg5BaAUH7jfrxZM:TswTbD6LLraInhEdlg5BJUHXf8
            MD5:F3B9A2D94682FEE26FC079BA1E0FB040
            SHA1:FF9E89FBCB6939095ECFA34438D9E6EBF9AD6FB4
            SHA-256:CDC9EE419589B8E378B030A5180B12CF4E1FC2FA132DBAF0E961ADBE3C782E55
            SHA-512:40BAA3D59EB931EEAB583ECBD4526031BC8D455192D69C3F87B9220EBAAB194A2922E4A3E9E36DB3A587F56961C0686B81BCEC8382AC02F968F31B566581BBBD
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i....,...,...,...,...,...,...,...,...,...,...,.2|,...,...,...,...,...,...,...,Rich...,................PE..L......].....................l.......z.......0....@.......................................@.................................0e..x........................*...........1..............................`V..@............0..l............................text............................... ..`.rdata...=...0...>..................@..@.data...`-...p.......V..............@....rsrc................h..............@..@.reloc...............j..............@..B................................................................................................................................................................................................................................................................................................................................
            Process:C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe
            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
            Category:modified
            Size (bytes):88
            Entropy (8bit):3.173026079624601
            Encrypted:false
            SSDEEP:3:QMk7lOLGZlx+lLmlqqxxQXxlEr7lgl4e9:QlsWlYJmwq3QXjElgl4Q
            MD5:2BA1128174977822E604DB728E8BE71C
            SHA1:414E06CFD3A747A4B6CB315FB8318FD57C989D82
            SHA-256:8AC9C8EACF08C21B37F83663DD54F6625A500A0F40826DBE9F2137923E4DD87B
            SHA-512:C873C844317606F6EB11B33A459CFD0A1A610A2DBD0EC8E0E76BD9E9B262953657C42FAC797B3E6E737F90604A31213577FAC1DBA8359AD42F8F0A8C00FF9C30
            Malicious:false
            Preview:[HEAD_DATA]..TOTALCOUNT=1..STARTINDEX=0..
            Process:C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe
            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):67592
            Entropy (8bit):6.539401493696455
            Encrypted:false
            SSDEEP:768:CVyp8XwXEXrjOgRXvLH4IE3jDnIoiiBbIADgykhUMId50BLbCYiHDLlGAMxkEy/:CECwXShvLYIE3nnInie2khc50k7jex2/
            MD5:99891AAA0E15B2A514A4FF5C9EC03F4D
            SHA1:FAF215763908A9A6B8413C7E40293FE4BE9BFE7B
            SHA-256:505AB42F0F376A4D8576BBEC9CFDCE43DEABE168356DEE760000319A73E72611
            SHA-512:36F6D66987506A938FAA7503E0FA3A6CF76AA9CA6A30EA7CB7E80D058CF203EAE152EF97B2329BA83BB18FC70430A2E00E9AA1F408E94B132813B4BF741697DE
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......@.....S..S..S..:S!.S..+S..S..=ST.S#..S..S..SJ.S..4S..S../S..SRich..S........PE..L......].....................N......M'............@.......................... .......7....@.................................t...<........................*..........@...................................@............................................text............................... ..`.rdata..@(.......*..................@..@.data...............................@....rsrc...............................@..@.reloc.."...........................@..B................................................................................................................................................................................................................................................................................................................................................
            Process:C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.exe
            File Type:very short file (no magic)
            Category:dropped
            Size (bytes):1
            Entropy (8bit):0.0
            Encrypted:false
            SSDEEP:3:V:V
            MD5:CFCD208495D565EF66E7DFF9F98764DA
            SHA1:B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
            SHA-256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
            SHA-512:31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
            Malicious:false
            Preview:0
            Process:C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe
            File Type:MS Windows icon resource - 10 icons, 16x16, 16 colors, 4 bits/pixel, 32x32, 16 colors, 4 bits/pixel
            Category:dropped
            Size (bytes):66622
            Entropy (8bit):7.200049591188769
            Encrypted:false
            SSDEEP:1536:PEJFQHJXdXtM6LJWEXIVUpjSICCIV1A7vku:PEJFQHFltM6sEXIVUpjfIA7vN
            MD5:E7BA7ED202773284C3DD85E4162C38D3
            SHA1:7467DA2D1455C5AF1419DA18FEAE2CB5C3558A3D
            SHA-256:AA4DF8B6F5BC456121EAFD03857098E56A4357A2BAE7CDD651CAFD2CFD78AC7D
            SHA-512:87DCA3BCEF8B309A501FFE3EEFB5B20194DCF3B9729F024577F3D57DC025643E556C5C01797606483590E5DBD28502425C5F603A0077CC2E4561DDDD0322EFC1
            Malicious:false
            Preview:..............(....... ..............00......h...............h....... ..............00.................... .h....'.. .... .....>,..00.... ..%...<........ ......b..(....... ..........................................................................................................FF.....F.lf@...l|f.........`...............f..~~...@...~....g..w..`.....@......@....n`.......@....FFF...............?..........................................................(... ...@......................................................................................................................d..............g.t`............llf.d..........g..lf.F@.......~..v.lln.@.....N..l.v.f|f@..........ll.l.`...........lf.|`..........|...f@.......g.n.l||.`......|.|l~.n.@........n.n...p...........~...V............`.g...........@.......w|..f`..h.........t....F....y..x...V............`............~..............@.....~........`.........................~.~............................p.....
            Process:C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe
            File Type:Unicode text, UTF-8 text, with CRLF line terminators
            Category:dropped
            Size (bytes):4030
            Entropy (8bit):4.974804558492645
            Encrypted:false
            SSDEEP:96:SZ6f0DyqeVb0WLgWSwjzRipWaP3TtIW5aJx6dxkBEs2W2:SZ6f0DylqW09wvUp/vBogUuW2
            MD5:514C7CFA0101EAE70994AFD3FA7801C3
            SHA1:BD6249FE023542C5BE1180B76343E4E220BE7148
            SHA-256:A6237A06959F1BF65FC2B3E77AE509D3BCA1713340227B7FBB66E28DA4F84404
            SHA-512:D889FFD4495EC023394D1170B97BF40FAD9FF202B36500FE85D6620CC08E3C42580CAF6992C09817646A93D253CFECE8E94B66B14E6EEE5CEFCE3F91B5FA4919
            Malicious:false
            Preview:[string]..InstallerName=%1 Installer..ProductName=EaseUS Data Recovery Wizard..RecommendProductName=Mobimover..InstallNow=Install Now..InstallRecommend=Install %1..LicenseTps=I have read and accepted %1..LicenseClick=EaseUS License Agreement..CustomInstall=Installation settings..Languge=Language..InstallationPath =Installation Path..AgreeExperience=Agree to participate in Customer Experience Improvement Program..Downloading=Downloading, please wait...WaitTime= (It is expected to wait for %1m %2s.)..Installing =Installing, please wait...DownloadFailed=Download Failed..CheckNet=Please check the network connection...DownloadOffline=Download Offline..Retry=Retry..StartNow=Start Now..Later=Later..StartNowTips=Want To Start Program Now?..InstallFailed=Installation Failed..InstallFailedTips=Download offline to get full installation package or restart PC to try again...Restart=Restart PC..btn_Restartnow=Restart now..lb_RestartText=Sure to Restart PC Now?..lb_RestartTip=In most cases, progr
            Process:C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe
            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
            Category:dropped
            Size (bytes):1499226
            Entropy (8bit):7.9845663401363405
            Encrypted:false
            SSDEEP:24576:ieUyKyJthS35e64nQFQBKkou5O7lvEqY97Xk+8rgbSQj/4DTFHtkr68ft8Zpy:5U5ypEd4QAKkA5R+AgmU/4HFNkr18O
            MD5:784C6F9B53521F4CB115532F49B67A36
            SHA1:7DCD0E24B7940156FC5BE4EDB185A57A030B45EF
            SHA-256:A0951464134E2AF94ECD389EA9C0F3D784BAE909F60EB2F45D7764B4DBDE7A73
            SHA-512:88851E60A1EC3974558B45E422B2A6B412A2A87603E9A1A61BA5491D2C8475C269F29164DD25AC7A3C72D0AD190437E0DC93C02C6A9F2C85BA599C89ED315F21
            Malicious:false
            Preview:PK.........Y.W..1Pd...........bg.png..+.q..?....lY!...Nd..V+.g=...rP..F6R.Ma.\.EqQ..\...J..v..\...F).G.......O.....|?..j..e2...`R......W..&.......\NHd..i#...1...).@V&@.Fh.i..q.<KX..J.m..%f...K...@.]....y...8.V..,F.'.s.|.So..k...r........U.Q..X...T..D.c.wj#d....gDTS.=z...G..=z......>.q9.;a..2..n.A...CR.~.\......8b..........E.BG...9..# ..K.g.7.H.SG@......OPK.........Y.W..W7............configpage.xml.X...@.^.S.u.... &?...D..1!.....i.......nbt.eaL...x{.Q\....B.......7....x.ym..2.il;..T.$K.S.i..:....mi[..v.P..q.U,....K.....7......o...........6'.b.W.2...)....H.../.1;C4nt...A............`c...S..6..,0.d'..ff..nH.....G&.FKB`"l.2.......,.M.v..._.c.!?..q.f6.........{.Ug..3..8.&u9.&.J....-.6(H@..Y..d.;J....J-q......x*.......t........Y.hn..u0.e0.8....>.@.&..EQ........j1n.p9g....s....k.l..6s..>r.&....Eh..j..S.Gz..e...)...I.}/..b.K!..[..6./.d0.4..EC.1.V.khc...4.(}.._`.{.D..Rv,.G.g.......r....UfY.j......c).,Mq..(..>...n._..s.Y..U.S.`
            File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
            Entropy (8bit):7.99146778985103
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.96%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:drw_free_installer.17163939163819b153.exe
            File size:2'654'624 bytes
            MD5:6e3bc255dc7b79e452c66610c741eb95
            SHA1:972d9adbec19dd1277b4329fa13641847ca18c87
            SHA256:bdb74a31956e7c2ce7a3c6344ac7265d84b735c1038a390168f01d6d9fa43b3a
            SHA512:8f79aff54a92394ee1098c92b7bb0880369cdacf0aa482475edb47857838687eb06ec2f33075eb2343c54284d8cf8ccf6e50cbe4a96ed36f63321796eb1f8562
            SSDEEP:49152:e/jU67vjsddEhjFGNS9LXQOjOQKK6bxM1vehddPa46JFUxkVxq6ZBcMucAtL:2U67vYUhjjV5OdbOUhDPWTUq9cMPOL
            TLSH:F2C533092380D11BEC8484318FDD34B52A966D234CE65E53A305FFAC73956DABC52BAF
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...<.oZ.................h.........
            Icon Hash:33336d693b2b1f0e
            Entrypoint:0x40338f
            Entrypoint Section:.text
            Digitally signed:true
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Time Stamp:0x5A6FED3C [Tue Jan 30 03:57:48 2018 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:b34f154ec913d2d2c435cbd644e91687
            Signature Valid:true
            Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
            Signature Validation Error:The operation completed successfully
            Error Number:0
            Not Before, Not After
            • 21/09/2022 01:00:00 02/12/2024 23:59:59
            Subject Chain
            • CN="CHENGDU YIWO Tech Development Co., Ltd.", O="CHENGDU YIWO Tech Development Co., Ltd.", L=成都市, S=四川省, C=CN, SERIALNUMBER=91510107765360104N, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.1=武侯区, OID.1.3.6.1.4.1.311.60.2.1.2=四川省, OID.1.3.6.1.4.1.311.60.2.1.3=CN
            Version:3
            Thumbprint MD5:65C6F555EF8DAC075EB0C1097C43862C
            Thumbprint SHA-1:E044E920D56ECE15D7A21DD058651A3F2166CFD6
            Thumbprint SHA-256:65178EE438BD0ECB878802F6229C71E6497627671344247DA9FCF37C1DAF74BC
            Serial:03BD221937F2D796FA7029547B190301
            Instruction
            sub esp, 000002D4h
            push ebx
            push esi
            push edi
            push 00000020h
            pop edi
            xor ebx, ebx
            push 00008001h
            mov dword ptr [esp+14h], ebx
            mov dword ptr [esp+10h], 0040A2E0h
            mov dword ptr [esp+1Ch], ebx
            call dword ptr [004080A8h]
            call dword ptr [004080A4h]
            and eax, BFFFFFFFh
            cmp ax, 00000006h
            mov dword ptr [00434EECh], eax
            je 00007FBEBC9171D3h
            push ebx
            call 00007FBEBC91A485h
            cmp eax, ebx
            je 00007FBEBC9171C9h
            push 00000C00h
            call eax
            mov esi, 004082B0h
            push esi
            call 00007FBEBC91A3FFh
            push esi
            call dword ptr [00408150h]
            lea esi, dword ptr [esi+eax+01h]
            cmp byte ptr [esi], 00000000h
            jne 00007FBEBC9171ACh
            push 0000000Ah
            call 00007FBEBC91A458h
            push 00000008h
            call 00007FBEBC91A451h
            push 00000006h
            mov dword ptr [00434EE4h], eax
            call 00007FBEBC91A445h
            cmp eax, ebx
            je 00007FBEBC9171D1h
            push 0000001Eh
            call eax
            test eax, eax
            je 00007FBEBC9171C9h
            or byte ptr [00434EEFh], 00000040h
            push ebp
            call dword ptr [00408044h]
            push ebx
            call dword ptr [004082A0h]
            mov dword ptr [00434FB8h], eax
            push ebx
            lea eax, dword ptr [esp+34h]
            push 000002B4h
            push eax
            push ebx
            push 0042B208h
            call dword ptr [00408188h]
            push 0040A2C8h
            Programming Language:
            • [EXP] VC++ 6.0 SP5 build 8804
            Name                                  Virtual Address  Virtual Size  Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
            IMAGE_DIRECTORY_ENTRY_IMPORT          0x8608           0xa0          .rdata
            IMAGE_DIRECTORY_ENTRY_RESOURCE        0x45000          0x10d40       .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
            IMAGE_DIRECTORY_ENTRY_SECURITY        0x285798         0x2a08
            IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
            IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
            IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
            IMAGE_DIRECTORY_ENTRY_IAT             0x8000           0x2b0         .rdata
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
            IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
            (The SECURITY entry holds a raw file offset rather than an RVA, which is why it maps to no section: 0x285798 + 0x2a08 = 0x2881a0 = 2'654'624, exactly the file size, so the Authenticode signature is the last 0x2a08 bytes of the file.)
            Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy            Characteristics
            .text   0x1000           0x6627        0x6800    8c030dfed318c62753a7b0d60218279b  False     0.6642503004807693   data       6.452235553722483  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rdata  0x8000           0x149a        0x1600    966a3835fd2d9407261ae78460c26dcc  False     0.43803267045454547  data       5.007075185851696  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .data   0xa000           0x2aff8       0x600     939516377e7577b622eb1ffdc4b5db4a  False     0.517578125          data       4.03532418489749   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .ndata  0x35000          0x10000       0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                    empty      0.0                IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .rsrc   0x45000          0x10d40       0x10e00   7bbd1f2fb3b11360c391d2f92105e8b7  False     0.7578559027777778   data       7.140371794785311  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            Name           RVA      Size    Type                                                                                Language  Country        ZLIB Complexity
            RT_ICON        0x45340  0xa1b0  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                         English   United States  0.9976323927328953
            RT_ICON        0x4f4f0  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 9600                    English   United States  0.3817427385892116
            RT_ICON        0x51a98  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 4224                    English   United States  0.4978893058161351
            RT_ICON        0x52b40  0xea8   Device independent bitmap graphic, 48 x 96 x 8, image size 2688                     English   United States  0.3744669509594883
            RT_ICON        0x539e8  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 1152                     English   United States  0.45126353790613716
            RT_ICON        0x54290  0x668   Device independent bitmap graphic, 48 x 96 x 4, image size 1536                     English   United States  0.43353658536585366
            RT_ICON        0x548f8  0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 320                      English   United States  0.5086705202312138
            RT_ICON        0x54e60  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 1088                    English   United States  0.6640070921985816
            RT_ICON        0x552c8  0x2e8   Device independent bitmap graphic, 32 x 64 x 4, image size 640                      English   United States  0.5389784946236559
            RT_ICON        0x555b0  0x128   Device independent bitmap graphic, 16 x 32 x 4, image size 192                      English   United States  0.6351351351351351
            RT_DIALOG      0x556d8  0x100   data                                                                                English   United States  0.5234375
            RT_DIALOG      0x557d8  0x11c   data                                                                                English   United States  0.6056338028169014
            RT_DIALOG      0x558f8  0x60    data                                                                                English   United States  0.7291666666666666
            RT_GROUP_ICON  0x55958  0x92    data                                                                                English   United States  0.6232876712328768
            RT_MANIFEST    0x559f0  0x349   XML 1.0 document, ASCII text, with very long lines (841), with no line terminators  English   United States  0.5517241379310345
            DLL           Imports
            KERNEL32.dll  SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
            USER32.dll    GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
            GDI32.dll     SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
            SHELL32.dll   SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
            ADVAPI32.dll  AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
            COMCTL32.dll  ImageList_Create, ImageList_AddMasked, ImageList_Destroy
            ole32.dll     OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
            Language of compilation system  Country where language is spoken
            English                         United States
            Timestamp                             Source Port  Dest Port  Source IP        Dest IP
            May 22, 2024 18:06:57.971183062 CEST  49731        80         192.168.2.4      163.171.128.150
            May 22, 2024 18:06:57.976280928 CEST  80           49731      163.171.128.150  192.168.2.4
            May 22, 2024 18:06:57.976356983 CEST  49731        80         192.168.2.4      163.171.128.150
            May 22, 2024 18:06:57.981725931 CEST  49731        80         192.168.2.4      163.171.128.150
            May 22, 2024 18:06:58.032262087 CEST  80           49731      163.171.128.150  192.168.2.4
            May 22, 2024 18:07:00.235943079 CEST  80           49731      163.171.128.150  192.168.2.4
            May 22, 2024 18:07:00.236167908 CEST  49731        80         192.168.2.4      163.171.128.150
            May 22, 2024 18:07:00.315388918 CEST  49732        80         192.168.2.4      47.252.97.212
            May 22, 2024 18:07:00.320439100 CEST  80           49732      47.252.97.212    192.168.2.4
            May 22, 2024 18:07:00.320518970 CEST  49732        80         192.168.2.4      47.252.97.212
            May 22, 2024 18:07:00.321517944 CEST  49732        80         192.168.2.4      47.252.97.212
            May 22, 2024 18:07:00.379908085 CEST  80           49732      47.252.97.212    192.168.2.4
            May 22, 2024 18:07:00.814599037 CEST  80           49732      47.252.97.212    192.168.2.4
            May 22, 2024 18:07:00.814964056 CEST  49732        80         192.168.2.4      47.252.97.212
            May 22, 2024 18:07:00.820382118 CEST  80           49732      47.252.97.212    192.168.2.4
            May 22, 2024 18:07:00.820452929 CEST  49732        80         192.168.2.4      47.252.97.212
            May 22, 2024 18:08:00.235618114 CEST  80           49731      163.171.128.150  192.168.2.4
            May 22, 2024 18:08:00.235713005 CEST  49731        80         192.168.2.4      163.171.128.150
            May 22, 2024 18:08:47.686907053 CEST  49731        80         192.168.2.4      163.171.128.150
            May 22, 2024 18:08:47.773823977 CEST  80           49731      163.171.128.150  192.168.2.4
            Timestamp                             Source Port  Dest Port  Source IP    Dest IP
            May 22, 2024 18:06:57.853413105 CEST  49152        53         192.168.2.4  1.1.1.1
            May 22, 2024 18:06:57.891168118 CEST  53           49152      1.1.1.1      192.168.2.4
            May 22, 2024 18:07:00.295173883 CEST  51266        53         192.168.2.4  1.1.1.1
            May 22, 2024 18:07:00.304367065 CEST  53           51266      1.1.1.1      192.168.2.4
            May 22, 2024 18:07:26.479660988 CEST  53           63150      1.1.1.1      192.168.2.4
            Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                                   Type            Class        DNS over HTTPS
            May 22, 2024 18:06:57.853413105 CEST  192.168.2.4  1.1.1.1  0x106b    Standard query (0)  track.easeus.com                       A (IP address)  IN (0x0001)  false
            May 22, 2024 18:07:00.295173883 CEST  192.168.2.4  1.1.1.1  0x28f2    Standard query (0)  easeusinfo.us-east-1.log.aliyuncs.com  A (IP address)  IN (0x0001)  false
            Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name                                   CName                          Address          Type                    Class        DNS over HTTPS
            May 22, 2024 18:06:57.891168118 CEST  1.1.1.1    192.168.2.4  0x106b    No error (0)  track.easeus.com                       track.easeus.com.whecloud.com  -                CNAME (Canonical name)  IN (0x0001)  false
            May 22, 2024 18:06:57.891168118 CEST  1.1.1.1    192.168.2.4  0x106b    No error (0)  track.easeus.com.whecloud.com          -                              163.171.128.150  A (IP address)          IN (0x0001)  false
            May 22, 2024 18:06:57.891168118 CEST  1.1.1.1    192.168.2.4  0x106b    No error (0)  track.easeus.com.whecloud.com          -                              163.171.128.241  A (IP address)          IN (0x0001)  false
            May 22, 2024 18:07:00.304367065 CEST  1.1.1.1    192.168.2.4  0x28f2    No error (0)  easeusinfo.us-east-1.log.aliyuncs.com  -                              47.252.97.212    A (IP address)          IN (0x0001)  false
            May 22, 2024 18:07:00.304367065 CEST  1.1.1.1    192.168.2.4  0x28f2    No error (0)  easeusinfo.us-east-1.log.aliyuncs.com  -                              47.252.97.15     A (IP address)          IN (0x0001)  false
            May 22, 2024 18:07:00.304367065 CEST  1.1.1.1    192.168.2.4  0x28f2    No error (0)  easeusinfo.us-east-1.log.aliyuncs.com  -                              47.252.97.9      A (IP address)          IN (0x0001)  false
            May 22, 2024 18:07:00.304367065 CEST  1.1.1.1    192.168.2.4  0x28f2    No error (0)  easeusinfo.us-east-1.log.aliyuncs.com  -                              47.252.97.13     A (IP address)          IN (0x0001)  false
            May 22, 2024 18:07:00.304367065 CEST  1.1.1.1    192.168.2.4  0x28f2    No error (0)  easeusinfo.us-east-1.log.aliyuncs.com  -                              47.252.97.12     A (IP address)          IN (0x0001)  false
            May 22, 2024 18:07:00.304367065 CEST  1.1.1.1    192.168.2.4  0x28f2    No error (0)  easeusinfo.us-east-1.log.aliyuncs.com  -                              47.252.97.8      A (IP address)          IN (0x0001)  false
            May 22, 2024 18:07:00.304367065 CEST  1.1.1.1    192.168.2.4  0x28f2    No error (0)  easeusinfo.us-east-1.log.aliyuncs.com  -                              47.252.97.10     A (IP address)          IN (0x0001)  false
            May 22, 2024 18:07:00.304367065 CEST  1.1.1.1    192.168.2.4  0x28f2    No error (0)  easeusinfo.us-east-1.log.aliyuncs.com  -                              47.252.97.14     A (IP address)          IN (0x0001)  false
            May 22, 2024 18:07:00.304367065 CEST  1.1.1.1    192.168.2.4  0x28f2    No error (0)  easeusinfo.us-east-1.log.aliyuncs.com  -                              47.252.97.11     A (IP address)          IN (0x0001)  false
            • track.easeus.com
            Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
            0           192.168.2.4  49731        163.171.128.150  80                7504  C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.exe
            Timestamp                             Bytes transferred  Direction  Data
            May 22, 2024 18:06:57.981725931 CEST  317                OUT        GET /product/index.php?c=main&a=getstatus&pid=2 HTTP/1.1
            Accept: */*
            Accept-Encoding: gzip, deflate
            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
            Host: track.easeus.com
            Connection: Keep-Alive
            May 22, 2024 18:07:00.235943079 CEST  330                IN         HTTP/1.1 200 OK
            Date: Wed, 22 May 2024 16:07:00 GMT
            Content-Type: text/html; charset=UTF-8
            Content-Length: 21
            Connection: keep-alive
            Server: Apache
            Content-Encoding: gzip
            X-Via: 1.1 luoshan65:1 (Cdn Cache Server V2.0), 1.1 fra13:1 (Cdn Cache Server V2.0)
            X-Ws-Request-Id: 664e1822_kf98_16929-13800
            Data Raw: 1f 8b 08 00 00 00 00 00 00 03 33 00 00 21 df db f4 01 00 00 00
            Data Ascii: 3!
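The getstatus reply above is a 21-byte gzip body (Content-Encoding: gzip, Content-Length: 21) that the report renders only as "3!". Decompressing it gives the single byte "0", and hashing that byte reproduces the MD5/SHA-1/SHA-256 the report lists for the 1-byte file AliyunWrapExe.exe dropped (MD5 CFCD2084...), so the dropped file is the stored server status. The script below is an added example, not code from the report or from EaseUS; the hex dump and the three hashes are copied from the report, everything else is mine.

```python
import gzip
import hashlib

# Bytes exactly as printed in the report's "Data Raw" line for the
# track.easeus.com response in session 0 (the full 21-byte gzip body).
GETSTATUS_BODY_HEX = (
    "1f 8b 08 00 00 00 00 00 00 03 33 00 00 21 df db f4 01 00 00 00"
)

# Hashes the report lists for the 1-byte file dropped by AliyunWrapExe.exe.
DROPPED_FILE_HASHES = {
    "md5": "cfcd208495d565ef66e7dff9f98764da",
    "sha1": "b6589fc6ab0dc82cf12099d1c2d40ab994e8410c",
    "sha256": "5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9",
}


def hex_dump_to_bytes(dump: str) -> bytes:
    """Turn a space-separated hex dump (the report's 'Data Raw' layout) into bytes."""
    return bytes.fromhex(dump.replace(" ", ""))


def decode_gzip_body(dump: str) -> bytes:
    """Decompress a gzip HTTP body given as a hex dump.

    gzip.decompress checks the CRC32/ISIZE trailer, so a mis-copied byte
    raises instead of silently yielding wrong plaintext.
    """
    return gzip.decompress(hex_dump_to_bytes(dump))


def hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of data, lower-case hex, keyed like the report."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def response_matches_dropped_file(dump: str, expected: dict) -> bool:
    """True when the decompressed body hashes to the dropped file's hashes."""
    return hashes(decode_gzip_body(dump)) == expected


if __name__ == "__main__":
    body = decode_gzip_body(GETSTATUS_BODY_HEX)
    print(body, response_matches_dropped_file(GETSTATUS_BODY_HEX, DROPPED_FILE_HASHES))
```

The same pattern applies to any sandbox capture where a response body is shown compressed: decompress, hash, and match against the dropped-file table before assuming a dropped file came from somewhere else.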


            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
            1           192.168.2.4  49732        47.252.97.212   80                7504  C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.exe
            Timestamp                             Bytes transferred  Direction  Data
            May 22, 2024 18:07:00.321517944 CEST  697                OUT        POST /logstores/logstore_drw_ip/shards/lb HTTP/1.1
            Host:easeusinfo.us-east-1.log.aliyuncs.com
            User-Agent: log-c-lite_0.1.0
            Accept: */*
            Content-Type:application/x-protobuf
            x-log-apiversion:0.6.0
            x-log-compresstype:lz4
            x-log-signaturemethod:hmac-sha1
            Date:Wed, 22 May 2024 16:06:59 GMT
            Content-MD5:A1955387E255B9FDEE28F34DF281DDF5
            Content-Length:248
            x-log-bodyrawsize:255
            Authorization:LOG LTAIBDHwLKKvsH19:wEJEW14HDW8fOSJPTmTMg59xCU0=
            Data Raw: f7 44 0a b7 01 08 a3 b0 b8 b2 06 12 17 0a 09 54 69 6d 65 73 74 61 6d 70 12 0a 31 37 31 36 33 39 34 30 31 35 12 17 0a 06 57 69 6e 64 6f 77 12 0d 57 65 62 5f 49 6e 73 74 61 6c 6c 65 72 12 20 0a 08 41 63 74 69 76 69 74 79 12 14 52 65 73 75 6c 74 5f 52 75 6e 22 00 f2 22 5b 0a 09 41 74 74 72 69 62 75 74 65 12 4e 7b 22 43 6f 75 6e 74 72 79 22 3a 22 53 77 69 74 7a 65 72 6c 61 6e 64 22 2c 22 50 61 67 65 69 64 22 3a 22 77 00 f0 00 33 39 31 36 33 38 31 39 62 31 35 33 22 2c 22 97 00 f0 48 7a 6f 6e 65 22 3a 22 47 4d 54 2d 30 35 3a 30 30 22 7d 1a 2e 53 2d 31 2d 35 2d 32 31 2d 32 32 34 36 31 32 32 36 35 38 2d 33 36 39 33 34 30 35 31 31 37 2d 32 34 37 36 37 35 36 36 33 34 2d 31 30 30 32 32 13 0a 0c 50 72 6f 64 75 63 74 00 62 61 64 20 12 03 64 72 77
            Data Ascii: DTimestamp1716394015WindowWeb_Installer ActivityResult_Run""[AttributeN{"Country":"Switzerland","Pageid":"w39163819b153","Hzone":"GMT-05:00"}.S-1-5-21-2246122658-3693405117-2476756634-10022Productbad drw
            May 22, 2024 18:07:00.814599037 CEST242INHTTP/1.1 200 OK
            Server: AliyunSLS
            Content-Length: 0
            Connection: keep-alive
            Access-Control-Allow-Origin: *
            Date: Wed, 22 May 2024 16:07:00 GMT
            x-log-append-meta: true
            x-log-time: 1716394020
            x-log-requestid: 664E1824168D3193949D30DC
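            The two captured bodies can be decoded offline from the Data Raw lines alone. The session 1 request is an Aliyun Log Service (SLS) LogGroup protobuf, LZ4 block-compressed (x-log-compresstype:lz4, raw size 255 per x-log-bodyrawsize); the session 0 response is a 21-byte gzip member. The script below is an added example, not code from the report or from EaseUS/Aliyun: it hand-writes a raw LZ4 block decoder and a minimal protobuf field reader (no third-party packages), uses the public SLS schema (LogGroup: Logs=1, Topic=3, Source=4; Log: Time=1, Contents=2; Content: Key=1, Value=2), and runs both on byte strings copied verbatim from the report. The LogGroup topic turns out to be the machine SID that InfoForSetup.exe received via /Uid, and the Activity and Attribute contents match its /SendInfo command line.

```python
"""Decode the two HTTP bodies captured in the sessions above (Python 3, stdlib only)."""
import gzip
import hashlib

# Session 0 response body (track.easeus.com getstatus), copied from the report's Data Raw line.
GETSTATUS_GZIP = bytes.fromhex("1f 8b 08 00 00 00 00 00 00 03 33 00 00 21 df db f4 01 00 00 00")

# Session 1 request body (Aliyun Log Service POST), copied from the report's Data Raw line.
SLS_BODY_LZ4 = bytes.fromhex(
    "f7 44 0a b7 01 08 a3 b0 b8 b2 06 12 17 0a 09 54 69 6d 65 73 74 61 6d 70 12 0a 31 37 31 36"
    " 33 39 34 30 31 35 12 17 0a 06 57 69 6e 64 6f 77 12 0d 57 65 62 5f 49 6e 73 74 61 6c 6c 65"
    " 72 12 20 0a 08 41 63 74 69 76 69 74 79 12 14 52 65 73 75 6c 74 5f 52 75 6e 22 00 f2 22 5b"
    " 0a 09 41 74 74 72 69 62 75 74 65 12 4e 7b 22 43 6f 75 6e 74 72 79 22 3a 22 53 77 69 74 7a"
    " 65 72 6c 61 6e 64 22 2c 22 50 61 67 65 69 64 22 3a 22 77 00 f0 00 33 39 31 36 33 38 31 39"
    " 62 31 35 33 22 2c 22 97 00 f0 48 7a 6f 6e 65 22 3a 22 47 4d 54 2d 30 35 3a 30 30 22 7d 1a"
    " 2e 53 2d 31 2d 35 2d 32 31 2d 32 32 34 36 31 32 32 36 35 38 2d 33 36 39 33 34 30 35 31 31"
    " 37 2d 32 34 37 36 37 35 36 36 33 34 2d 31 30 30 32 32 13 0a 0c 50 72 6f 64 75 63 74 00 62"
    " 61 64 20 12 03 64 72 77"
)


def lz4_block_decompress(src: bytes) -> bytes:
    """Decode one raw LZ4 block (no frame header): sequences of literals plus back-references."""
    out = bytearray()
    i = 0
    while i < len(src):
        token = src[i]
        i += 1
        lit_len = token >> 4
        if lit_len == 15:                      # extended literal length, 255-terminated bytes
            while True:
                b = src[i]
                i += 1
                lit_len += b
                if b != 255:
                    break
        out += src[i:i + lit_len]
        i += lit_len
        if i >= len(src):                      # final sequence carries literals only
            break
        offset = src[i] | (src[i + 1] << 8)
        i += 2
        match_len = (token & 0x0F) + 4
        if match_len == 19:                    # extended match length
            while True:
                b = src[i]
                i += 1
                match_len += b
                if b != 255:
                    break
        start = len(out) - offset
        if offset == 0 or start < 0:
            raise ValueError("corrupt LZ4 block: bad match offset")
        for k in range(match_len):             # byte-wise copy: matches may overlap themselves
            out.append(out[start + k])
    return bytes(out)


def _varint(buf: bytes, i: int):
    val = shift = 0
    while True:
        b = buf[i]
        i += 1
        val |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return val, i


def _fields(buf: bytes):
    """Yield (field_number, value) for varint and length-delimited protobuf fields."""
    i = 0
    while i < len(buf):
        key, i = _varint(buf, i)
        fnum, wtype = key >> 3, key & 7
        if wtype == 0:
            val, i = _varint(buf, i)
        elif wtype == 2:
            ln, i = _varint(buf, i)
            val, i = buf[i:i + ln], i + ln
        else:
            raise ValueError(f"unsupported wire type {wtype}")
        yield fnum, val


def parse_log_group(raw: bytes):
    """SLS LogGroup: Logs=1 (Log: Time=1, Contents=2 {Key=1, Value=2}), Topic=3, Source=4."""
    topic, source, logs = None, None, []
    for fnum, val in _fields(raw):
        if fnum == 1:
            t, kv = None, {}
            for f2, v2 in _fields(val):
                if f2 == 1:
                    t = v2
                elif f2 == 2:
                    pair = dict(_fields(v2))
                    kv[pair[1].decode()] = pair[2].decode()
            logs.append((t, kv))
        elif fnum == 3:
            topic = val.decode()
        elif fnum == 4:
            source = val                       # kept as bytes: not clean text in this capture
    return topic, source, logs


def decode_sls_body(body: bytes = SLS_BODY_LZ4):
    raw = lz4_block_decompress(body)
    md5 = hashlib.md5(body).hexdigest().upper()  # compare with the Content-MD5 request header
    return raw, md5, parse_log_group(raw)


def decode_getstatus(body: bytes = GETSTATUS_GZIP) -> bytes:
    return gzip.decompress(body)


if __name__ == "__main__":
    raw, md5, (topic, source, logs) = decode_sls_body()
    print(f"raw size {len(raw)}  md5 {md5}  topic {topic}")
    for t, kv in logs:
        print(t, kv)
    print("getstatus:", decode_getstatus())
```

            Two practitioner notes. First, the report's Data Ascii column only prints the printable bytes of the raw body, so "3!" above is gzip framing, not the response; the decompressed getstatus reply is "0". Second, the SLS Authorization scheme (x-log-signaturemethod:hmac-sha1, Authorization: LOG <AccessKeyId>:<signature>) requires the AccessKey secret on the signing side, so a client that produces this header carries that secret in the shipped binary.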


            Target ID:0
            Start time:12:06:52
            Start date:22/05/2024
            Path:C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\drw_free_installer.17163939163819b153.exe"
            Imagebase:0x400000
            File size:2'654'624 bytes
            MD5 hash:6E3BC255DC7B79E452C66610C741EB95
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Target ID:1
            Start time:12:06:52
            Start date:22/05/2024
            Path:C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe" EXEDIR=C:\Users\user\Desktop ||| EXENAME=drw_free_installer.17163939163819b153.exe ||| DOWNLOAD_VERSION=free ||| PRODUCT_VERSION=2.0.0 ||| INSTALL_TYPE=0
            Imagebase:0xf10000
            File size:1'263'112 bytes
            MD5 hash:8A250A75859FE52116E706A640E6D77C
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Antivirus matches:
            • Detection: 0%, ReversingLabs
            Reputation:low
            Has exited:false

            Target ID:2
            Start time:12:06:53
            Start date:22/05/2024
            Path:C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe
            Wow64 process (32bit):true
            Commandline: /Uid "S-1-5-21-2246122658-3693405117-2476756634-1002"
            Imagebase:0x340000
            File size:67'592 bytes
            MD5 hash:99891AAA0E15B2A514A4FF5C9EC03F4D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Antivirus matches:
            • Detection: 0%, ReversingLabs
            Reputation:low
            Has exited:true

            Target ID:3
            Start time:12:06:55
            Start date:22/05/2024
            Path:C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe
            Wow64 process (32bit):true
            Commandline: /SendInfo Window "Web_Installer" Activity "Result_Run_Installer" Attribute "{\"Country\":\"Switzerland\",\"Pageid\":\"17163939163819b153\",\"Timezone\":\"GMT-05:00\"}"
            Imagebase:0x340000
            File size:67'592 bytes
            MD5 hash:99891AAA0E15B2A514A4FF5C9EC03F4D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Target ID:4
            Start time:12:06:55
            Start date:22/05/2024
            Path:C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.exe
            Wow64 process (32bit):true
            Commandline:C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.Exe
            Imagebase:0xa30000
            File size:110'088 bytes
            MD5 hash:F3B9A2D94682FEE26FC079BA1E0FB040
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Antivirus matches:
            • Detection: 0%, ReversingLabs
            Reputation:low
            Has exited:false


              Execution Graph

              Execution Coverage:12.8%
              Dynamic/Decrypted Code Coverage:0%
              Signature Coverage:20.7%
              Total number of Nodes:1315
              Total number of Limit Nodes:18
              execution_graph: node/edge listing of the rendered call graph (function addresses in the 0x401000-0x406fff range with their resolved Win32 API calls, e.g. CreateDirectoryW, SetFileSecurityW, GetProcAddress, RegOpenKeyExW, ShellExecuteExW, CreateProcessW, ExitWindowsEx, AdjustTokenPrivileges, SetClipboardData); only viewable as the interactive graph in the original report.
3389->3392 3393 403b28 RegisterClassW 3389->3393 3390->3385 3394 403aaa lstrlenW 3390->3394 3398 405bbc CharNextW 3390->3398 3391->3389 3397 40140b 2 API calls 3392->3397 3395 4036fa 3393->3395 3396 403b5e SystemParametersInfoW CreateWindowExW 3393->3396 3399 403ab8 lstrcmpiW 3394->3399 3400 403ade 3394->3400 3395->3272 3396->3392 3401 403bad 3397->3401 3402 403aa7 3398->3402 3399->3400 3403 403ac8 GetFileAttributesW 3399->3403 3404 405b8f 3 API calls 3400->3404 3401->3395 3406 403c80 18 API calls 3401->3406 3402->3394 3405 403ad4 3403->3405 3407 403ae4 3404->3407 3405->3400 3408 405bdb 2 API calls 3405->3408 3409 403bbe 3406->3409 3464 4062ba lstrcpynW 3407->3464 3408->3400 3411 403bca ShowWindow 3409->3411 3412 403c4d 3409->3412 3414 406624 3 API calls 3411->3414 3465 4053f5 OleInitialize 3412->3465 3416 403be2 3414->3416 3415 403c53 3417 403c57 3415->3417 3418 403c6f 3415->3418 3419 403bf0 GetClassInfoW 3416->3419 3421 406624 3 API calls 3416->3421 3417->3395 3425 40140b 2 API calls 3417->3425 3420 40140b 2 API calls 3418->3420 3422 403c04 GetClassInfoW RegisterClassW 3419->3422 3423 403c1a DialogBoxParamW 3419->3423 3420->3395 3421->3419 3422->3423 3424 40140b 2 API calls 3423->3424 3426 403c42 3424->3426 3425->3395 3426->3395 3427->3275 3428->3308 3429->3313 3430->3315 3431->3327 3433 401389 2 API calls 3432->3433 3434 401420 3433->3434 3434->3278 3436 405dec GetTickCount GetTempFileNameW 3435->3436 3437 405e22 3436->3437 3438 40338d 3436->3438 3437->3436 3437->3438 3438->3262 3439->3344 3440->3346 3441->3350 3443 402e82 3442->3443 3444 402e9a 3442->3444 3445 402e92 3443->3445 3446 402e8b DestroyWindow 3443->3446 3447 402ea2 3444->3447 3448 402eaa GetTickCount 3444->3448 3445->3353 3446->3445 3449 4066d0 2 API calls 3447->3449 3450 402eb8 CreateDialogParamW ShowWindow 3448->3450 3451 402edb 3448->3451 3452 402ea8 3449->3452 3450->3451 3451->3353 3452->3353 3453->3361 3454->3360 3455->3378 3457 403c94 3456->3457 3472 406201 wsprintfW 3457->3472 3459 403d05 3473 
403d39 3459->3473 3461 403a35 3461->3383 3462 403d0a 3462->3461 3463 4062dc 17 API calls 3462->3463 3463->3462 3464->3385 3476 40427d 3465->3476 3467 405418 3471 40543f 3467->3471 3479 401389 3467->3479 3468 40427d SendMessageW 3469 405451 OleUninitialize 3468->3469 3469->3415 3471->3468 3472->3459 3474 4062dc 17 API calls 3473->3474 3475 403d47 SetWindowTextW 3474->3475 3475->3462 3477 404295 3476->3477 3478 404286 SendMessageW 3476->3478 3477->3467 3478->3477 3481 401390 3479->3481 3480 4013fe 3480->3467 3481->3480 3482 4013cb MulDiv SendMessageW 3481->3482 3482->3481 4054 40190f 4055 402c41 17 API calls 4054->4055 4056 401916 4055->4056 4057 405920 MessageBoxIndirectW 4056->4057 4058 40191f 4057->4058 4059 401491 4060 405322 24 API calls 4059->4060 4061 401498 4060->4061 4062 401d14 4063 402c1f 17 API calls 4062->4063 4064 401d1b 4063->4064 4065 402c1f 17 API calls 4064->4065 4066 401d27 GetDlgItem 4065->4066 4067 402592 4066->4067 4068 405296 4069 4052a6 4068->4069 4070 4052ba 4068->4070 4072 4052ac 4069->4072 4080 405303 4069->4080 4071 4052c2 IsWindowVisible 4070->4071 4078 4052d9 4070->4078 4073 4052cf 4071->4073 4071->4080 4075 40427d SendMessageW 4072->4075 4081 404bec SendMessageW 4073->4081 4074 405308 CallWindowProcW 4076 4052b6 4074->4076 4075->4076 4078->4074 4086 404c6c 4078->4086 4080->4074 4082 404c4b SendMessageW 4081->4082 4083 404c0f GetMessagePos ScreenToClient SendMessageW 4081->4083 4084 404c43 4082->4084 4083->4084 4085 404c48 4083->4085 4084->4078 4085->4082 4095 4062ba lstrcpynW 4086->4095 4088 404c7f 4096 406201 wsprintfW 4088->4096 4090 404c89 4091 40140b 2 API calls 4090->4091 4092 404c92 4091->4092 4097 4062ba lstrcpynW 4092->4097 4094 404c99 4094->4080 4095->4088 4096->4090 4097->4094 4098 402598 4099 4025c7 4098->4099 4100 4025ac 4098->4100 4102 4025fb 4099->4102 4103 4025cc 4099->4103 4101 402c1f 17 API calls 4100->4101 4108 4025b3 4101->4108 4105 402c41 17 API calls 4102->4105 4104 402c41 17 API calls 4103->4104 4106 4025d3 
WideCharToMultiByte lstrlenA 4104->4106 4107 402602 lstrlenW 4105->4107 4106->4108 4107->4108 4109 40262f 4108->4109 4110 402645 4108->4110 4112 405e91 5 API calls 4108->4112 4109->4110 4111 405e62 WriteFile 4109->4111 4111->4110 4112->4109 4113 404c9e GetDlgItem GetDlgItem 4114 404cf0 7 API calls 4113->4114 4121 404f09 4113->4121 4115 404d93 DeleteObject 4114->4115 4116 404d86 SendMessageW 4114->4116 4117 404d9c 4115->4117 4116->4115 4119 404dd3 4117->4119 4120 4062dc 17 API calls 4117->4120 4118 404fed 4123 405099 4118->4123 4133 405046 SendMessageW 4118->4133 4156 404efc 4118->4156 4122 404231 18 API calls 4119->4122 4125 404db5 SendMessageW SendMessageW 4120->4125 4121->4118 4124 404f7a 4121->4124 4131 404bec 5 API calls 4121->4131 4128 404de7 4122->4128 4126 4050a3 SendMessageW 4123->4126 4127 4050ab 4123->4127 4124->4118 4130 404fdf SendMessageW 4124->4130 4125->4117 4126->4127 4135 4050c4 4127->4135 4136 4050bd ImageList_Destroy 4127->4136 4147 4050d4 4127->4147 4132 404231 18 API calls 4128->4132 4129 404298 8 API calls 4134 40528f 4129->4134 4130->4118 4131->4124 4137 404df5 4132->4137 4139 40505b SendMessageW 4133->4139 4133->4156 4140 4050cd GlobalFree 4135->4140 4135->4147 4136->4135 4141 404eca GetWindowLongW SetWindowLongW 4137->4141 4149 404ec4 4137->4149 4152 404e45 SendMessageW 4137->4152 4153 404e81 SendMessageW 4137->4153 4154 404e92 SendMessageW 4137->4154 4138 405243 4143 405255 ShowWindow GetDlgItem ShowWindow 4138->4143 4138->4156 4142 40506e 4139->4142 4140->4147 4144 404ee3 4141->4144 4148 40507f SendMessageW 4142->4148 4143->4156 4145 404f01 4144->4145 4146 404ee9 ShowWindow 4144->4146 4165 404266 SendMessageW 4145->4165 4164 404266 SendMessageW 4146->4164 4147->4138 4155 404c6c 4 API calls 4147->4155 4160 40510f 4147->4160 4148->4123 4149->4141 4149->4144 4152->4137 4153->4137 4154->4137 4155->4160 4156->4129 4157 405219 InvalidateRect 4157->4138 4158 40522f 4157->4158 4166 404ba7 4158->4166 4159 40513d SendMessageW 4163 405153 4159->4163 
4160->4159 4160->4163 4162 4051c7 SendMessageW SendMessageW 4162->4163 4163->4157 4163->4162 4164->4156 4165->4121 4169 404ade 4166->4169 4168 404bbc 4168->4138 4170 404af7 4169->4170 4171 4062dc 17 API calls 4170->4171 4172 404b5b 4171->4172 4173 4062dc 17 API calls 4172->4173 4174 404b66 4173->4174 4175 4062dc 17 API calls 4174->4175 4176 404b7c lstrlenW wsprintfW SetDlgItemTextW 4175->4176 4176->4168 4177 40149e 4178 4022f7 4177->4178 4179 4014ac PostQuitMessage 4177->4179 4179->4178 4180 401c1f 4181 402c1f 17 API calls 4180->4181 4182 401c26 4181->4182 4183 402c1f 17 API calls 4182->4183 4184 401c33 4183->4184 4185 401c48 4184->4185 4186 402c41 17 API calls 4184->4186 4187 401c58 4185->4187 4188 402c41 17 API calls 4185->4188 4186->4185 4189 401c63 4187->4189 4190 401caf 4187->4190 4188->4187 4192 402c1f 17 API calls 4189->4192 4191 402c41 17 API calls 4190->4191 4193 401cb4 4191->4193 4194 401c68 4192->4194 4195 402c41 17 API calls 4193->4195 4196 402c1f 17 API calls 4194->4196 4197 401cbd FindWindowExW 4195->4197 4198 401c74 4196->4198 4201 401cdf 4197->4201 4199 401c81 SendMessageTimeoutW 4198->4199 4200 401c9f SendMessageW 4198->4200 4199->4201 4200->4201 4202 402aa0 SendMessageW 4203 402aba InvalidateRect 4202->4203 4204 402ac5 4202->4204 4203->4204 4205 402821 4206 402827 4205->4206 4207 402ac5 4206->4207 4208 40282f FindClose 4206->4208 4208->4207 4209 4043a1 lstrlenW 4210 4043c0 4209->4210 4211 4043c2 WideCharToMultiByte 4209->4211 4210->4211 4212 404722 4213 40474e 4212->4213 4214 40475f 4212->4214 4273 405904 GetDlgItemTextW 4213->4273 4216 40476b GetDlgItem 4214->4216 4222 4047ca 4214->4222 4218 40477f 4216->4218 4217 404759 4220 40654e 5 API calls 4217->4220 4221 404793 SetWindowTextW 4218->4221 4229 405c3a 4 API calls 4218->4229 4219 4048ae 4223 404a5d 4219->4223 4275 405904 GetDlgItemTextW 4219->4275 4220->4214 4225 404231 18 API calls 4221->4225 4222->4219 4222->4223 4226 4062dc 17 API calls 4222->4226 4228 404298 8 API calls 4223->4228 4230 
4047af 4225->4230 4231 40483e SHBrowseForFolderW 4226->4231 4227 4048de 4232 405c97 18 API calls 4227->4232 4233 404a71 4228->4233 4234 404789 4229->4234 4235 404231 18 API calls 4230->4235 4231->4219 4236 404856 CoTaskMemFree 4231->4236 4237 4048e4 4232->4237 4234->4221 4240 405b8f 3 API calls 4234->4240 4238 4047bd 4235->4238 4239 405b8f 3 API calls 4236->4239 4276 4062ba lstrcpynW 4237->4276 4274 404266 SendMessageW 4238->4274 4242 404863 4239->4242 4240->4221 4245 40489a SetDlgItemTextW 4242->4245 4249 4062dc 17 API calls 4242->4249 4244 4047c3 4247 406694 5 API calls 4244->4247 4245->4219 4246 4048fb 4248 406694 5 API calls 4246->4248 4247->4222 4256 404902 4248->4256 4250 404882 lstrcmpiW 4249->4250 4250->4245 4253 404893 lstrcatW 4250->4253 4251 404943 4277 4062ba lstrcpynW 4251->4277 4253->4245 4254 40494a 4255 405c3a 4 API calls 4254->4255 4257 404950 GetDiskFreeSpaceW 4255->4257 4256->4251 4259 405bdb 2 API calls 4256->4259 4261 40499b 4256->4261 4260 404974 MulDiv 4257->4260 4257->4261 4259->4256 4260->4261 4262 404a0c 4261->4262 4263 404ba7 20 API calls 4261->4263 4264 404a2f 4262->4264 4266 40140b 2 API calls 4262->4266 4265 4049f9 4263->4265 4278 404253 EnableWindow 4264->4278 4268 404a0e SetDlgItemTextW 4265->4268 4269 4049fe 4265->4269 4266->4264 4268->4262 4271 404ade 20 API calls 4269->4271 4270 404a4b 4270->4223 4272 40467b SendMessageW 4270->4272 4271->4262 4272->4223 4273->4217 4274->4244 4275->4227 4276->4246 4277->4254 4278->4270 4279 4015a3 4280 402c41 17 API calls 4279->4280 4281 4015aa SetFileAttributesW 4280->4281 4282 4015bc 4281->4282 4283 4028ad 4284 402c41 17 API calls 4283->4284 4286 4028bb 4284->4286 4285 4028d1 4288 405d8b 2 API calls 4285->4288 4286->4285 4287 402c41 17 API calls 4286->4287 4287->4285 4289 4028d7 4288->4289 4311 405db0 GetFileAttributesW CreateFileW 4289->4311 4291 4028e4 4292 4028f0 GlobalAlloc 4291->4292 4293 402987 4291->4293 4294 402909 4292->4294 4295 40297e CloseHandle 4292->4295 4296 4029a2 4293->4296 4297 
40298f DeleteFileW 4293->4297 4312 403347 SetFilePointer 4294->4312 4295->4293 4297->4296 4299 40290f 4300 403331 ReadFile 4299->4300 4301 402918 GlobalAlloc 4300->4301 4302 402928 4301->4302 4303 40295c 4301->4303 4305 403116 31 API calls 4302->4305 4304 405e62 WriteFile 4303->4304 4306 402968 GlobalFree 4304->4306 4309 402935 4305->4309 4307 403116 31 API calls 4306->4307 4310 40297b 4307->4310 4308 402953 GlobalFree 4308->4303 4309->4308 4310->4295 4311->4291 4312->4299 4313 401a30 4314 402c41 17 API calls 4313->4314 4315 401a39 ExpandEnvironmentStringsW 4314->4315 4316 401a4d 4315->4316 4318 401a60 4315->4318 4317 401a52 lstrcmpW 4316->4317 4316->4318 4317->4318 4319 402032 4320 402044 4319->4320 4321 4020f6 4319->4321 4322 402c41 17 API calls 4320->4322 4323 401423 24 API calls 4321->4323 4324 40204b 4322->4324 4325 402250 4323->4325 4326 402c41 17 API calls 4324->4326 4327 402054 4326->4327 4328 40206a LoadLibraryExW 4327->4328 4329 40205c GetModuleHandleW 4327->4329 4328->4321 4330 40207b 4328->4330 4329->4328 4329->4330 4339 406703 WideCharToMultiByte 4330->4339 4333 4020c5 4335 405322 24 API calls 4333->4335 4334 40208c 4336 401423 24 API calls 4334->4336 4337 40209c 4334->4337 4335->4337 4336->4337 4337->4325 4338 4020e8 FreeLibrary 4337->4338 4338->4325 4340 40672d GetProcAddress 4339->4340 4341 402086 4339->4341 4340->4341 4341->4333 4341->4334 4347 401735 4348 402c41 17 API calls 4347->4348 4349 40173c SearchPathW 4348->4349 4350 401757 4349->4350 4351 402a35 4352 402c1f 17 API calls 4351->4352 4353 402a3b 4352->4353 4354 402a72 4353->4354 4356 40288b 4353->4356 4357 402a4d 4353->4357 4355 4062dc 17 API calls 4354->4355 4354->4356 4355->4356 4357->4356 4359 406201 wsprintfW 4357->4359 4359->4356 4360 4014b8 4361 4014be 4360->4361 4362 401389 2 API calls 4361->4362 4363 4014c6 4362->4363 4364 401db9 GetDC 4365 402c1f 17 API calls 4364->4365 4366 401dcb GetDeviceCaps MulDiv ReleaseDC 4365->4366 4367 402c1f 17 API calls 4366->4367 4368 401dfc 4367->4368 
4369 4062dc 17 API calls 4368->4369 4370 401e39 CreateFontIndirectW 4369->4370 4371 402592 4370->4371 4372 40283b 4373 402843 4372->4373 4374 402847 FindNextFileW 4373->4374 4377 402859 4373->4377 4375 4028a0 4374->4375 4374->4377 4378 4062ba lstrcpynW 4375->4378 4378->4377

              Control-flow Graph for function 0040338F (rendered graph with executed / not-executed colouring not reproduced here)
              APIs
              • SetErrorMode.KERNELBASE ref: 004033B2
              • GetVersion.KERNEL32 ref: 004033B8
              • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033EB
              • #17.COMCTL32(?,00000006,00000008,0000000A), ref: 00403428
              • OleInitialize.OLE32(00000000), ref: 0040342F
              • SHGetFileInfoW.SHELL32(0042B208,00000000,?,000002B4,00000000), ref: 0040344B
              • GetCommandLineW.KERNEL32(downloader_easeus 2.0.0 Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 00403460
              • CharNextW.USER32(00000000,0043F000,00000020,0043F000,00000000,?,00000006,00000008,0000000A), ref: 00403498
                • Part of subcall function 00406694: GetModuleHandleA.KERNEL32(?,00000020,?,00403401,0000000A), ref: 004066A6
                • Part of subcall function 00406694: GetProcAddress.KERNEL32(00000000,?), ref: 004066C1
              • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004035D2
              • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004035E3
              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004035EF
              • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403603
              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 0040360B
              • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 0040361C
              • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403624
              • DeleteFileW.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 00403638
                • Part of subcall function 004062BA: lstrcpynW.KERNEL32(?,?,00000400,00403460,downloader_easeus 2.0.0 Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 004062C7
              • ExitProcess.KERNEL32(00000006,?,00000006,00000008,0000000A), ref: 004036FE
              • OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 00403703
              • ExitProcess.KERNEL32 ref: 00403724
              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403737
              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C), ref: 00403746
              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403751
              • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,0043F000,00000000,00000006,?,00000006,00000008,0000000A), ref: 0040375D
              • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403779
              • DeleteFileW.KERNEL32(0042AA08,0042AA08,?,00435000,00000008,?,00000006,00000008,0000000A), ref: 004037D3
              • CopyFileW.KERNEL32(00442800,0042AA08,00000001,?,00000006,00000008,0000000A), ref: 004037E7
              • CloseHandle.KERNEL32(00000000,0042AA08,0042AA08,?,0042AA08,00000000,?,00000006,00000008,0000000A), ref: 00403814
              • GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 00403843
              • OpenProcessToken.ADVAPI32(00000000), ref: 0040384A
              • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040385F
              • AdjustTokenPrivileges.ADVAPI32 ref: 00403882
              • ExitWindowsEx.USER32(00000002,80040002), ref: 004038A7
              • ExitProcess.KERNEL32 ref: 004038CA
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1643001405.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1642970890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643035849.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.000000000040A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000431000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000436000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000440000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643187214.0000000000445000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_drw_free_installer.jbxd
              Similarity
              • API ID: Processlstrcat$ExitFile$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
              • String ID: .tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free$C:\Users\user\Desktop$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$downloader_easeus 2.0.0 Setup$~nsu
              • API String ID: 424501083-3762088908
              • Opcode ID: e25c0d018259e07605f9805bbd7d976b452919055f5c700ceff59a909ae8efef
              • Instruction ID: 34b402965a056e7880f406cddf034ee68ffb155d70387f36a3cc73b0da0a8952
              • Opcode Fuzzy Hash: e25c0d018259e07605f9805bbd7d976b452919055f5c700ceff59a909ae8efef
              • Instruction Fuzzy Hash: FBD11571500310ABE720BF659D45B2B3AACEB4074AF10447FF881B62E1DBBD9E45876E

              Control-flow Graph for function 004065FD (rendered graph with executed / not-executed colouring not reproduced here)
              APIs
              • FindFirstFileW.KERNELBASE(?,00430298,0042FA50,00405CE0,0042FA50,0042FA50,00000000,0042FA50,0042FA50,?,?,74DF3420,004059EC,?,C:\Users\user\AppData\Local\Temp\,74DF3420), ref: 00406608
              • FindClose.KERNEL32(00000000), ref: 00406614
              Memory Dump Source
              • Source File: 00000000.00000002.1643001405.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_drw_free_installer.jbxd
              Similarity
              • API ID: Find$CloseFileFirst
              • String ID:
              • API String ID: 2295610775-0
              • Opcode ID: 09a722932e0a1bea88283b0440f714d8f88131f4b1bd488506181814d844a3ce
              • Instruction ID: 1ab566c2093321911261fd6ef708f8cedd572ce36bb67071c96f4f7979b88ecc
              • Opcode Fuzzy Hash: 09a722932e0a1bea88283b0440f714d8f88131f4b1bd488506181814d844a3ce
              • Instruction Fuzzy Hash: 3AD012315051205BC3401B386E0C85B7A599F55331B159F37F86AF51E0DB758C72869C

              Control-flow Graph for function 004039AA (rendered graph with executed / not-executed colouring not reproduced here)
              APIs
                • Part of subcall function 00406694: GetModuleHandleA.KERNEL32(?,00000020,?,00403401,0000000A), ref: 004066A6
                • Part of subcall function 00406694: GetProcAddress.KERNEL32(00000000,?), ref: 004066C1
              • GetUserDefaultUILanguage.KERNELBASE(00000002,C:\Users\user\AppData\Local\Temp\,74DF3420,0043F000,00000000), ref: 004039C4
                • Part of subcall function 00406201: wsprintfW.USER32 ref: 0040620E
              • lstrcatW.KERNEL32(1033,0042D248), ref: 00403A2B
              • lstrlenW.KERNEL32("C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe" EXEDIR=C:\Users\user\Desktop ||| EXENAME=drw_fr,?,?,?,"C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe" EXEDIR=C:\Users\user\Desktop ||| EXENAME=drw_fr,00000000,0043F800,1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403AAB
              • lstrcmpiW.KERNEL32(?,.exe,"C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe" EXEDIR=C:\Users\user\Desktop ||| EXENAME=drw_fr,?,?,?,"C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe" EXEDIR=C:\Users\user\Desktop ||| EXENAME=drw_fr,00000000,0043F800,1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000), ref: 00403ABE
              • GetFileAttributesW.KERNEL32("C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe" EXEDIR=C:\Users\user\Desktop ||| EXENAME=drw_fr), ref: 00403AC9
              • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,0043F800), ref: 00403B12
              • RegisterClassW.USER32(00433E80), ref: 00403B4F
              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B67
              • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B9C
              • ShowWindow.USER32(00000005,00000000), ref: 00403BD2
              • GetClassInfoW.USER32(00000000,RichEdit20W,00433E80), ref: 00403BFE
              • GetClassInfoW.USER32(00000000,RichEdit,00433E80), ref: 00403C0B
              • RegisterClassW.USER32(00433E80), ref: 00403C14
              • DialogBoxParamW.USER32(?,00000000,00403D58,00000000), ref: 00403C33
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1643001405.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_drw_free_installer.jbxd
              Similarity
              • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
              • String ID: "C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe" EXEDIR=C:\Users\user\Desktop ||| EXENAME=drw_fr$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
              • API String ID: 606308-828663631

              Control-flow Graph: entry block 402edd-402f2b (GetTickCount, GetModuleFileNameW, call 405db0); graph rendering omitted
              APIs
              • GetTickCount.KERNEL32 ref: 00402EEE
              • GetModuleFileNameW.KERNEL32(00000000,00442800,00000400,?,00000006,00000008,0000000A), ref: 00402F0A
                • Part of subcall function 00405DB0: GetFileAttributesW.KERNELBASE(00442800,00402F1D,00442800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405DB4
                • Part of subcall function 00405DB0: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DD6
              • GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,00442800,00442800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00402F56
              Similarity
              • API ID: File$AttributesCountCreateModuleNameSizeTick
              • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
              • API String ID: 4283519449-2162933095

              Control-flow Graph: entry block 40176f-401794 (call 402c41, call 405c06); graph rendering omitted
              APIs
              • lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
              • CompareFileTime.KERNEL32(-00000014,?,"C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe" EXEDIR=C:\Users\user\Desktop ||| EXENAME=drw_fr,"C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe" EXEDIR=C:\Users\user\Desktop ||| EXENAME=drw_fr,00000000,00000000,"C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe" EXEDIR=C:\Users\user\Desktop ||| EXENAME=drw_fr,C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free,?,?,00000031), ref: 004017D5
                • Part of subcall function 004062BA: lstrcpynW.KERNEL32(?,?,00000400,00403460,downloader_easeus 2.0.0 Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 004062C7
                • Part of subcall function 00405322: lstrlenW.KERNEL32(0042C228,00000000,0041BEF6,74DF23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000,?), ref: 0040535A
                • Part of subcall function 00405322: lstrlenW.KERNEL32(0040327A,0042C228,00000000,0041BEF6,74DF23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000), ref: 0040536A
                • Part of subcall function 00405322: lstrcatW.KERNEL32(0042C228,0040327A), ref: 0040537D
                • Part of subcall function 00405322: SetWindowTextW.USER32(0042C228,0042C228), ref: 0040538F
                • Part of subcall function 00405322: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004053B5
                • Part of subcall function 00405322: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053CF
                • Part of subcall function 00405322: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053DD
              Similarity
              • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
              • String ID: "C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe" EXEDIR=C:\Users\user\Desktop ||| EXENAME=drw_fr$C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free$C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free
              • API String ID: 1941528284-3037119332

              Control-flow Graph: entry block 403116-40312d; graph rendering omitted
              Similarity
              • API ID: CountTick$wsprintf
              • String ID: ... %d%%$yA$@
              • API String ID: 551687249-95529746

              Control-flow Graph: entry block 406624-406644 (GetSystemDirectoryW); graph rendering omitted
              APIs
              • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040663B
              • wsprintfW.USER32 ref: 00406676
              • LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 0040668A
              Similarity
              • API ID: DirectoryLibraryLoadSystemwsprintf
              • String ID: %s%S.dll$UXTHEME$\
              • API String ID: 2200240437-1946221925

              Control-flow Graph: entry block 405ddf-405deb; graph rendering omitted
              APIs
              • GetTickCount.KERNEL32 ref: 00405DFD
              • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,0043F000,0040338D,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,004035D9), ref: 00405E18
              Similarity
              • API ID: CountFileNameTempTick
              • String ID: C:\Users\user\AppData\Local\Temp\$nsa
              • API String ID: 1716503409-678247507

              Control-flow Graph: entry block 4015c1-4015d5 (call 402c41, call 405c3a); graph rendering omitted
              APIs
                • Part of subcall function 00405C3A: CharNextW.USER32(?,?,0042FA50,?,00405CAE,0042FA50,0042FA50,?,?,74DF3420,004059EC,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 00405C48
                • Part of subcall function 00405C3A: CharNextW.USER32(00000000), ref: 00405C4D
                • Part of subcall function 00405C3A: CharNextW.USER32(00000000), ref: 00405C65
              • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                • Part of subcall function 004057F1: CreateDirectoryW.KERNEL32(?,?,00000000), ref: 00405834
              • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free,?,00000000,000000F0), ref: 0040164D
              Strings
              • C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free, xrefs: 00401640
              Similarity
              • API ID: CharNext$Directory$AttributesCreateCurrentFile
              • String ID: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free
              • API String ID: 1892508949-120379331

              Control-flow Graph: entry block 4058a3-4058d4 (CreateProcessW); graph rendering omitted
              APIs
              • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430250,Error launching installer), ref: 004058CC
              • CloseHandle.KERNEL32(?), ref: 004058D9
              Strings
              • Error launching installer, xrefs: 004058B6
              Similarity
              • API ID: CloseCreateHandleProcess
              • String ID: Error launching installer
              • API String ID: 3712363035-66219284

              Control-flow Graph: entry block 401b77-401b82; graph rendering omitted
              APIs
              • GlobalFree.KERNEL32(00000000), ref: 00401BE7
              • GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401BF9
              Strings
              • "C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe" EXEDIR=C:\Users\user\Desktop ||| EXENAME=drw_fr, xrefs: 00401B9E, 00401BA4, 00401BBE
              Similarity
              • API ID: Global$AllocFree
              • String ID: "C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe" EXEDIR=C:\Users\user\Desktop ||| EXENAME=drw_fr
              • API String ID: 3394109436-944021693

              Control-flow Graph: entry block 401389-40138e; graph rendering omitted
              APIs
              • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
              • SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
              Similarity
              • API ID: MessageSend
              • String ID:
              • API String ID: 3850602802-0

              Control-flow Graph: entry block 406694-4066ae (GetModuleHandleA); graph rendering omitted
              APIs
              • GetModuleHandleA.KERNEL32(?,00000020,?,00403401,0000000A), ref: 004066A6
              • GetProcAddress.KERNEL32(00000000,?), ref: 004066C1
                • Part of subcall function 00406624: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040663B
                • Part of subcall function 00406624: wsprintfW.USER32 ref: 00406676
                • Part of subcall function 00406624: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 0040668A
              Similarity
              • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
              • String ID:
              • API String ID: 2547128583-0
              • Opcode ID: c77725e8978f6dbc308834741f2b8f5018f4a929a6ea22720db737a721ff7b5c
              • Instruction ID: 155b38c425e345f43688a0673e138072f65e923c2ca09dacbbabb210d44f0fbf
              • Opcode Fuzzy Hash: c77725e8978f6dbc308834741f2b8f5018f4a929a6ea22720db737a721ff7b5c
              • Instruction Fuzzy Hash: 50E0863250461156D31197709E4487762EC9B95750307483EF946F2091DB399C36A66D

              Control-flow Graph

              control_flow_graph 512 405db0-405ddc GetFileAttributesW CreateFileW
              APIs
              • GetFileAttributesW.KERNELBASE(00442800,00402F1D,00442800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405DB4
              • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DD6
              Memory Dump Source
              • Source File: 00000000.00000002.1643001405.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1642970890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643035849.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.000000000040A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000431000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000436000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000440000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643187214.0000000000445000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_drw_free_installer.jbxd
              Similarity
              • API ID: File$AttributesCreate
              • String ID:
              • API String ID: 415043291-0
              • Opcode ID: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
              • Instruction ID: 684cdbd871a87963be1dc25f749e3f1c2e3aca1a790447dc63e6e481d8426dbe
              • Opcode Fuzzy Hash: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
              • Instruction Fuzzy Hash: 5DD09E31254301AFEF098F20DE16F2EBBA2EB84B05F11552CB786940E0DA7158199B15

              Control-flow Graph

              control_flow_graph 517 40586e-40587c CreateDirectoryW 518 405882 GetLastError 517->518 519 40587e-405880 517->519 520 405888 518->520 519->520
              APIs
              • CreateDirectoryW.KERNELBASE(?,00000000,00403382,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,004035D9,?,00000006,00000008,0000000A), ref: 00405874
              • GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 00405882
              Memory Dump Source
              • Source File: 00000000.00000002.1643001405.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1642970890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643035849.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.000000000040A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000431000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000436000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000440000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643187214.0000000000445000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_drw_free_installer.jbxd
              Similarity
              • API ID: CreateDirectoryErrorLast
              • String ID:
              • API String ID: 1375471231-0
              • Opcode ID: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
              • Instruction ID: b5712d1dc6f90c91938fb9970759bfac189bcafefc635788875416fd9ee2894b
              • Opcode Fuzzy Hash: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
              • Instruction Fuzzy Hash: 2FC04C712155019ED7546F619F08B277A50EB60781F158839A946E10E0DB348465ED2D
              APIs
              • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,004032FA,000000FF,00416A00,?,00416A00,?,?,00000004,00000000), ref: 00405E76
              Memory Dump Source
              • Source File: 00000000.00000002.1643001405.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1642970890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643035849.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.000000000040A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000431000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000436000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000440000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643187214.0000000000445000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_drw_free_installer.jbxd
              Similarity
              • API ID: FileWrite
              • String ID:
              • API String ID: 3934441357-0
              • Opcode ID: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
              • Instruction ID: 8754e0b6f25d564075f0081c534dd79b85a2df0f0bc88b3642164a4a3ec1e455
              • Opcode Fuzzy Hash: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
              • Instruction Fuzzy Hash: FDE0B63221065AAFDF109F95DC00AAB7B6CEB052A0F044437FD59E7150D671EA21DAE4
              APIs
              • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,00403344,00000000,00000000,00403168,?,00000004,00000000,00000000,00000000), ref: 00405E47
              Memory Dump Source
              • Source File: 00000000.00000002.1643001405.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1642970890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643035849.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.000000000040A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000431000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000436000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000440000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643187214.0000000000445000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_drw_free_installer.jbxd
              Similarity
              • API ID: FileRead
              • String ID:
              • API String ID: 2738559852-0
              • Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
              • Instruction ID: bd732019988057c431ec21c3a2c50b1292625b962aa4d7912315599e48db2a91
              • Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
              • Instruction Fuzzy Hash: A9E08C3220021AABCF20AF54DC00FEB3B6CEB05760F004832FD65E6040E230EA219BE8
              APIs
              • SetFilePointer.KERNELBASE(?,00000000,00000000,004030A4,?,?,00000006,00000008,0000000A), ref: 00403355
              Memory Dump Source
              • Source File: 00000000.00000002.1643001405.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1642970890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643035849.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.000000000040A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000431000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000436000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000440000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643187214.0000000000445000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_drw_free_installer.jbxd
              Similarity
              • API ID: FilePointer
              • String ID:
              • API String ID: 973152223-0
              • Opcode ID: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
              • Instruction ID: c7266a3154837caca095f11e7777f6dda2278cbf6cff4ee7664d3894fc3aa091
              • Opcode Fuzzy Hash: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
              • Instruction Fuzzy Hash: ECB01271240300BFDA214F00DF09F057B21AB90700F10C034B348380F086711035EB0D
              APIs
                • Part of subcall function 00405322: lstrlenW.KERNEL32(0042C228,00000000,0041BEF6,74DF23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000,?), ref: 0040535A
                • Part of subcall function 00405322: lstrlenW.KERNEL32(0040327A,0042C228,00000000,0041BEF6,74DF23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000), ref: 0040536A
                • Part of subcall function 00405322: lstrcatW.KERNEL32(0042C228,0040327A), ref: 0040537D
                • Part of subcall function 00405322: SetWindowTextW.USER32(0042C228,0042C228), ref: 0040538F
                • Part of subcall function 00405322: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004053B5
                • Part of subcall function 00405322: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053CF
                • Part of subcall function 00405322: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053DD
                • Part of subcall function 004058A3: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430250,Error launching installer), ref: 004058CC
                • Part of subcall function 004058A3: CloseHandle.KERNEL32(?), ref: 004058D9
              • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401F4D
                • Part of subcall function 00406745: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406756
                • Part of subcall function 00406745: GetExitCodeProcess.KERNEL32(?,?), ref: 00406778
                • Part of subcall function 00406201: wsprintfW.USER32 ref: 0040620E
              Memory Dump Source
              • Source File: 00000000.00000002.1643001405.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1642970890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643035849.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.000000000040A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000431000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000436000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000440000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643187214.0000000000445000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_drw_free_installer.jbxd
              Similarity
              • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
              • String ID:
              • API String ID: 2972824698-0
              • Opcode ID: 5a28121f2258d33dec22efc4f0f8398db0f945c4b774a67d481a18083085a5c0
              • Instruction ID: 9073c6adce58ff193a4fc3832a7f1d33e0b572ffc6e746f3319226a0f770ccba
              • Opcode Fuzzy Hash: 5a28121f2258d33dec22efc4f0f8398db0f945c4b774a67d481a18083085a5c0
              • Instruction Fuzzy Hash: 24F0F0329090219BDB20FBA189885DE72A49F44318B2441BBF902B20D1CBBC0E409A6E
              APIs
              • CloseHandle.KERNEL32(FFFFFFFF,00403703,00000006,?,00000006,00000008,0000000A), ref: 004038DB
              Memory Dump Source
              • Source File: 00000000.00000002.1643001405.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1642970890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643035849.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.000000000040A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000431000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000436000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000440000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643187214.0000000000445000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_drw_free_installer.jbxd
              Similarity
              • API ID: CloseHandle
              • String ID:
              • API String ID: 2962429428-0
              • Opcode ID: e8572cf52f1277920d32385407c6d748d2cc2d24b6f11499ea36587d3a9df684
              • Instruction ID: 1d93f2d4e3952ef003524c02ff0619ab5efb0f82ec005edec18b282fc718bfed
              • Opcode Fuzzy Hash: e8572cf52f1277920d32385407c6d748d2cc2d24b6f11499ea36587d3a9df684
              • Instruction Fuzzy Hash: C7C0127054070496D1206F749E4F6193E54AB8173ABA04336B0B8B00F1C77C4A59555E
              APIs
              • GetDlgItem.USER32(?,00000403), ref: 004054BF
              • GetDlgItem.USER32(?,000003EE), ref: 004054CE
              • GetClientRect.USER32(?,?), ref: 0040550B
              • GetSystemMetrics.USER32(00000002), ref: 00405512
              • SendMessageW.USER32(?,00001061,00000000,?), ref: 00405533
              • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405544
              • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405557
              • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405565
              • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405578
              • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040559A
              • ShowWindow.USER32(?,00000008), ref: 004055AE
              • GetDlgItem.USER32(?,000003EC), ref: 004055CF
              • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004055DF
              • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004055F8
              • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405604
              • GetDlgItem.USER32(?,000003F8), ref: 004054DD
                • Part of subcall function 00404266: SendMessageW.USER32(00000028,?,00000001,00404091), ref: 00404274
              • GetDlgItem.USER32(?,000003EC), ref: 00405621
              • CreateThread.KERNEL32(00000000,00000000,Function_000053F5,00000000), ref: 0040562F
              • CloseHandle.KERNEL32(00000000), ref: 00405636
              • ShowWindow.USER32(00000000), ref: 0040565A
              • ShowWindow.USER32(00000000,00000008), ref: 0040565F
              • ShowWindow.USER32(00000008), ref: 004056A9
              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004056DD
              • CreatePopupMenu.USER32 ref: 004056EE
              • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405702
              • GetWindowRect.USER32(?,?), ref: 00405722
              • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040573B
              • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405773
              • OpenClipboard.USER32(00000000), ref: 00405783
              • EmptyClipboard.USER32 ref: 00405789
              • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405795
              • GlobalLock.KERNEL32(00000000), ref: 0040579F
              • SendMessageW.USER32(?,00001073,00000000,?), ref: 004057B3
              • GlobalUnlock.KERNEL32(00000000), ref: 004057D3
              • SetClipboardData.USER32(0000000D,00000000), ref: 004057DE
              • CloseClipboard.USER32 ref: 004057E4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1643001405.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1642970890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643035849.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.000000000040A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000431000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000436000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000440000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643187214.0000000000445000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_drw_free_installer.jbxd
              Similarity
              • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
              • String ID: {
              • API String ID: 590372296-366298937
              • Opcode ID: b747a118dcd76f797ac229e86f31520b95951f9f2fd18a8a10ba66df94a6a7c7
              • Instruction ID: 0d33ea325d25f8e5d5623e6ebdd73ca6fcd7ab1b09301a5b30cdd6c49ec902ff
              • Opcode Fuzzy Hash: b747a118dcd76f797ac229e86f31520b95951f9f2fd18a8a10ba66df94a6a7c7
              • Instruction Fuzzy Hash: D7B15770900608FFDB119FA0DD89AAE7BB9FB48355F00403AFA41BA1A0CB755E51DF68
              APIs
              • GetDlgItem.USER32(?,000003F9), ref: 00404CB6
              • GetDlgItem.USER32(?,00000408), ref: 00404CC1
              • GlobalAlloc.KERNEL32(00000040,?), ref: 00404D0B
              • LoadBitmapW.USER32(0000006E), ref: 00404D1E
              • SetWindowLongW.USER32(?,000000FC,00405296), ref: 00404D37
              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D4B
              • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404D5D
              • SendMessageW.USER32(?,00001109,00000002), ref: 00404D73
              • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D7F
              • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D91
              • DeleteObject.GDI32(00000000), ref: 00404D94
              • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404DBF
              • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404DCB
              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E61
              • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E8C
              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404EA0
              • GetWindowLongW.USER32(?,000000F0), ref: 00404ECF
              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404EDD
              • ShowWindow.USER32(?,00000005), ref: 00404EEE
              • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404FEB
              • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00405050
              • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405065
              • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405089
              • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004050A9
              • ImageList_Destroy.COMCTL32(?), ref: 004050BE
              • GlobalFree.KERNEL32(?), ref: 004050CE
              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405147
              • SendMessageW.USER32(?,00001102,?,?), ref: 004051F0
              • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004051FF
              • InvalidateRect.USER32(?,00000000,00000001), ref: 0040521F
              • ShowWindow.USER32(?,00000000), ref: 0040526D
              • GetDlgItem.USER32(?,000003FE), ref: 00405278
              • ShowWindow.USER32(00000000), ref: 0040527F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1643001405.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1642970890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643035849.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.000000000040A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000431000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000436000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000440000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643187214.0000000000445000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_drw_free_installer.jbxd
              Similarity
              • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
              • String ID: $M$N
              • API String ID: 1638840714-813528018
              • Opcode ID: 38e67d642b103c863e09d225da822fb6d69acbe0d816e4b8de2aebeebed4de2d
              • Instruction ID: f888d98cc81d7f01a919363da6f821789f230268a52e2f70c0503caf05bd5b25
              • Opcode Fuzzy Hash: 38e67d642b103c863e09d225da822fb6d69acbe0d816e4b8de2aebeebed4de2d
              • Instruction Fuzzy Hash: BB026FB0900209EFDB109FA4DD85AAE7BB5FB84314F14857AF610BA2E0C7799D52CF58
              APIs
              • GetDlgItem.USER32(?,000003FB), ref: 00404771
              • SetWindowTextW.USER32(00000000,?), ref: 0040479B
              • SHBrowseForFolderW.SHELL32(?), ref: 0040484C
              • CoTaskMemFree.OLE32(00000000), ref: 00404857
              • lstrcmpiW.KERNEL32("C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe" EXEDIR=C:\Users\user\Desktop ||| EXENAME=drw_fr,0042D248,00000000,?,?), ref: 00404889
              • lstrcatW.KERNEL32(?,"C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe" EXEDIR=C:\Users\user\Desktop ||| EXENAME=drw_fr), ref: 00404895
              • SetDlgItemTextW.USER32(?,000003FB,?), ref: 004048A7
                • Part of subcall function 00405904: GetDlgItemTextW.USER32(?,?,00000400,004048DE), ref: 00405917
                • Part of subcall function 0040654E: CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0043F000,0040336A,C:\Users\user\AppData\Local\Temp\,74DF3420,004035D9,?,00000006,00000008,0000000A), ref: 004065B1
                • Part of subcall function 0040654E: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004065C0
                • Part of subcall function 0040654E: CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0043F000,0040336A,C:\Users\user\AppData\Local\Temp\,74DF3420,004035D9,?,00000006,00000008,0000000A), ref: 004065C5
                • Part of subcall function 0040654E: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0043F000,0040336A,C:\Users\user\AppData\Local\Temp\,74DF3420,004035D9,?,00000006,00000008,0000000A), ref: 004065D8
              • GetDiskFreeSpaceW.KERNEL32(0042B218,?,?,0000040F,?,0042B218,0042B218,?,00000001,0042B218,?,?,000003FB,?), ref: 0040496A
              • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404985
                • Part of subcall function 00404ADE: lstrlenW.KERNEL32(0042D248,0042D248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B7F
                • Part of subcall function 00404ADE: wsprintfW.USER32 ref: 00404B88
                • Part of subcall function 00404ADE: SetDlgItemTextW.USER32(?,0042D248), ref: 00404B9B
              Strings
              • A, xrefs: 00404845
              • "C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe" EXEDIR=C:\Users\user\Desktop ||| EXENAME=drw_fr, xrefs: 00404883, 00404888, 00404893
              Memory Dump Source
              • Source File: 00000000.00000002.1643001405.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1642970890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643035849.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.000000000040A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000431000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000436000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000440000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643187214.0000000000445000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_drw_free_installer.jbxd
              Similarity
              • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
              • String ID: "C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe" EXEDIR=C:\Users\user\Desktop ||| EXENAME=drw_fr$A
              • API String ID: 2624150263-911722758
              • Opcode ID: 0e7a3ef283d1d7ec7faeb562c0eda326dd22e556ee24bddd125c463040a43afb
              • Instruction ID: 9ce2ccc5872d7715d19bac2dec5c0444f9ce2fea2c0a51142092d54e0f15b7c0
              • Opcode Fuzzy Hash: 0e7a3ef283d1d7ec7faeb562c0eda326dd22e556ee24bddd125c463040a43afb
              • Instruction Fuzzy Hash: F8A165B1A00208ABDB11AFA5CD45AAFB7B8EF84314F10847BF601B62D1D77C99418F6D
              APIs
              • DeleteFileW.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 004059F5
              • lstrcatW.KERNEL32(0042F250,\*.*), ref: 00405A3D
              • lstrcatW.KERNEL32(?,0040A014), ref: 00405A60
              • lstrlenW.KERNEL32(?,?,0040A014,?,0042F250,?,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 00405A66
              • FindFirstFileW.KERNEL32(0042F250,?,?,?,0040A014,?,0042F250,?,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 00405A76
              • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405B16
              • FindClose.KERNEL32(00000000), ref: 00405B25
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1643001405.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1642970890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643035849.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.000000000040A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000431000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000436000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000440000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643187214.0000000000445000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_drw_free_installer.jbxd
              Similarity
              • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
              • String ID: C:\Users\user\AppData\Local\Temp\$\*.*
              • API String ID: 2035342205-3042786806
              • Opcode ID: bcbc2a7ac1b1f3fb7d07acde4e2512b3450779b38a1d7279aa7c3219c953243e
              • Instruction ID: 87b7c1c15068e6398432f2de95375e915c3ae258b511550e47b187391169d043
              • Opcode Fuzzy Hash: bcbc2a7ac1b1f3fb7d07acde4e2512b3450779b38a1d7279aa7c3219c953243e
              • Instruction Fuzzy Hash: EE41E430900914BACB21AB618C89ABF7778EF45768F50427FF801B11D1D77CA982DE6E
              APIs
              • CoCreateInstance.OLE32(004085E8,?,00000001,004085D8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402183
              Strings
              • C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free, xrefs: 004021C3
              Memory Dump Source
              • Source File: 00000000.00000002.1643001405.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1642970890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643035849.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.0000000000436000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643187214.0000000000445000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_drw_free_installer.jbxd
              Similarity
              • API ID: CreateInstance
              • String ID: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free
              • API String ID: 542301482-120379331
              • Opcode ID: 0bf3dfc2339aa7d15c11075db74036d96aed453b0273c78684b575aae048cbb1
              • Instruction ID: d410e27007f87fae541732bdb1cbefdb239a2090c9e466904aadd755c5c79360
              • Opcode Fuzzy Hash: 0bf3dfc2339aa7d15c11075db74036d96aed453b0273c78684b575aae048cbb1
              • Instruction Fuzzy Hash: 0D413A71A00208AFCF04DFE4C988A9D7BB5FF48314B24457AF915EB2E0DBB99981CB54
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1643001405.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1642970890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643035849.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.0000000000436000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643187214.0000000000445000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_drw_free_installer.jbxd
              Similarity
              • API ID:
              • String ID: p!C$p!C
              • API String ID: 0-3125587631
              • Opcode ID: b391703ce6aa9d184f83615265780e2503839b4fa6daee6685a5ac04655da8ea
              • Instruction ID: 7c26ffe8835462b5285d43e9ad3b72979f058f3642fe5300250d3649f4ae0bba
              • Opcode Fuzzy Hash: b391703ce6aa9d184f83615265780e2503839b4fa6daee6685a5ac04655da8ea
              • Instruction Fuzzy Hash: 9BC15831E04219DBDF18CF68C8905EEBBB2BF88314F25866AC85677380D734A942CF95
              APIs
              • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402877
              Memory Dump Source
              • Source File: 00000000.00000002.1643001405.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1642970890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643035849.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.0000000000436000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643187214.0000000000445000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_drw_free_installer.jbxd
              Similarity
              • API ID: FileFindFirst
              • String ID:
              • API String ID: 1974802433-0
              • Opcode ID: 115c5d433e14c96260f9e46262acef96b25dd7cb937b0ec189ae6923d83c572a
              • Instruction ID: 0cd4a400be5c1b2ce6ea5bbb35e8853c3f48bcc8ff45a2cab7902aaadd26400c
              • Opcode Fuzzy Hash: 115c5d433e14c96260f9e46262acef96b25dd7cb937b0ec189ae6923d83c572a
              • Instruction Fuzzy Hash: C8F08271A14104EFDB00EBA4DA499ADB378EF04314F6045BBF515F21D1DBB45D409B29
              Memory Dump Source
              • Source File: 00000000.00000002.1643001405.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1642970890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643035849.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.0000000000436000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643187214.0000000000445000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_drw_free_installer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5a4ae33423394c5bea169515a796ff1213356ce6b05ba1201df3d6212e3a5333
              • Instruction ID: dcc2b246e3e85771245330633344c28aad3b6f2e7effc766acd5add5c88cb85a
              • Opcode Fuzzy Hash: 5a4ae33423394c5bea169515a796ff1213356ce6b05ba1201df3d6212e3a5333
              • Instruction Fuzzy Hash: DBE18A7190470ADFDB24CF99C880BAAB7F5FF44305F15852EE497A7291E378AA91CB04
              APIs
              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D94
              • ShowWindow.USER32(?), ref: 00403DB1
              • DestroyWindow.USER32 ref: 00403DC5
              • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DE1
              • GetDlgItem.USER32(?,?), ref: 00403E02
              • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403E16
              • IsWindowEnabled.USER32(00000000), ref: 00403E1D
              • GetDlgItem.USER32(?,00000001), ref: 00403ECB
              • GetDlgItem.USER32(?,00000002), ref: 00403ED5
              • SetClassLongW.USER32(?,000000F2,?), ref: 00403EEF
              • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403F40
              • GetDlgItem.USER32(?,00000003), ref: 00403FE6
              • ShowWindow.USER32(00000000,?), ref: 00404007
              • EnableWindow.USER32(?,?), ref: 00404019
              • EnableWindow.USER32(?,?), ref: 00404034
              • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040404A
              • EnableMenuItem.USER32(00000000), ref: 00404051
              • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404069
              • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040407C
              • lstrlenW.KERNEL32(0042D248,?,0042D248,00000000), ref: 004040A6
              • SetWindowTextW.USER32(?,0042D248), ref: 004040BA
              • ShowWindow.USER32(?,0000000A), ref: 004041EE
              Memory Dump Source
              • Source File: 00000000.00000002.1643001405.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1642970890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643035849.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.0000000000436000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643187214.0000000000445000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_drw_free_installer.jbxd
              Similarity
              • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
              • String ID:
              • API String ID: 184305955-0
              • Opcode ID: 0b7b1c17639b6d1c33985b6847ccd2c8cf6276db4693f940084e8c077b1e5a4a
              • Instruction ID: e03fc219ec92158800d4d40d681534e4389e9639ccb8e5563fa4604b390d03ca
              • Opcode Fuzzy Hash: 0b7b1c17639b6d1c33985b6847ccd2c8cf6276db4693f940084e8c077b1e5a4a
              • Instruction Fuzzy Hash: 29C1D171600300ABDB216F61ED89E2B3AB8FB95746F04053EF641B51F0CB799982DB6D
              APIs
              • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040448E
              • GetDlgItem.USER32(?,000003E8), ref: 004044A2
              • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004044BF
              • GetSysColor.USER32(?), ref: 004044D0
              • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004044DE
              • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004044EC
              • lstrlenW.KERNEL32(?), ref: 004044F1
              • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004044FE
              • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404513
              • GetDlgItem.USER32(?,0000040A), ref: 0040456C
              • SendMessageW.USER32(00000000), ref: 00404573
              • GetDlgItem.USER32(?,000003E8), ref: 0040459E
              • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004045E1
              • LoadCursorW.USER32(00000000,00007F02), ref: 004045EF
              • SetCursor.USER32(00000000), ref: 004045F2
              • LoadCursorW.USER32(00000000,00007F00), ref: 0040460B
              • SetCursor.USER32(00000000), ref: 0040460E
              • SendMessageW.USER32(00000111,00000001,00000000), ref: 0040463D
              • SendMessageW.USER32(00000010,00000000,00000000), ref: 0040464F
              Strings
              • N, xrefs: 0040458C
              • "C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe" EXEDIR=C:\Users\user\Desktop ||| EXENAME=drw_fr, xrefs: 004045CD
              • gC@, xrefs: 004045FA
              Memory Dump Source
              • Source File: 00000000.00000002.1643001405.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1642970890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643035849.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.0000000000436000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643187214.0000000000445000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_drw_free_installer.jbxd
              Similarity
              • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
              • String ID: "C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe" EXEDIR=C:\Users\user\Desktop ||| EXENAME=drw_fr$N$gC@
              • API String ID: 3103080414-3976289358
              • Opcode ID: 353f568027e9435f0b10a007412a0fb7b671a4650aedb506db2b7bc5b58b0be6
              • Instruction ID: 67960cbe9d5dd80a83daf25f2437327cccbb0fafcef4e9f4d39b28ee92a42e65
              • Opcode Fuzzy Hash: 353f568027e9435f0b10a007412a0fb7b671a4650aedb506db2b7bc5b58b0be6
              • Instruction Fuzzy Hash: ED618FB1900209BFDB109F60DD85EAA7B79FB84345F00853AF605B62D0D77DA951CFA8
              APIs
              • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
              • BeginPaint.USER32(?,?), ref: 00401047
              • GetClientRect.USER32(?,?), ref: 0040105B
              • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
              • FillRect.USER32(00000000,?,00000000), ref: 004010E4
              • DeleteObject.GDI32(?), ref: 004010ED
              • CreateFontIndirectW.GDI32(?), ref: 00401105
              • SetBkMode.GDI32(00000000,00000001), ref: 00401126
              • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
              • SelectObject.GDI32(00000000,?), ref: 00401140
              • DrawTextW.USER32(00000000,downloader_easeus 2.0.0 Setup,000000FF,00000010,00000820), ref: 00401156
              • SelectObject.GDI32(00000000,00000000), ref: 00401160
              • DeleteObject.GDI32(?), ref: 00401165
              • EndPaint.USER32(?,?), ref: 0040116E
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1643001405.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1642970890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643035849.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.0000000000436000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643187214.0000000000445000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_drw_free_installer.jbxd
              Similarity
              • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
              • String ID: F$downloader_easeus 2.0.0 Setup
              • API String ID: 941294808-3134015408
              • Opcode ID: e215112caf94b1f54c3d659d29471f2010c28c8ad64a223ce82802b434a3cd12
              • Instruction ID: 68187ad06c86d7515f13608b457f8be07a0117cb3bcf177897c910b083aea3f1
              • Opcode Fuzzy Hash: e215112caf94b1f54c3d659d29471f2010c28c8ad64a223ce82802b434a3cd12
              • Instruction Fuzzy Hash: 9A418C71800209AFCF058F95DE459AF7BB9FF44315F00842AF591AA1A0C778EA54DFA4
              APIs
              • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004060A1,?,?), ref: 00405F41
              • GetShortPathNameW.KERNEL32(?,004308E8,00000400), ref: 00405F4A
                • Part of subcall function 00405D15: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D25
                • Part of subcall function 00405D15: lstrlenA.KERNEL32(00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D57
              • GetShortPathNameW.KERNEL32(?,004310E8,00000400), ref: 00405F67
              • wsprintfA.USER32 ref: 00405F85
              • GetFileSize.KERNEL32(00000000,00000000,004310E8,C0000000,00000004,004310E8,?,?,?,?,?), ref: 00405FC0
              • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405FCF
              • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406007
              • SetFilePointer.KERNEL32(0040A560,00000000,00000000,00000000,00000000,004304E8,00000000,-0000000A,0040A560,00000000,[Rename],00000000,00000000,00000000), ref: 0040605D
              • GlobalFree.KERNEL32(00000000), ref: 0040606E
              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406075
                • Part of subcall function 00405DB0: GetFileAttributesW.KERNELBASE(00442800,00402F1D,00442800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405DB4
                • Part of subcall function 00405DB0: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DD6
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1643001405.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1642970890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643035849.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.0000000000436000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643187214.0000000000445000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_drw_free_installer.jbxd
              Similarity
              • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
              • String ID: %ls=%ls$[Rename]
              • API String ID: 2171350718-461813615
              • Opcode ID: 83696b653ec3a1efa3543d3077539b31fe4808eb9cc4cf445683fb08cbafc385
              • Instruction ID: 4536b0422d5dde00314373cba87b6dc9e05edcb010d47b65b9eea0f1bfd6f862
              • Opcode Fuzzy Hash: 83696b653ec3a1efa3543d3077539b31fe4808eb9cc4cf445683fb08cbafc385
              • Instruction Fuzzy Hash: 5A313531641B04BBC220AB659D48F6B3AACEF45744F15003FFA46F62D2DB7C98118ABD
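The function traced above writes a "[Rename]" header followed by "%ls=%ls" lines built from GetShortPathNameW results, which is the wininit.ini layout Windows uses to rename or delete files at the next boot. The parser below is an added example, not code from the sample, from Joe Sandbox, or from the installer's author; it reads such a section back, as a responder would when checking a recovered wininit.ini for files scheduled to vanish. It assumes the documented wininit.ini convention that each entry is destination=source and that a destination of NUL means delete; the sample file in the block is constructed.

```python
"""Parse the [Rename] section of a wininit.ini-style file.

Added illustration, not code from the sandboxed sample or from Joe Sandbox.
Assumes the documented wininit.ini convention: each entry under [Rename]
is destination=source, and a destination of NUL deletes the source at boot.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: two entries appended by an installer, plus an unrelated section.
SAMPLE_WININIT = (
    "[Rename]\r\n"
    "NUL=C:\\Users\\user\\AppData\\Local\\Temp\\delme.tmp\r\n"
    "C:\\PROGRA~1\\APP\\APP.EXE=C:\\Users\\user\\AppData\\Local\\Temp\\stage.tmp\r\n"
    "[Other]\r\n"
    "ignored=1\r\n"
)


@dataclass(frozen=True)
class RenameEntry:
    destination: str | None  # None when the destination is NUL (delete at boot)
    source: str

    @property
    def is_delete(self) -> bool:
        return self.destination is None


_SECTION = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")


def parse_rename_section(text: str) -> list[RenameEntry]:
    """Return the entries under [Rename], in file order.

    Section names match case-insensitively (INI semantics). Lines outside
    [Rename], blank lines and ';' comments are skipped. Only the first '='
    splits an entry, so a source path that itself contains '=' survives.
    """
    entries: list[RenameEntry] = []
    in_rename = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _SECTION.match(line)
        if m:
            in_rename = m.group("name").strip().lower() == "rename"
            continue
        if not in_rename or "=" not in line:
            continue
        dest, src = (part.strip() for part in line.split("=", 1))
        entries.append(RenameEntry(None if dest.upper() == "NUL" else dest, src))
    return entries


def pending_deletes(text: str) -> list[str]:
    """Paths scheduled for deletion at next boot (NUL= entries)."""
    return [e.source for e in parse_rename_section(text) if e.is_delete]


if __name__ == "__main__":
    for e in parse_rename_section(SAMPLE_WININIT):
        action = "DELETE" if e.is_delete else f"RENAME -> {e.destination}"
        print(f"{action:45} {e.source}")
```

Because the installer records 8.3 short names, a responder should resolve each destination with the long-name form before comparing it against other artifacts; the parser deliberately leaves the strings untouched so that comparison can be done on whichever form the investigation needs.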
              APIs
              • GetSystemDirectoryW.KERNEL32("C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe" EXEDIR=C:\Users\user\Desktop ||| EXENAME=drw_fr,00000400), ref: 0040641D
              • GetWindowsDirectoryW.KERNEL32("C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe" EXEDIR=C:\Users\user\Desktop ||| EXENAME=drw_fr,00000400,00000000,0042C228,?,00405359,0042C228,00000000), ref: 00406430
              • SHGetSpecialFolderLocation.SHELL32(00405359,0041BEF6,00000000,0042C228,?,00405359,0042C228,00000000), ref: 0040646C
              • SHGetPathFromIDListW.SHELL32(0041BEF6,"C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe" EXEDIR=C:\Users\user\Desktop ||| EXENAME=drw_fr), ref: 0040647A
              • CoTaskMemFree.OLE32(0041BEF6), ref: 00406485
              • lstrcatW.KERNEL32("C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe" EXEDIR=C:\Users\user\Desktop ||| EXENAME=drw_fr,\Microsoft\Internet Explorer\Quick Launch), ref: 004064AB
              • lstrlenW.KERNEL32("C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe" EXEDIR=C:\Users\user\Desktop ||| EXENAME=drw_fr,00000000,0042C228,?,00405359,0042C228,00000000), ref: 00406503
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1643001405.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1642970890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643035849.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.0000000000436000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643187214.0000000000445000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_drw_free_installer.jbxd
              Similarity
              • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
              • String ID: "C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe" EXEDIR=C:\Users\user\Desktop ||| EXENAME=drw_fr$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
              • API String ID: 717251189-1532523090
              • Opcode ID: 55be7f4316b30cf13c4370b5612eea0ce10ea7aa58c3089d9c737aa3649c70f7
              • Instruction ID: 9562dd14d952d55a61127842092d6448be61ccc4685f782e3002b21b8a961bfb
              • Opcode Fuzzy Hash: 55be7f4316b30cf13c4370b5612eea0ce10ea7aa58c3089d9c737aa3649c70f7
              • Instruction Fuzzy Hash: 38611171A00111ABDF209F54DC41AAE37A9EF45318F26803FE943BA2D0D77D9AA1C79D
              APIs
              • GetWindowLongW.USER32(?,000000EB), ref: 004042B5
              • GetSysColor.USER32(00000000), ref: 004042F3
              • SetTextColor.GDI32(?,00000000), ref: 004042FF
              • SetBkMode.GDI32(?,?), ref: 0040430B
              • GetSysColor.USER32(?), ref: 0040431E
              • SetBkColor.GDI32(?,?), ref: 0040432E
              • DeleteObject.GDI32(?), ref: 00404348
              • CreateBrushIndirect.GDI32(?), ref: 00404352
              Memory Dump Source
              • Source File: 00000000.00000002.1643001405.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1642970890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643035849.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.0000000000436000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643187214.0000000000445000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_drw_free_installer.jbxd
              Similarity
              • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
              • String ID:
              • API String ID: 2320649405-0
              • Opcode ID: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
              • Instruction ID: a3c6a1d12b74a4a342abaca89036a15a37f51972f1e3113ed1cbee018e9c0b42
              • Opcode Fuzzy Hash: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
              • Instruction Fuzzy Hash: 772156716007059BC724DF78D948B5B77F4AF81710B04893DED96A26E0D734E544CB54
              APIs
              • ReadFile.KERNEL32(?,?,?,?), ref: 004026B6
              • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026F1
              • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402714
              • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 0040272A
                • Part of subcall function 00405E91: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405EA7
              • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D6
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1643001405.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1642970890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643035849.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.0000000000436000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643187214.0000000000445000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_drw_free_installer.jbxd
              Similarity
              • API ID: File$Pointer$ByteCharMultiWide$Read
              • String ID: 9
              • API String ID: 163830602-2366072709
              • Opcode ID: 19438e2e62ba8aece1a895eee3c3762f252ce0cb36923fbe756b3879527f42a2
              • Instruction ID: 0a1b8613d15e357d59cabb4a84863d73d9dad353ca9b6e0785da3ca47288b3a0
              • Opcode Fuzzy Hash: 19438e2e62ba8aece1a895eee3c3762f252ce0cb36923fbe756b3879527f42a2
              • Instruction Fuzzy Hash: 42511974D00219AEDF219F95DA88AAEB779FF04304F10443BE901B72D0DBB89982CB18
              APIs
              • lstrlenW.KERNEL32(0042C228,00000000,0041BEF6,74DF23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000,?), ref: 0040535A
              • lstrlenW.KERNEL32(0040327A,0042C228,00000000,0041BEF6,74DF23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000), ref: 0040536A
              • lstrcatW.KERNEL32(0042C228,0040327A), ref: 0040537D
              • SetWindowTextW.USER32(0042C228,0042C228), ref: 0040538F
              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004053B5
              • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053CF
              • SendMessageW.USER32(?,00001013,?,00000000), ref: 004053DD
              Memory Dump Source
              • Source File: 00000000.00000002.1643001405.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1642970890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643035849.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.0000000000436000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643073592.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1643187214.0000000000445000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_drw_free_installer.jbxd
              Similarity
              • API ID: MessageSend$lstrlen$TextWindowlstrcat
              • String ID:
              • API String ID: 2531174081-0
              • Opcode ID: 165d7cb729b0b1d8dbd40609dc1f72fd4c041b11e62b4558e2d47e9179cb1f78
              • Instruction ID: 851cb2e595d07e8670ef4c489cf40fd5108cb81fe88e509cf6dd9e4b353e565e
              • Opcode Fuzzy Hash: 165d7cb729b0b1d8dbd40609dc1f72fd4c041b11e62b4558e2d47e9179cb1f78
              • Instruction Fuzzy Hash: 20218371900518BACF11AFA5DD859CFBFB9EF45350F14807AF904B62A0C7B94A40DFA8
              APIs
              • CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0043F000,0040336A,C:\Users\user\AppData\Local\Temp\,74DF3420,004035D9,?,00000006,00000008,0000000A), ref: 004065B1
              • CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004065C0
              • CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0043F000,0040336A,C:\Users\user\AppData\Local\Temp\,74DF3420,004035D9,?,00000006,00000008,0000000A), ref: 004065C5
              • CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0043F000,0040336A,C:\Users\user\AppData\Local\Temp\,74DF3420,004035D9,?,00000006,00000008,0000000A), ref: 004065D8
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1643001405.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1642970890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643035849.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.000000000040A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000431000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000436000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000440000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643187214.0000000000445000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_drw_free_installer.jbxd
              Similarity
              • API ID: Char$Next$Prev
              • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
              • API String ID: 589700163-4010320282
              • Opcode ID: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
              • Instruction ID: 36fae6fd7d65e337959ab81909abbfc549fe516cf0b4c9ff473ab524d2c4c229
              • Opcode Fuzzy Hash: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
              • Instruction Fuzzy Hash: B611B65580061279DB302B14BC40EB762F8EF54764F56403FED86732C8EBBC5C9292AD
              APIs
              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404C07
              • GetMessagePos.USER32 ref: 00404C0F
              • ScreenToClient.USER32(?,?), ref: 00404C29
              • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404C3B
              • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404C61
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1643001405.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1642970890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643035849.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.000000000040A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000431000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000436000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000440000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643187214.0000000000445000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_drw_free_installer.jbxd
              Similarity
              • API ID: Message$Send$ClientScreen
              • String ID: f
              • API String ID: 41195575-1993550816
              • Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
              • Instruction ID: 457ccdd811883e010b73e4973708530e0d9e00004b69c5e73a61d7a3cd07de8f
              • Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
              • Instruction Fuzzy Hash: CF015271900218BAEB10DBA4DD85BFEBBBCAF95711F10412BBA50B71D0D7B499018BA4
              APIs
              • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E11
              • MulDiv.KERNEL32(00019600,00000064,002881A0), ref: 00402E3C
              • wsprintfW.USER32 ref: 00402E4C
              • SetWindowTextW.USER32(?,?), ref: 00402E5C
              • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E6E
              Strings
              • verifying installer: %d%%, xrefs: 00402E46
              Memory Dump Source
              • Source File: 00000000.00000002.1643001405.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1642970890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643035849.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.000000000040A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000431000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000436000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000440000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643187214.0000000000445000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_drw_free_installer.jbxd
              Similarity
              • API ID: Text$ItemTimerWindowwsprintf
              • String ID: verifying installer: %d%%
              • API String ID: 1451636040-82062127
              • Opcode ID: e1d542de2cd716b5e5aca43617af61348071ba80885408b45aa8db9304e84829
              • Instruction ID: 97abdd23f95b89fa957f28f44bfdcbbe1494948371ff671501e6f707f2390605
              • Opcode Fuzzy Hash: e1d542de2cd716b5e5aca43617af61348071ba80885408b45aa8db9304e84829
              • Instruction Fuzzy Hash: B7014F7164020CBBEF209F60DE49FAA3B69AB04304F008439FA06B91E0DBB885558B98
              APIs
              • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402901
              • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040291D
              • GlobalFree.KERNEL32(?), ref: 00402956
              • GlobalFree.KERNEL32(00000000), ref: 00402969
              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402981
              • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402995
              Memory Dump Source
              • Source File: 00000000.00000002.1643001405.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1642970890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643035849.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.000000000040A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000431000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000436000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000440000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643187214.0000000000445000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_drw_free_installer.jbxd
              Similarity
              • API ID: Global$AllocFree$CloseDeleteFileHandle
              • String ID:
              • API String ID: 2667972263-0
              • Opcode ID: 4126a60767291b4e97372a1dfb43fb75c9546f442d683c376cf2255872b84c40
              • Instruction ID: 46c72067781f24dbae578634f425dbba750e376c3d5c902d6f733973cd64d3bf
              • Opcode Fuzzy Hash: 4126a60767291b4e97372a1dfb43fb75c9546f442d683c376cf2255872b84c40
              • Instruction Fuzzy Hash: 9621AEB1800128BBDF116FA5DE89DDE7E79AF08364F14423AF960762E0CB794C418B98
              APIs
              • CreateDirectoryW.KERNEL32(?,?,00000000), ref: 00405834
              • GetLastError.KERNEL32 ref: 00405848
              • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040585D
              • GetLastError.KERNEL32 ref: 00405867
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1643001405.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1642970890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643035849.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.000000000040A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000431000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000436000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000440000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643187214.0000000000445000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_drw_free_installer.jbxd
              Similarity
              • API ID: ErrorLast$CreateDirectoryFileSecurity
              • String ID: C:\Users\user\Desktop
              • API String ID: 3449924974-224404859
              • Opcode ID: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
              • Instruction ID: 56aaffc7fd545305371b439287a03fd7ccaf004a29b63406c0e33255b185a1b6
              • Opcode Fuzzy Hash: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
              • Instruction Fuzzy Hash: 90011A72D00619EADF00DFA1C944BEFBBB8EF14354F00843AE945B6281D7789618CFA9
              APIs
              • GetDC.USER32(?), ref: 00401DBC
              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD6
              • MulDiv.KERNEL32(00000000,00000000), ref: 00401DDE
              • ReleaseDC.USER32(?,00000000), ref: 00401DEF
              • CreateFontIndirectW.GDI32(0040CDD0), ref: 00401E3E
              Memory Dump Source
              • Source File: 00000000.00000002.1643001405.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1642970890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643035849.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.000000000040A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000431000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000436000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000440000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643187214.0000000000445000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_drw_free_installer.jbxd
              Similarity
              • API ID: CapsCreateDeviceFontIndirectRelease
              • String ID:
              • API String ID: 3808545654-0
              • Opcode ID: 0df72e3b5cf70d21c530e24e682e28afae01b7faaf581061804cefe84a28b9e7
              • Instruction ID: ba082d56d8bf6e999078db2812661e05c0675f9cd89887cb5e118dc0f9610a58
              • Opcode Fuzzy Hash: 0df72e3b5cf70d21c530e24e682e28afae01b7faaf581061804cefe84a28b9e7
              • Instruction Fuzzy Hash: CF015E71944240EFE700ABB0AF4AAD97FB4AF55301F10457EE242F61E2DAB904458B2D
              APIs
              • GetDlgItem.USER32(?,?), ref: 00401D63
              • GetClientRect.USER32(00000000,?), ref: 00401D70
              • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D91
              • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D9F
              • DeleteObject.GDI32(00000000), ref: 00401DAE
              Memory Dump Source
              • Source File: 00000000.00000002.1643001405.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1642970890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643035849.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.000000000040A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000431000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000436000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000440000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643187214.0000000000445000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_drw_free_installer.jbxd
              Similarity
              • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
              • String ID:
              • API String ID: 1849352358-0
              • Opcode ID: ffa308e51fc2a7dd0918d2a0305ef53ba2975e26ebd74a39f79ceeac246a8f65
              • Instruction ID: f6b005b132729ba5a1909f4a704d5e159ac18246d791616e3be01574202a0a4f
              • Opcode Fuzzy Hash: ffa308e51fc2a7dd0918d2a0305ef53ba2975e26ebd74a39f79ceeac246a8f65
              • Instruction Fuzzy Hash: 4EF0FF72A04518AFDB01DBE4DF88CEEB7BCEB48301B14047AF641F61A0CA749D419B38
              APIs
              • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C8F
              • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA7
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1643001405.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1642970890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643035849.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.000000000040A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000431000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000436000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000440000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643187214.0000000000445000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_drw_free_installer.jbxd
              Similarity
              • API ID: MessageSend$Timeout
              • String ID: !
              • API String ID: 1777923405-2657877971
              • Opcode ID: 7e3eeff1b63bcc2d517f183bf836ef2b026841584b0bf51ee9d38dd24623c36e
              • Instruction ID: 9b2162bbfebbb1b7b3748198b6c02d748cac4cdb6124cb19748b2f92d1b33cd7
              • Opcode Fuzzy Hash: 7e3eeff1b63bcc2d517f183bf836ef2b026841584b0bf51ee9d38dd24623c36e
              • Instruction Fuzzy Hash: 8E219371948209AEEF059FB5DE4AABE7BB5EF84304F14443EF605B61D0D7B889409B18
              APIs
              • lstrlenW.KERNEL32(0042D248,0042D248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B7F
              • wsprintfW.USER32 ref: 00404B88
              • SetDlgItemTextW.USER32(?,0042D248), ref: 00404B9B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1643001405.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1642970890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643035849.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.000000000040A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000431000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000436000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000440000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643187214.0000000000445000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_drw_free_installer.jbxd
              Similarity
              • API ID: ItemTextlstrlenwsprintf
              • String ID: %u.%u%s%s
              • API String ID: 3540041739-3551169577
              • Opcode ID: be899ce802f4ada5aa38b77195d66e19eeaafb4e1a6305ece11e6f52dcfdaeb3
              • Instruction ID: 49dacc2217062e77d4dc452dcd456e10a33323318ced1260d8f84a7edb165714
              • Opcode Fuzzy Hash: be899ce802f4ada5aa38b77195d66e19eeaafb4e1a6305ece11e6f52dcfdaeb3
              • Instruction Fuzzy Hash: D911C3736041283ADB00656D9C46F9E369C9B85334F254237FA25F21D1E979D82182E8
              APIs
              • WideCharToMultiByte.KERNEL32(?,?,0040B5D0,000000FF,C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free,00000400,?,?,00000021), ref: 004025E8
              • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free,?,?,0040B5D0,000000FF,C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free,00000400,?,?,00000021), ref: 004025F3
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1643001405.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1642970890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643035849.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.000000000040A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000431000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000436000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000440000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643187214.0000000000445000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_drw_free_installer.jbxd
              Similarity
              • API ID: ByteCharMultiWidelstrlen
              • String ID: C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free
              • API String ID: 3109718747-120379331
              • Opcode ID: df88c7b315d98be26a832866f643f7765180fbf59289eea360610b16d9ed4daa
              • Instruction ID: 4af4a56a495a7247eb1268c7c56f37f79310e300d8c273c1dd4748c0a8a00d57
              • Opcode Fuzzy Hash: df88c7b315d98be26a832866f643f7765180fbf59289eea360610b16d9ed4daa
              • Instruction Fuzzy Hash: 41110872A04301BADB046FB18E89A9F7664AF44398F24443FF103F61D0DAFC89416B5E
              APIs
              • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040337C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,004035D9,?,00000006,00000008,0000000A), ref: 00405B95
              • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040337C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,004035D9,?,00000006,00000008,0000000A), ref: 00405B9F
              • lstrcatW.KERNEL32(?,0040A014), ref: 00405BB1
              Strings
              • C:\Users\user\AppData\Local\Temp\, xrefs: 00405B8F
              Memory Dump Source
              • Source File: 00000000.00000002.1643001405.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1642970890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643035849.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.000000000040A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000431000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000436000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000440000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643187214.0000000000445000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_drw_free_installer.jbxd
              Similarity
              • API ID: CharPrevlstrcatlstrlen
              • String ID: C:\Users\user\AppData\Local\Temp\
              • API String ID: 2659869361-3081826266
              • Opcode ID: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
              • Instruction ID: 9f579dd6f6e84daacee8b4087b975d8f345068127d43d06e1f6a06445f68851b
              • Opcode Fuzzy Hash: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
              • Instruction Fuzzy Hash: C8D05E31101534AAC111BF448D04CDF72ACAE45344742007AF501B20A2C7B82D5186FE
              APIs
              • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402DA9
              • RegCloseKey.ADVAPI32(?,?,?), ref: 00402DB2
              • RegCloseKey.ADVAPI32(?,?,?), ref: 00402DD3
              Memory Dump Source
              • Source File: 00000000.00000002.1643001405.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1642970890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643035849.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.000000000040A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000431000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000436000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000440000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643187214.0000000000445000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_drw_free_installer.jbxd
              Similarity
              • API ID: Close$Enum
              • String ID:
              • API String ID: 464197530-0
              • Opcode ID: a4e23b119c2c64eb18a4fa0724f9b8d9fe0ec592ff9815e45bdb7592abe1cef3
              • Instruction ID: fc7ade2e12cd9e993d25f9a328d8db16c9603ee1eb20de8c24b8f84b94a82c23
              • Opcode Fuzzy Hash: a4e23b119c2c64eb18a4fa0724f9b8d9fe0ec592ff9815e45bdb7592abe1cef3
              • Instruction Fuzzy Hash: B4116A32500109FBDF02AB90CE09FEE7B7DAF54340F100076B904B51E1E7B59E21AB68
              APIs
              • DestroyWindow.USER32(00000000,00000000,00403059,00000001,?,00000006,00000008,0000000A), ref: 00402E8C
              • GetTickCount.KERNEL32 ref: 00402EAA
              • CreateDialogParamW.USER32(0000006F,00000000,00402DF3,00000000), ref: 00402EC7
              • ShowWindow.USER32(00000000,00000005,?,00000006,00000008,0000000A), ref: 00402ED5
              Memory Dump Source
              • Source File: 00000000.00000002.1643001405.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1642970890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643035849.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.000000000040A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000431000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000436000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000440000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643187214.0000000000445000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_drw_free_installer.jbxd
              Similarity
              • API ID: Window$CountCreateDestroyDialogParamShowTick
              • String ID:
              • API String ID: 2102729457-0
              • Opcode ID: 5c4e852214d6767aab513baeadf18d74bcc02012da70e31d5af0b3f9b2778c41
              • Instruction ID: ba23c68ca914eac1f4c080bcf69ea635dc5c4ffa9688b42209883b937cdf97fb
              • Opcode Fuzzy Hash: 5c4e852214d6767aab513baeadf18d74bcc02012da70e31d5af0b3f9b2778c41
              • Instruction Fuzzy Hash: 7FF03A30541630FBC6706B20FE0DA8B7B65FB44B02B42497AF002A19A4C7B849818ADC
              APIs
              • IsWindowVisible.USER32(?), ref: 004052C5
              • CallWindowProcW.USER32(?,?,?,?), ref: 00405316
                • Part of subcall function 0040427D: SendMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0040428F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1643001405.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1642970890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643035849.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.000000000040A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000431000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000436000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000440000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643187214.0000000000445000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_drw_free_installer.jbxd
              Similarity
              • API ID: Window$CallMessageProcSendVisible
              • String ID:
              • API String ID: 3748168415-3916222277
              • Opcode ID: 724b08e39b448c58c7649a37dc1be8b90ebc0ba8e0923a3b5611d97535f2409a
              • Instruction ID: 81d983181078a42bdaaa38d141d1896fcab4c42a172a92442cc7f35772e796f5
              • Opcode Fuzzy Hash: 724b08e39b448c58c7649a37dc1be8b90ebc0ba8e0923a3b5611d97535f2409a
              • Instruction Fuzzy Hash: 8E018431200709EBDF205F51DDD4A5B7B25EB84794F50507BFA00751D0D7BA8C929E2E
              APIs
              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000002,0042C228,00000000,?,?,"C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe" EXEDIR=C:\Users\user\Desktop ||| EXENAME=drw_fr,?,?,004063FC,80000002), ref: 004061CE
              • RegCloseKey.ADVAPI32(?,?,004063FC,80000002,Software\Microsoft\Windows\CurrentVersion,"C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe" EXEDIR=C:\Users\user\Desktop ||| EXENAME=drw_fr,"C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe" EXEDIR=C:\Users\user\Desktop ||| EXENAME=drw_fr,"C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe" EXEDIR=C:\Users\user\Desktop ||| EXENAME=drw_fr,00000000,0042C228), ref: 004061D9
              Strings
              • "C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe" EXEDIR=C:\Users\user\Desktop ||| EXENAME=drw_fr, xrefs: 0040618F
              Memory Dump Source
              • Source File: 00000000.00000002.1643001405.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1642970890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643035849.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.000000000040A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000431000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000436000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000440000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643187214.0000000000445000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_drw_free_installer.jbxd
              Similarity
              • API ID: CloseQueryValue
              • String ID: "C:\Users\user\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe" EXEDIR=C:\Users\user\Desktop ||| EXENAME=drw_fr
              • API String ID: 3356406503-944021693
              • Opcode ID: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
              • Instruction ID: dbe656cbcd6f76d760dfbfd9a3b1c67a2d3549b4381969b9bec3f5648691b042
              • Opcode Fuzzy Hash: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
              • Instruction Fuzzy Hash: 22017C72500209EADF218F51CD09EDB3BA8EB55364F01803AFD16A61A1D778D964EBA4
              APIs
              • FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,74DF3420,004038ED,00403703,00000006,?,00000006,00000008,0000000A), ref: 0040392F
              • GlobalFree.KERNEL32(?), ref: 00403936
              Strings
              • C:\Users\user\AppData\Local\Temp\, xrefs: 00403927
              Memory Dump Source
              • Source File: 00000000.00000002.1643001405.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1642970890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643035849.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.000000000040A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000431000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000436000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000440000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643187214.0000000000445000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_drw_free_installer.jbxd
              Similarity
              • API ID: Free$GlobalLibrary
              • String ID: C:\Users\user\AppData\Local\Temp\
              • API String ID: 1100898210-3081826266
              • Opcode ID: 458fb59c7289fd05ef48150b7000eed9d6dd19151a6e1d3204a1ea3f1dd8076b
              • Instruction ID: cd662c2fc9a96c5040b18d0515cf0ea54f7952519699f51ce209c07819915f51
              • Opcode Fuzzy Hash: 458fb59c7289fd05ef48150b7000eed9d6dd19151a6e1d3204a1ea3f1dd8076b
              • Instruction Fuzzy Hash: 20E0C2335016209BC6215F04ED08B5E776CAF58B32F05447AF8807B26087B81C838FD8
              APIs
              • lstrlenW.KERNEL32(00442800,C:\Users\user\Desktop,00402F49,C:\Users\user\Desktop,C:\Users\user\Desktop,00442800,00442800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BE1
              • CharPrevW.USER32(00442800,00000000,00442800,C:\Users\user\Desktop,00402F49,C:\Users\user\Desktop,C:\Users\user\Desktop,00442800,00442800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BF1
              Memory Dump Source
              • Source File: 00000000.00000002.1643001405.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1642970890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643035849.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.000000000040A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000431000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000436000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000440000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643187214.0000000000445000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_drw_free_installer.jbxd
              Similarity
              • API ID: CharPrevlstrlen
              • String ID: C:\Users\user\Desktop
              • API String ID: 2709904686-224404859
              • Opcode ID: e4f7a16c0d3aeb27420e4918e5816bacf7b9900a4c75110623d7ea7fd9e9117e
              • Instruction ID: aeb767edbde6605fb3f6e877d1e8e55744b908c0e0c9ef55a7edb7ad10a4fca3
              • Opcode Fuzzy Hash: e4f7a16c0d3aeb27420e4918e5816bacf7b9900a4c75110623d7ea7fd9e9117e
              • Instruction Fuzzy Hash: D9D05EB2414920DAC3126B04DC40D9F73ACEF11300B4A446AE440A61A1D7786C8186AD
              APIs
              • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D25
              • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405D3D
              • CharNextA.USER32(00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D4E
              • lstrlenA.KERNEL32(00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D57
              Memory Dump Source
              • Source File: 00000000.00000002.1643001405.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1642970890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643035849.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.000000000040A000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000431000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000436000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643073592.0000000000440000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1643187214.0000000000445000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_drw_free_installer.jbxd
              Similarity
              • API ID: lstrlen$CharNextlstrcmpi
              • String ID:
              • API String ID: 190613189-0
              • Opcode ID: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
              • Instruction ID: cc601e2af81a4130f3690bf6756e9ae730db34a97aa71f580e1783f9e5236296
              • Opcode Fuzzy Hash: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
              • Instruction Fuzzy Hash: 3DF0F631200818FFC7129FA4DD049AFBBA8EF06354B2580BAE840F7211D634DE02AF98

              Execution Graph

              Execution Coverage:3.3%
              Dynamic/Decrypted Code Coverage:0%
              Signature Coverage:10.2%
              Total number of Nodes:2000
              Total number of Limit Nodes:58
99891 feab45 99891->99883 99915 ff4b7c 102 API calls __mbsnbicmp_l 99891->99915 99893 feab73 99893->99879 99916 ff4b7c 102 API calls __mbsnbicmp_l 99893->99916 99895 feab93 99895->99879 99917 ff4b7c 102 API calls __mbsnbicmp_l 99895->99917 99897->99843 99899->99847 99900->99847 99901 fdd020 LeaveCriticalSection LeaveCriticalSection __wfsopen 99901->99847 99908 fe4868 LeaveCriticalSection 99902->99908 99904 fead67 99904->99864 99905->99872 99906->99872 99907->99869 99908->99904 99920 ff4865 99909->99920 99911 fdd005 99911->99901 99912->99880 99914->99891 99915->99893 99916->99895 99917->99879 99918->99886 99923 ff4871 _setlocale 99920->99923 99921 ff4884 99995 fe0a22 67 API calls __getptd_noexit 99921->99995 99923->99921 99925 ff48c2 99923->99925 99924 ff4889 99996 fdb267 6 API calls 2 library calls 99924->99996 99931 ff4090 99925->99931 99930 ff4898 _setlocale 99930->99911 99932 ff40b5 99931->99932 99998 ff8447 99932->99998 99935 ff40d6 100023 fdb13f 10 API calls 3 library calls 99935->100023 99937 ff40e0 99941 ff40e3 99937->99941 99938 ff4119 100024 fe0a35 67 API calls __getptd_noexit 99938->100024 99940 ff411e 100025 fe0a22 67 API calls __getptd_noexit 99940->100025 99941->99938 99945 ff41d9 99941->99945 99943 ff4128 100026 fdb267 6 API calls 2 library calls 99943->100026 100004 ff21a4 99945->100004 99947 ff427b 99948 ff429c CreateFileA 99947->99948 99949 ff4282 99947->99949 99951 ff42c9 99948->99951 99952 ff4336 GetFileType 99948->99952 100027 fe0a35 67 API calls __getptd_noexit 99949->100027 99956 ff4302 GetLastError 99951->99956 99959 ff42dd CreateFileA 99951->99959 99953 ff4387 99952->99953 99954 ff4343 GetLastError 99952->99954 100033 ff1f5f 68 API calls 2 library calls 99953->100033 100031 fe0a48 67 API calls 3 library calls 99954->100031 99955 ff4287 100028 fe0a22 67 API calls __getptd_noexit 99955->100028 100029 fe0a48 67 API calls 3 library calls 99956->100029 99959->99952 99959->99956 99961 ff436c CloseHandle 99962 ff4291 99961->99962 99963 ff437a 
99961->99963 100030 fe0a22 67 API calls __getptd_noexit 99962->100030 100032 fe0a22 67 API calls __getptd_noexit 99963->100032 99965 ff43a5 99970 ff46aa 99965->99970 99971 ff43ff 99965->99971 99975 ff4470 99965->99975 99968 ff4137 99997 ff4903 LeaveCriticalSection __unlock_fhandle 99968->99997 99969 ff437f 99969->99962 99970->99968 99973 ff4732 CloseHandle CreateFileA 99970->99973 100034 fea5f9 69 API calls 3 library calls 99971->100034 99976 ff475d GetLastError 99973->99976 99977 ff463a 99973->99977 99974 ff440c 99982 ff441b 99974->99982 100035 fe0a35 67 API calls __getptd_noexit 99974->100035 99975->99970 99975->99982 99986 fe9ab0 __locking 101 API calls 99975->99986 99988 fe1cac 69 API calls __lseeki64_nolock 99975->99988 100053 fe0a48 67 API calls 3 library calls 99976->100053 99977->99968 99980 ff4769 100054 ff1fe0 68 API calls 2 library calls 99980->100054 99982->99975 99984 ff04f5 77 API calls __read_nolock 99982->99984 99987 ff462d 99982->99987 99989 fea5f9 69 API calls __lseek_nolock 99982->99989 99991 ff45c5 99982->99991 99993 fe1cac __lseeki64_nolock 69 API calls 99982->99993 100036 fea74a 99982->100036 100051 ff81d5 105 API calls 6 library calls 99982->100051 99984->99982 99986->99975 99990 fea74a __close_nolock 70 API calls 99987->99990 99988->99975 99989->99982 99992 ff4634 99990->99992 99991->99970 100052 fe0a22 67 API calls __getptd_noexit 99992->100052 99993->99982 99995->99924 99997->99930 99999 ff8456 99998->99999 100000 ff40d1 99998->100000 100055 fe0a22 67 API calls __getptd_noexit 99999->100055 100000->99935 100000->99941 100002 ff845b 100056 fdb267 6 API calls 2 library calls 100002->100056 100005 ff21b0 _setlocale 100004->100005 100006 fe487f __mtinitlocknum 67 API calls 100005->100006 100007 ff21c0 100006->100007 100008 fe4942 __lock 67 API calls 100007->100008 100012 ff21c5 _setlocale 100007->100012 100022 ff21d4 100008->100022 100009 ff2320 100060 ff2335 LeaveCriticalSection _doexit 100009->100060 100010 ff22ad 100059 fe4289 67 API calls 
__calloc_impl 100010->100059 100012->99947 100014 ff2255 EnterCriticalSection 100016 ff2265 LeaveCriticalSection 100014->100016 100014->100022 100015 fe4942 __lock 67 API calls 100015->100022 100016->100022 100017 ff22b6 100017->100009 100018 ff20dd ___lock_fhandle 68 API calls 100017->100018 100019 ff2317 100018->100019 100019->100009 100022->100009 100022->100010 100022->100014 100022->100015 100057 ff2b47 InitializeCriticalSectionAndSpinCount _setlocale 100022->100057 100058 ff2277 LeaveCriticalSection _doexit 100022->100058 100023->99937 100024->99940 100025->99943 100027->99955 100028->99962 100029->99962 100030->99968 100031->99961 100032->99969 100033->99965 100034->99974 100035->99982 100037 ff2066 __commit 67 API calls 100036->100037 100040 fea75a 100037->100040 100038 fea7b0 100061 ff1fe0 68 API calls 2 library calls 100038->100061 100040->100038 100042 ff2066 __commit 67 API calls 100040->100042 100050 fea78e 100040->100050 100041 ff2066 __commit 67 API calls 100043 fea79a FindCloseChangeNotification 100041->100043 100046 fea785 100042->100046 100043->100038 100047 fea7a6 GetLastError 100043->100047 100044 fea7b8 100045 fea7da 100044->100045 100062 fe0a48 67 API calls 3 library calls 100044->100062 100045->99982 100049 ff2066 __commit 67 API calls 100046->100049 100047->100038 100049->100050 100050->100038 100050->100041 100051->99982 100052->99977 100053->99980 100054->99977 100055->100002 100057->100022 100058->100022 100059->100017 100060->100012 100061->100044 100062->100045 100064 fe0233 EnterCriticalSection 100063->100064 100065 fe0211 100063->100065 100067 fdc59a 100064->100067 100065->100064 100066 fe0219 100065->100066 100068 fe4942 __lock 67 API calls 100066->100068 100069 fdc3ec 100067->100069 100068->100067 100070 fdc41f 100069->100070 100073 fdc3fe 100069->100073 100083 fdc5c6 LeaveCriticalSection LeaveCriticalSection __wfsopen 100070->100083 100071 fdc40a 100084 fe0a22 67 API calls __getptd_noexit 100071->100084 100073->100070 
100073->100071 100076 fdc43d _setlocale 100073->100076 100074 fdc40f 100085 fdb267 6 API calls 2 library calls 100074->100085 100076->100070 100077 fe5daf __flsbuf 101 API calls 100076->100077 100079 fe8f6c __fileno 67 API calls 100076->100079 100080 fe9ab0 __locking 101 API calls 100076->100080 100086 fdbcb4 100076->100086 100077->100076 100079->100076 100080->100076 100081->99554 100083->99550 100084->100074 100087 fdbccd 100086->100087 100091 fdbcef 100086->100091 100088 fe8f6c __fileno 67 API calls 100087->100088 100087->100091 100089 fdbce8 100088->100089 100090 fe9ab0 __locking 101 API calls 100089->100090 100090->100091 100091->100076 100093 fdc70f 100092->100093 100094 fdc6f3 100092->100094 100097 fdbcb4 __flush 101 API calls 100093->100097 100100 fdc708 100093->100100 100138 fe0a22 67 API calls __getptd_noexit 100094->100138 100096 fdc6f8 100139 fdb267 6 API calls 2 library calls 100096->100139 100099 fdc71b 100097->100099 100111 fea5c8 100099->100111 100110 fdc7ca LeaveCriticalSection LeaveCriticalSection __wfsopen 100100->100110 100103 fe8f6c __fileno 67 API calls 100104 fdc729 100103->100104 100115 fea7e6 100104->100115 100106 fdc72f 100106->100100 100107 fdb0a2 __woutput_l 67 API calls 100106->100107 100107->100100 100108->99565 100110->99571 100112 fea5d8 100111->100112 100113 fdc723 100111->100113 100112->100113 100114 fdb0a2 __woutput_l 67 API calls 100112->100114 100113->100103 100114->100113 100116 fea7f2 _setlocale 100115->100116 100117 fea7fa 100116->100117 100118 fea815 100116->100118 100140 fe0a35 67 API calls __getptd_noexit 100117->100140 100120 fea823 100118->100120 100123 fea864 100118->100123 100142 fe0a35 67 API calls __getptd_noexit 100120->100142 100121 fea7ff 100141 fe0a22 67 API calls __getptd_noexit 100121->100141 100126 ff20dd ___lock_fhandle 68 API calls 100123->100126 100125 fea828 100143 fe0a22 67 API calls __getptd_noexit 100125->100143 100129 fea86a 100126->100129 100128 fea82f 100144 fdb267 6 API calls 2 library calls 
100128->100144 100131 fea877 100129->100131 100132 fea885 100129->100132 100134 fea74a __close_nolock 70 API calls 100131->100134 100145 fe0a22 67 API calls __getptd_noexit 100132->100145 100133 fea807 _setlocale 100133->100106 100136 fea87f 100134->100136 100146 fea8a9 LeaveCriticalSection __unlock_fhandle 100136->100146 100138->100096 100140->100121 100141->100133 100142->100125 100143->100128 100145->100136 100146->100133 100148 f1f0f0 75 API calls 100147->100148 100149 f16170 100148->100149 100149->99512 100150->99516 100151->99516 100152->99120 100153->99124 100154->99127 100155->99135 100157 f1f0f0 75 API calls 100156->100157 100158 f4742f 100157->100158 100166 f47e20 100158->100166 100161 f989b0 100162 f1f0f0 75 API calls 100161->100162 100163 f989df 100162->100163 100179 f98bb0 100163->100179 100169 f481b0 100166->100169 100170 f481bf 100169->100170 100171 f481eb 100169->100171 100177 fdae7c 67 API calls 3 library calls 100170->100177 100173 fdb3b2 std::_Mutex::_Mutex 75 API calls 100171->100173 100175 f44b0b 100173->100175 100174 f481d4 100178 fe274b RaiseException 100174->100178 100175->100161 100177->100174 100178->100171 100182 f98e00 100179->100182 100183 f98e3b 100182->100183 100184 f98e0f 100182->100184 100186 fdb3b2 std::_Mutex::_Mutex 75 API calls 100183->100186 100190 fdae7c 67 API calls 3 library calls 100184->100190 100188 f39eac 100186->100188 100187 f98e24 100191 fe274b RaiseException 100187->100191 100188->99144 100190->100187 100191->100183 100666 f47180 100192->100666 100195 f1bb00 std::_Locinfo::_Locinfo_ctor 75 API calls 100196 f4627a 100195->100196 100197 f47180 75 API calls 100196->100197 100198 f4628d 100197->100198 100199 f1bb00 std::_Locinfo::_Locinfo_ctor 75 API calls 100198->100199 100200 f4629b 100199->100200 100201 f47180 75 API calls 100200->100201 100202 f462ae 100201->100202 100203 f1bb00 std::_Locinfo::_Locinfo_ctor 75 API calls 100202->100203 100204 f462bc 100203->100204 100205 f47180 75 API calls 100204->100205 100206 
f462cf 100205->100206 100207 f1bb00 std::_Locinfo::_Locinfo_ctor 75 API calls 100206->100207 100208 f462dd 100207->100208 100209 f47180 75 API calls 100208->100209 100210 f462f0 100209->100210 100211 f1bb00 std::_Locinfo::_Locinfo_ctor 75 API calls 100210->100211 100212 f462fe 100211->100212 100213 f47180 75 API calls 100212->100213 100214 f46311 100213->100214 100215 f1bb00 std::_Locinfo::_Locinfo_ctor 75 API calls 100214->100215 100216 f4631f 100215->100216 100217 f47180 75 API calls 100216->100217 100218 f46332 100217->100218 100219 f1bb00 std::_Locinfo::_Locinfo_ctor 75 API calls 100218->100219 100220 f46340 100219->100220 100221 f47180 75 API calls 100220->100221 100222 f46353 100221->100222 100223 f1bb00 std::_Locinfo::_Locinfo_ctor 75 API calls 100222->100223 100224 f46361 100223->100224 100225 f47180 75 API calls 100224->100225 100667 f471bc 100666->100667 100669 f471f2 100667->100669 100678 fdb28d 6 API calls _setlocale 100667->100678 100670 f1a270 std::_Locinfo::_Locinfo_ctor 75 API calls 100669->100670 100671 f4725e ctype 100669->100671 100673 f47247 100670->100673 100672 f472b7 100671->100672 100680 fdb28d 6 API calls _setlocale 100671->100680 100676 f4626c 100672->100676 100681 fdb28d 6 API calls _setlocale 100672->100681 100679 f47480 75 API calls 100673->100679 100676->100195 100678->100669 100679->100671 100680->100672 100681->100676 101040 f530d1 101099 fdc8e3 101040->101099 101043 f53111 101046 fdc8e3 __wcsicoll 79 API calls 101043->101046 101044 f530e3 101045 fdb3b2 std::_Mutex::_Mutex 75 API calls 101044->101045 101047 f530ed 101045->101047 101048 f5311c 101046->101048 101071 f524f0 _memset 101047->101071 101128 f7c3d0 67 API calls 101047->101128 101049 f53123 101048->101049 101050 f53152 101048->101050 101053 fdb3b2 std::_Mutex::_Mutex 75 API calls 101049->101053 101051 fdc8e3 __wcsicoll 79 API calls 101050->101051 101054 f5315d 101051->101054 101055 f5312d 101053->101055 101056 fdb3b2 std::_Mutex::_Mutex 75 API calls 101054->101056 
101054->101071 101055->101071 101129 f642d0 70 API calls 101055->101129 101058 f53172 101056->101058 101058->101071 101130 f882b0 67 API calls 101058->101130 101059 f52450 264 API calls 101059->101071 101061 f53619 101062 fdadff __woutput_l 5 API calls 101061->101062 101063 f5363e 101062->101063 101064 f483e0 CharNextW CharNextW 101064->101071 101065 f48430 CharNextW CharNextW 101065->101071 101066 f772c0 92 API calls 101066->101071 101067 fdecd8 78 API calls __wcstoi64 101067->101071 101068 f48330 CharNextW CharNextW 101068->101071 101069 fdc8e3 79 API calls __wcsicoll 101069->101071 101071->101059 101071->101061 101071->101064 101071->101065 101071->101066 101071->101067 101071->101068 101071->101069 101072 f55a20 67 API calls 101071->101072 101077 fdb0a2 67 API calls __woutput_l 101071->101077 101083 f51a50 264 API calls 101071->101083 101084 fdb3b2 75 API calls std::_Mutex::_Mutex 101071->101084 101087 f68230 68 API calls 101071->101087 101091 f780e0 79 API calls 101071->101091 101092 f52e50 101071->101092 101096 f695b0 101071->101096 101107 f51b60 264 API calls 3 library calls 101071->101107 101108 f48400 CharNextW CharNextW 101071->101108 101109 f482f0 CharNextW CharNextW 101071->101109 101110 f482b0 CharNextW CharNextW 101071->101110 101111 f79b30 71 API calls 101071->101111 101112 f60550 79 API calls 2 library calls 101071->101112 101113 f7ad30 68 API calls _memset 101071->101113 101114 f7b390 67 API calls 101071->101114 101115 f7c3d0 67 API calls 101071->101115 101116 f7d3e0 68 API calls 101071->101116 101117 f7ea10 71 API calls 101071->101117 101118 f5bcb0 101071->101118 101123 f80c20 68 API calls 101071->101123 101124 f81b20 67 API calls 101071->101124 101125 f826a0 71 API calls 101071->101125 101126 f6b8d0 67 API calls 101071->101126 101072->101071 101077->101071 101083->101071 101084->101071 101087->101071 101091->101071 101092->101071 101127 f83010 75 API calls 101092->101127 101097 f5bcb0 67 API calls 101096->101097 101098 f695b6 GdiplusStartup 
101097->101098 101098->101071 101100 fdc8f4 101099->101100 101101 fdc963 101099->101101 101106 f530dc 101100->101106 101131 fe0a22 67 API calls __getptd_noexit 101100->101131 101133 fdc7d2 79 API calls 3 library calls 101101->101133 101104 fdc900 101132 fdb267 6 API calls 2 library calls 101104->101132 101106->101043 101106->101044 101107->101071 101108->101071 101109->101071 101110->101071 101111->101071 101112->101071 101113->101071 101114->101071 101115->101071 101116->101071 101117->101071 101134 f4aba0 101118->101134 101120 f5bdfb 101121 f4aba0 67 API calls 101120->101121 101122 f5be21 _memset 101121->101122 101122->101071 101123->101071 101124->101071 101125->101071 101126->101071 101127->101092 101128->101071 101129->101071 101130->101071 101131->101104 101133->101106 101135 f4abaa 101134->101135 101137 f4abb0 101134->101137 101138 fdb0a2 __woutput_l 67 API calls 101135->101138 101136 f4abd0 _memset 101136->101120 101137->101136 101139 fdb0a2 __woutput_l 67 API calls 101137->101139 101138->101137 101139->101136 101140 f4adb0 101141 f4aba0 67 API calls 101140->101141 101142 f4aecf _memset 101141->101142 101145 f4b0ec GetStockObject GetObjectW CreateFontIndirectW 101142->101145 101149 f4b12b _memset 101142->101149 101143 f4b1d6 101146 fdadff __woutput_l 5 API calls 101143->101146 101144 f4b1b2 CreatePen #17 LoadLibraryW 101144->101143 101148 f4a110 72 API calls 101145->101148 101147 f4b293 101146->101147 101148->101149 101149->101143 101149->101144 101150 f5f4d0 101162 f816c0 101150->101162 101152 f5f4dd 101155 f5f503 101174 f819d0 5 API calls __woutput_l 101155->101174 101157 f5f539 101158 f5f553 101157->101158 101175 f5fa10 VariantInit SysAllocString VariantClear 101157->101175 101176 f600f0 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 101158->101176 101160 f5f55c 101163 f816f3 101162->101163 101164 f81768 CoCreateInstance 101163->101164 101165 f8170b LoadLibraryW 101163->101165 101168 f8178c 
101164->101168 101172 f5f4d9 101164->101172 101165->101164 101166 f81716 GetProcAddress 101165->101166 101167 f81739 101166->101167 101167->101164 101167->101168 101169 fdb3b2 std::_Mutex::_Mutex 75 API calls 101168->101169 101168->101172 101170 f817be 101169->101170 101170->101172 101177 f4f9e0 77 API calls __woutput_l 101170->101177 101172->101152 101173 f49e40 72 API calls _realloc 101172->101173 101173->101155 101174->101157 101175->101158 101176->101160 101177->101172 101178 f5d750 101179 f5d762 101178->101179 101180 f5d773 101179->101180 101182 f889b0 101179->101182 101183 f889c8 101182->101183 101184 f88a06 101183->101184 101186 f889db 101183->101186 101185 f88a94 101184->101185 101191 f88a1f 101184->101191 101187 f88a32 101185->101187 101198 f88ab3 101185->101198 101188 f889e3 101186->101188 101211 f5d780 82 API calls 101186->101211 101189 f88b02 101187->101189 101197 f88c63 101187->101197 101200 f88a45 101187->101200 101188->101180 101201 f88b0b 101189->101201 101203 f88c8c 101189->101203 101191->101187 101212 f88210 PtInRect 101191->101212 101193 f889fd 101193->101180 101195 f88af9 101195->101180 101197->101180 101214 f5d570 InvalidateRect UnionRect IntersectRect 101198->101214 101199 f88a8b 101199->101180 101213 f5d570 InvalidateRect UnionRect IntersectRect 101200->101213 101201->101197 101202 f88b48 GetFocus 101201->101202 101202->101197 101204 f88b5f GetCaretPos IntersectRect 101202->101204 101203->101197 101216 f59180 83 API calls 101203->101216 101204->101197 101210 f88bd3 101204->101210 101206 f88c4e 101215 f4e850 InvalidateRect UnionRect 101206->101215 101208 f88c0b IntersectRect 101208->101197 101208->101210 101209 f88c5a 101209->101180 101210->101206 101210->101208 101211->101193 101212->101187 101213->101199 101214->101195 101215->101209 101216->101197 101217 f5ff30 101218 f5ff40 101217->101218 101219 f5ff6f 101218->101219 101226 f5ffa8 101218->101226 101220 f5ff7d 101219->101220 101222 f5ff8a 101219->101222 101221 f4a110 72 API calls 
101220->101221 101224 f5ff85 101221->101224 101223 f5ff99 101222->101223 101225 fdb0a2 __woutput_l 67 API calls 101222->101225 101225->101223 101229 f5ffe3 101226->101229 101230 f81100 101226->101230 101228 f60038 101231 f81114 101230->101231 101232 f81143 101231->101232 101235 f81154 101231->101235 101243 f814a0 7 API calls 3 library calls 101232->101243 101234 f8114b 101234->101228 101236 f8119c 101235->101236 101237 f811ad 101235->101237 101242 f811cf 101235->101242 101239 f4a110 72 API calls 101236->101239 101238 f811bc 101237->101238 101240 fdb0a2 __woutput_l 67 API calls 101237->101240 101238->101228 101241 f811a4 101239->101241 101240->101238 101241->101228 101242->101228 101243->101234 101244 f6ea10 101245 fdb0a2 __woutput_l 67 API calls 101244->101245 101246 f6ea1a 101245->101246 101247 f6e9f0 101250 fdf89a 101247->101250 101251 fdf89c 101250->101251 101258 fef09c 101251->101258 101253 fdf8b4 101254 f6e9ff 101253->101254 101271 fe0a22 67 API calls __getptd_noexit 101253->101271 101256 fdf8c7 101256->101254 101272 fe0a22 67 API calls __getptd_noexit 101256->101272 101259 fef0a8 _setlocale 101258->101259 101260 fef0c0 101259->101260 101270 fef0df _memset 101259->101270 101273 fe0a22 67 API calls __getptd_noexit 101260->101273 101262 fef0c5 101274 fdb267 6 API calls 2 library calls 101262->101274 101264 fef151 RtlAllocateHeap 101264->101270 101265 fe4942 __lock 66 API calls 101265->101270 101266 fef0d5 _setlocale 101266->101253 101270->101264 101270->101265 101270->101266 101275 fe5154 5 API calls 2 library calls 101270->101275 101276 fef198 LeaveCriticalSection _doexit 101270->101276 101277 fe5d87 6 API calls __decode_pointer 101270->101277 101271->101256 101272->101254 101273->101262 101275->101270 101276->101270 101277->101270 101278 f74190 101279 f741d2 101278->101279 101290 f7427e 101278->101290 101281 f4a110 72 API calls 101279->101281 101279->101290 101280 fdadff __woutput_l 5 API calls 101282 f74291 101280->101282 101283 f741f7 101281->101283 101291 
f51500 101283->101291 101288 f74278 101289 fdb0a2 __woutput_l 67 API calls 101288->101289 101289->101290 101290->101280 101295 f51510 _wcschr 101291->101295 101292 f51605 SetBkMode SetTextColor 101300 f503b0 101292->101300 101293 fdcd92 91 API calls __hextodec 101293->101295 101295->101292 101295->101293 101299 fdb0a2 __woutput_l 67 API calls 101295->101299 101306 fdf452 78 API calls __wcstoi64 101295->101306 101307 f51480 5 API calls 2 library calls 101295->101307 101308 f4a320 72 API calls 101295->101308 101309 f4a3c0 72 API calls __woutput_l 101295->101309 101299->101295 101305 f503c5 __itow 101300->101305 101302 f50426 101303 fdadff __woutput_l 5 API calls 101302->101303 101304 f50434 SelectObject DrawTextW SelectObject 101303->101304 101304->101288 101304->101290 101305->101302 101310 f4fe00 6 API calls 101305->101310 101306->101295 101307->101295 101308->101295 101309->101295 101310->101302 101311 f80e90 101316 f5d220 101311->101316 101314 f80ed6 101315 f80ebe ShowWindow 101315->101314 101317 f5d232 101316->101317 101319 f5d24a 101316->101319 101317->101319 101320 f4ef30 GetFocus 101317->101320 101319->101314 101319->101315 101321 f4ef49 101320->101321 101322 f4ef6b 101320->101322 101321->101322 101325 f4ef64 SetFocus 101321->101325 101323 f4f086 101322->101323 101324 f4ef83 GetTickCount 101322->101324 101329 f4efea 101322->101329 101323->101319 101326 f4efc8 101324->101326 101325->101322 101333 f4f9e0 77 API calls __woutput_l 101326->101333 101328 f4efe0 101328->101329 101329->101323 101330 f4f023 GetTickCount 101329->101330 101331 f4f06e 101330->101331 101334 f4f9e0 77 API calls __woutput_l 101331->101334 101333->101328 101334->101323 101335 fe4796 HeapCreate 101336 fe47ba 101335->101336 101337 f973b0 CreateMutexW 101340 f98a20 101337->101340 101341 f1f0f0 75 API calls 101340->101341 101342 f98a4f 101341->101342 101345 f98bd0 75 API calls 101342->101345 101344 f97406 101345->101344 101346 f91789 101356 f91290 101346->101356 101347 f912ea 101361 f912f5 
101347->101361 101362 f90140 101347->101362 101348 fdadff __woutput_l 5 API calls 101349 f91aca 101348->101349 101351 f918b6 101353 fdb0a2 __woutput_l 67 API calls 101351->101353 101351->101361 101352 fde862 _realloc 72 API calls 101352->101356 101354 f918cd 101353->101354 101376 f90d50 67 API calls 3 library calls 101354->101376 101356->101347 101356->101352 101356->101361 101357 f91919 101358 f91983 101357->101358 101357->101361 101377 f910a0 101357->101377 101360 fdb0a2 __woutput_l 67 API calls 101358->101360 101358->101361 101360->101361 101361->101348 101363 fde798 _malloc 67 API calls 101362->101363 101364 f9016a 101363->101364 101365 f901db 101364->101365 101383 f90010 72 API calls 101364->101383 101367 fdadff __woutput_l 5 API calls 101365->101367 101369 f901f0 101367->101369 101368 f901a2 101370 f901a9 101368->101370 101371 f901d1 101368->101371 101369->101351 101370->101365 101372 f901b1 101370->101372 101373 fdb0a2 __woutput_l 67 API calls 101371->101373 101374 fdadff __woutput_l 5 API calls 101372->101374 101373->101365 101375 f901ca 101374->101375 101375->101351 101376->101357 101378 fde798 _malloc 67 API calls 101377->101378 101380 f910c1 101378->101380 101379 f910c8 101379->101358 101380->101379 101380->101380 101381 fdb0a2 __woutput_l 67 API calls 101380->101381 101382 f91145 101381->101382 101382->101358 101383->101368 101384 f47880 101385 f478b1 101384->101385 101386 f478fd 101384->101386 101387 f1bb00 std::_Locinfo::_Locinfo_ctor 75 API calls 101385->101387 101394 f47e60 101386->101394 101389 f478d4 101387->101389 101399 f12dd0 75 API calls 2 library calls 101389->101399 101391 f478e6 101400 fe274b RaiseException 101391->101400 101393 f4790c 101395 f481b0 75 API calls 101394->101395 101396 f47e97 101395->101396 101397 f47ee1 101396->101397 101398 f1a270 std::_Locinfo::_Locinfo_ctor 75 API calls 101396->101398 101397->101393 101398->101397 101399->101391 101400->101386 101401 f75aa2 101503 f506e0 101401->101503 101403 f75abb 101405 f75b3a 
101403->101405 101499 f74830 _setlocale 101403->101499 101521 f50100 84 API calls 5 library calls 101403->101521 101404 f7591b CharNextW 101404->101499 101522 f507c0 9 API calls 101405->101522 101408 f7590c CharNextW 101408->101404 101408->101499 101409 f75b49 101523 f49e40 72 API calls _realloc 101409->101523 101411 f75b55 SelectObject 101411->101499 101412 f76a56 101413 f76ab6 DeleteObject DeleteObject SelectObject 101412->101413 101414 f76aa3 SelectClipRgn 101412->101414 101415 f76af4 101413->101415 101416 f76aee 101413->101416 101414->101413 101418 f76b08 101415->101418 101420 fdb0a2 __woutput_l 67 API calls 101415->101420 101417 fdb0a2 __woutput_l 67 API calls 101416->101417 101417->101415 101419 f76b1c 101418->101419 101421 fdb0a2 __woutput_l 67 API calls 101418->101421 101422 f76b30 101419->101422 101424 fdb0a2 __woutput_l 67 API calls 101419->101424 101420->101418 101421->101419 101426 f76b4b 101422->101426 101428 fdb0a2 __woutput_l 67 API calls 101422->101428 101423 f76360 GetTextExtentPoint32W 101423->101499 101424->101422 101425 f766b6 SetRect 101427 f4a110 72 API calls 101425->101427 101429 f76b66 101426->101429 101432 fdb0a2 __woutput_l 67 API calls 101426->101432 101427->101499 101428->101426 101430 f76b7a 101429->101430 101433 fdb0a2 __woutput_l 67 API calls 101429->101433 101434 f76b8b 101430->101434 101437 fdb0a2 __woutput_l 67 API calls 101430->101437 101431 f49df0 67 API calls 101431->101499 101432->101429 101433->101430 101438 f76b9f 101434->101438 101441 fdb0a2 __woutput_l 67 API calls 101434->101441 101435 f75fb4 CharNextW 101435->101499 101436 f7659d TextOutW 101436->101499 101437->101434 101442 f76bb0 101438->101442 101450 fdb0a2 __woutput_l 67 API calls 101438->101450 101439 f75fee GetTextExtentPoint32W 101439->101499 101440 f761e8 GetTextExtentPoint32W 101440->101499 101441->101438 101452 fdadff __woutput_l 5 API calls 101442->101452 101443 f75cab SetTextColor 101443->101499 101444 f763d4 CharNextW 101455 f76407 GetTextExtentPoint32W 
101444->101455 101444->101499 101445 f75fa3 CharNextW 101445->101435 101445->101499 101446 f74cdc CharNextW 101446->101499 101447 f760fc GetTextExtentPoint32W 101447->101499 101448 f75df2 SetRect 101448->101499 101449 f506e0 14 API calls 101449->101499 101450->101442 101451 f748fe CharNextW 101451->101499 101460 f76bd4 101452->101460 101453 f74c5a CharNextW 101453->101499 101454 fdecd8 78 API calls __wcstoi64 101454->101499 101455->101499 101456 f75dce SetBkMode 101456->101499 101457 f75dbc SetBkMode 101457->101499 101458 f75e72 SetTextColor 101458->101499 101459 f76550 TextOutW 101459->101499 101463 f75f2b SelectObject 101463->101499 101464 f765e1 TextOutW 101464->101499 101465 f76288 TextOutW 101465->101499 101466 f749ce SetTextColor 101472 f506e0 14 API calls 101466->101472 101468 f76097 TextOutW 101468->101499 101469 f75f02 GetCharABCWidthsW 101469->101463 101470 f7661e TextOutW 101470->101499 101471 f76629 TextOutW 101471->101499 101472->101499 101473 f74c95 SetTextColor 101473->101499 101474 f761a5 TextOutW 101474->101499 101476 f769d5 SetTextColor 101476->101499 101477 f76467 CharNextW 101477->101499 101479 f74e16 CharNextW 101479->101499 101480 f74d1c SelectObject 101480->101499 101481 f74da6 CharNextW 101481->101499 101482 f764ce CharPrevW 101485 f764e1 CharPrevW 101482->101485 101482->101499 101483 f74953 CharNextW 101483->101499 101484 f506e0 14 API calls 101487 f76a22 SelectObject 101484->101487 101485->101499 101490 f76a3d SetBkMode 101487->101490 101487->101499 101488 f74bd1 SelectObject 101488->101499 101490->101499 101491 f49fd0 72 API calls 101491->101499 101492 f74e66 CharNextW 101492->101499 101494 f50100 84 API calls 101494->101499 101495 f507c0 9 API calls 101495->101499 101496 f74e8c CharNextW 101496->101499 101498 f74aa4 SelectObject 101498->101499 101499->101404 101499->101408 101499->101412 101499->101423 101499->101425 101499->101431 101499->101435 101499->101436 101499->101439 101499->101440 101499->101443 101499->101444 101499->101445 
101499->101446 101499->101447 101499->101448 101499->101449 101499->101451 101499->101453 101499->101454 101499->101456 101499->101457 101499->101458 101499->101459 101499->101463 101499->101464 101499->101465 101499->101468 101499->101469 101499->101470 101499->101471 101499->101474 101499->101476 101499->101477 101499->101479 101499->101481 101499->101482 101499->101483 101499->101484 101499->101487 101499->101491 101499->101492 101499->101494 101499->101495 101499->101496 101502 fdb0a2 67 API calls __woutput_l 101499->101502 101511 f4a1c0 67 API calls __woutput_l 101499->101511 101512 f4a220 72 API calls 101499->101512 101513 f49e40 72 API calls _realloc 101499->101513 101514 f49e40 72 API calls _realloc 101499->101514 101515 f49e40 72 API calls _realloc 101499->101515 101516 f49e40 72 API calls _realloc 101499->101516 101517 f49e40 72 API calls _realloc 101499->101517 101518 fdcd92 91 API calls __isdigit_l 101499->101518 101519 fdf27a 78 API calls 2 library calls 101499->101519 101520 f49e40 72 API calls _realloc 101499->101520 101501 f74fd7 SelectObject 101501->101499 101502->101499 101506 f50722 __itow 101503->101506 101504 f5079d 101507 fdadff __woutput_l 5 API calls 101504->101507 101505 f50769 SelectObject GetTextMetricsW SelectObject 101505->101504 101510 f50758 101506->101510 101524 f4fe00 6 API calls 101506->101524 101508 f507ad 101507->101508 101508->101403 101510->101504 101510->101505 101511->101499 101512->101499 101513->101466 101514->101498 101515->101488 101516->101473 101517->101480 101518->101499 101519->101499 101520->101501 101521->101405 101522->101409 101523->101411 101524->101510 101525 f541c0 101526 f541e7 101525->101526 101527 f54407 101526->101527 101532 f4be70 101526->101532 101530 f543f6 CallWindowProcW 101530->101527 101531 f543ea 101533 f4bed0 101532->101533 101626 f4bf61 101532->101626 101534 f4bf1e 101533->101534 101538 f4bf73 101533->101538 101535 f4c00c 101534->101535 101543 f4bf4c IsIconic 101534->101543 101534->101626 101539 
f4c01a 101535->101539 101549 f4c03d 101535->101549 101536 fdadff __woutput_l 5 API calls 101537 f4e69f 101536->101537 101537->101530 101537->101531 101548 f4bfbb ScreenToClient 101538->101548 101538->101626 101542 f4c022 SendMessageW 101539->101542 101539->101626 101540 f4da51 101544 f4da5d 101540->101544 101545 f4dfaa 101540->101545 101541 f4d5af 101546 f4d5b5 101541->101546 101547 f4d72a 101541->101547 101542->101626 101543->101549 101543->101626 101550 f4da63 101544->101550 101551 f4de6b 101544->101551 101554 f4dfb6 101545->101554 101605 f4e552 ctype _setlocale 101545->101605 101552 f4d5f2 101546->101552 101553 f4d5bf 101546->101553 101559 f4d772 101547->101559 101560 f4d77e SendMessageW 101547->101560 101593 f4d7a8 101547->101593 101547->101626 101548->101626 101549->101540 101549->101541 101549->101626 101562 f4dd65 101550->101562 101563 f4dc90 101550->101563 101564 f4da79 101550->101564 101565 f4db9b 101550->101565 101550->101626 101555 f4de78 ScreenToClient 101551->101555 101551->101626 101558 f4d600 IsRectEmpty 101552->101558 101575 f4d641 101552->101575 101557 f4d5d5 SendMessageW 101553->101557 101553->101626 101556 f4e462 101554->101556 101566 f4dfc8 101554->101566 101594 f4e131 101554->101594 101586 f4deb8 101555->101586 101561 f4e46f GetClientRect SaveDC 101556->101561 101556->101626 101557->101626 101568 f4d611 IsIconic 101558->101568 101558->101575 101572 f4d792 _TrackMouseEvent 101559->101572 101560->101572 101576 f4e4aa 101561->101576 101571 f4dd6e SetFocus 101562->101571 101592 f4dd7f 101562->101592 101569 f4dcb4 101563->101569 101563->101626 101570 f4da82 SetFocus 101564->101570 101600 f4da93 101564->101600 101567 f4dba4 SetFocus 101565->101567 101587 f4dbb5 101565->101587 101584 f4dfed SendMessageW 101566->101584 101585 f4dffe 101566->101585 101566->101626 101567->101587 101574 f4d62a 101568->101574 101568->101626 101654 f4f470 ReleaseCapture 101569->101654 101570->101600 101571->101592 101572->101593 101573 f4e632 101590 fdb0a2 __woutput_l 67 
API calls 101573->101590 101573->101626 101580 f4be70 104 API calls 101574->101580 101588 f4d681 GetTickCount 101575->101588 101575->101626 101581 f4e4b5 GetWindow 101576->101581 101582 f4e541 RestoreDC 101576->101582 101578 f4d7ff GetTickCount 101649 f4ab50 GetKeyState GetKeyState GetKeyState GetKeyState GetKeyState 101578->101649 101580->101626 101581->101582 101589 f4e4ca 101581->101589 101582->101626 101583 f4dcba GetTickCount 101606 f4d6f4 101583->101606 101584->101585 101591 f4e00b GetCursorPos GetWindowRect IsIconic 101585->101591 101585->101626 101597 f4ded3 101586->101597 101586->101626 101609 f4dbf6 101587->101609 101587->101626 101648 f4ab50 GetKeyState GetKeyState GetKeyState GetKeyState GetKeyState 101588->101648 101598 f4e4d5 GetWindowRect MapWindowPoints SetWindowOrgEx SendMessageW GetWindow 101589->101598 101590->101626 101601 f4e114 SendMessageW 101591->101601 101602 f4e068 GetActiveWindow 101591->101602 101612 f4ddbe GetTickCount 101592->101612 101592->101626 101593->101578 101593->101626 101595 f4e214 101594->101595 101596 f4e175 GetTickCount 101594->101596 101594->101626 101613 f4e240 101595->101613 101614 f4e25b 101595->101614 101656 f4ab50 GetKeyState GetKeyState GetKeyState GetKeyState GetKeyState 101596->101656 101655 f4ab50 GetKeyState GetKeyState GetKeyState GetKeyState GetKeyState 101597->101655 101598->101582 101598->101598 101619 f4dae1 101600->101619 101600->101626 101601->101626 101602->101601 101607 f4e07a PtInRect 101602->101607 101605->101573 101616 fdb0a2 67 API calls __woutput_l 101605->101616 101605->101626 101606->101626 101607->101601 101611 f4e096 SendMessageW 101607->101611 101608 f4e1f4 101608->101595 101653 f4f450 SetCapture 101609->101653 101610 f4df54 GetTickCount 101621 f4df7d SendMessageW 101610->101621 101617 f4e0f7 SendMessageW 101611->101617 101618 f4e0ba ScreenToClient SendMessageW 101611->101618 101612->101606 101624 fdb0a2 __woutput_l 67 API calls 101613->101624 101613->101626 101622 f51500 97 API calls 
101614->101622 101616->101605 101617->101626 101618->101626 101652 f4f450 SetCapture 101619->101652 101620 f4dbfd GetTickCount 101620->101606 101621->101626 101632 f4e267 _memset 101622->101632 101624->101626 101625 f4d872 101625->101606 101625->101626 101650 f49d00 67 API calls _malloc 101625->101650 101626->101536 101629 f4d8e9 101651 f49df0 67 API calls 3 library calls 101629->101651 101630 f4dafc GetTickCount 101630->101606 101633 f4e387 101632->101633 101634 f4e2ee CreateWindowExW SendMessageW 101632->101634 101635 f4e391 101633->101635 101637 f4e3a2 101633->101637 101638 f4e3ef SendMessageW 101633->101638 101636 f4e348 SendMessageW SendMessageW SendMessageW 101634->101636 101639 f4e432 SendMessageW 101635->101639 101636->101633 101645 f4e3e1 101637->101645 101647 f4e3c0 SendMessageW 101637->101647 101642 f4e410 SendMessageW SendMessageW 101638->101642 101639->101556 101641 f4d900 _setlocale 101643 f4d98f 101641->101643 101644 f4d97a SendMessageW 101641->101644 101642->101639 101643->101606 101646 fdb0a2 __woutput_l 67 API calls 101643->101646 101644->101643 101645->101642 101646->101606 101647->101645 101648->101606 101649->101625 101650->101629 101651->101641 101652->101630 101653->101620 101654->101583 101655->101610 101656->101608 101657 f509c0 101658 f509d4 101657->101658 101659 f50b1c 101657->101659 101658->101659 101661 f50a09 101658->101661 101762 fdcd92 91 API calls __isdigit_l 101658->101762 101681 f71690 101661->101681 101662 f509ed 101662->101661 101763 fdecd8 78 API calls wcstoxl 101662->101763 101667 f50a4e _setlocale 101668 f50ad9 101667->101668 101670 f50ab4 101667->101670 101669 f50ad3 101668->101669 101767 f71e20 68 API calls 2 library calls 101668->101767 101769 f4a8f0 75 API calls 2 library calls 101669->101769 101670->101669 101765 f71e20 68 API calls 2 library calls 101670->101765 101673 f50aee 101768 f4aa40 67 API calls 101673->101768 101675 f50acb 101766 f4aa40 67 API calls 101675->101766 101677 f50b06 101679 f50b11 101677->101679 
101770 f71e20 68 API calls 2 library calls 101677->101770 101682 f716db 101681->101682 101685 f71984 101681->101685 101683 f4a110 72 API calls 101682->101683 101684 f716fc 101683->101684 101686 f71803 101684->101686 101687 f71711 101684->101687 101699 f71a2f FindResourceW 101685->101699 101700 f719bf 101685->101700 101771 f49fd0 101686->101771 101688 f71725 CreateFileW 101687->101688 101689 f7171c 101687->101689 101692 f7176d GetFileSize 101688->101692 101693 f71748 101688->101693 101691 f49fd0 72 API calls 101689->101691 101691->101688 101696 f717a1 101692->101696 101697 f7177c 101692->101697 101695 f71a96 CreateFileW 101693->101695 101702 fdb0a2 __woutput_l 67 API calls 101693->101702 101694 f7180e 101698 f71817 101694->101698 101821 f70730 101694->101821 101703 f71b14 101695->101703 101704 f71abd GetFileSize 101695->101704 101709 f717af ReadFile CloseHandle 101696->101709 101697->101695 101711 fdb0a2 __woutput_l 67 API calls 101697->101711 101707 f71836 101698->101707 101708 f7185b 101698->101708 101699->101695 101706 f71a3c 101699->101706 101722 f71b39 _memset 101700->101722 101832 f8a560 72 API calls __woutput_l 101700->101832 101739 f71765 101702->101739 101716 fdadff __woutput_l 5 API calls 101703->101716 101704->101703 101710 f71acc 101704->101710 101712 f71a42 LoadResource 101706->101712 101707->101695 101713 f7184d 101707->101713 101782 f707a0 101708->101782 101714 f717d5 101709->101714 101761 f7195c 101709->101761 101717 f71ada ReadFile CloseHandle 101710->101717 101711->101739 101718 f71a50 FreeResource 101712->101718 101719 f71a58 101712->101719 101720 fdb0a2 __woutput_l 67 API calls 101713->101720 101714->101695 101735 fdb0a2 __woutput_l 67 API calls 101714->101735 101723 f50a2c 101716->101723 101724 f71b0c 101717->101724 101729 f71afc 101717->101729 101718->101695 101730 f71a5d SizeofResource 101719->101730 101720->101739 101721 f71874 101725 f718a0 101721->101725 101726 f7187b 101721->101726 101722->101703 101728 f71b63 CreateDIBSection 
101722->101728 101723->101659 101723->101667 101764 f4a1e0 72 API calls __woutput_l 101723->101764 101724->101700 101724->101703 101733 f718ab 101725->101733 101740 f718d0 101725->101740 101726->101695 101731 f71892 101726->101731 101727 fdb0a2 __woutput_l 67 API calls 101732 f7197c 101727->101732 101728->101703 101742 f71bc9 101728->101742 101729->101703 101730->101695 101734 f71a6a 101730->101734 101736 fdb0a2 __woutput_l 67 API calls 101731->101736 101732->101695 101732->101700 101733->101695 101737 f718c2 101733->101737 101741 f71a70 LockResource 101734->101741 101735->101739 101736->101739 101738 fdb0a2 __woutput_l 67 API calls 101737->101738 101738->101739 101739->101695 101751 f718e1 101740->101751 101797 f70640 101740->101797 101831 fe02e0 101741->101831 101750 f71c44 101742->101750 101752 f71c37 101742->101752 101753 f71c30 CharNextW 101742->101753 101745 fdb0a2 __woutput_l 67 API calls 101748 f71d99 101745->101748 101746 f718fd 101749 f7194d 101746->101749 101746->101751 101747 f71a84 FreeResource 101747->101732 101756 fdb3b2 std::_Mutex::_Mutex 75 API calls 101748->101756 101749->101761 101830 f70930 68 API calls ctype 101749->101830 101750->101745 101750->101748 101754 f71928 101751->101754 101829 f70930 68 API calls ctype 101751->101829 101833 fded03 78 API calls wcstoxl 101752->101833 101753->101752 101754->101695 101755 f71925 101754->101755 101755->101754 101760 fdb0a2 __woutput_l 67 API calls 101755->101760 101756->101703 101760->101739 101761->101727 101761->101732 101762->101662 101763->101661 101764->101667 101765->101675 101766->101669 101767->101673 101768->101669 101769->101677 101770->101679 101772 f49fe1 101771->101772 101773 f4a0b7 101772->101773 101774 f4a011 101772->101774 101778 fdb0a2 __woutput_l 67 API calls 101773->101778 101780 f4a022 101773->101780 101775 f4a06e 101774->101775 101776 f4a018 101774->101776 101777 fde862 _realloc 72 API calls 101775->101777 101779 fde798 _malloc 67 API calls 101776->101779 101781 f4a079 
101777->101781 101778->101780 101779->101780 101780->101694 101780->101780 101781->101694 101781->101781 101783 f707e9 101782->101783 101784 f707c8 101782->101784 101786 f7080f 101783->101786 101787 f707ee 101783->101787 101785 fdadff __woutput_l 5 API calls 101784->101785 101788 f707e2 101785->101788 101834 f705b0 101786->101834 101789 fdadff __woutput_l 5 API calls 101787->101789 101788->101721 101791 f70808 101789->101791 101791->101721 101792 f7081e _memset 101793 f708d5 101792->101793 101795 f708b6 MultiByteToWideChar 101792->101795 101794 fdadff __woutput_l 5 API calls 101793->101794 101796 f708e5 101794->101796 101795->101793 101796->101721 101798 f70669 101797->101798 101819 f706c5 101797->101819 101799 f70675 101798->101799 101801 f70010 67 API calls 101798->101801 101802 f70683 101799->101802 101808 f7069d 101799->101808 101801->101799 101804 fdadff __woutput_l 5 API calls 101802->101804 101810 f70697 101804->101810 101805 f706e1 101811 fdadff __woutput_l 5 API calls 101805->101811 101806 f706fb 101812 f70010 67 API calls 101806->101812 101807 f706a7 101809 f706be 101807->101809 101999 f6f910 ReadFile SetFilePointer 101807->101999 101808->101807 101998 f6f8d0 ReadFile SetFilePointer 101808->101998 101978 f6fd60 101809->101978 101810->101746 101816 f706f5 101811->101816 101814 f70702 101812->101814 101817 fdadff __woutput_l 5 API calls 101814->101817 101816->101746 101820 f70723 101817->101820 101993 f6fe70 101819->101993 101820->101746 101822 fdb3b2 std::_Mutex::_Mutex 75 API calls 101821->101822 101823 f7073c 101822->101823 102000 f70100 101823->102000 101825 f7076f 101826 f70778 ctype 101825->101826 101827 fdb3b2 std::_Mutex::_Mutex 75 API calls 101825->101827 101826->101698 101828 f7078d 101827->101828 101828->101698 101829->101755 101830->101761 101831->101747 101832->101722 101833->101750 101842 f6f970 8 API calls 2 library calls 101834->101842 101836 f705c5 101837 f705cc _memset 101836->101837 101839 f70610 101836->101839 101871 f70010 
101836->101871 101837->101792 101840 f7062f 101839->101840 101843 f701b0 101839->101843 101840->101792 101842->101836 101844 f701ea 101843->101844 101864 f7020f ctype 101843->101864 101847 f70010 67 API calls 101844->101847 101848 f70200 101844->101848 101844->101864 101845 fdadff __woutput_l 5 API calls 101846 f7059e 101845->101846 101846->101840 101847->101848 101849 f70282 101848->101849 101848->101864 101943 f6f8d0 ReadFile SetFilePointer 101848->101943 101851 f702a5 101849->101851 101944 f6f910 ReadFile SetFilePointer 101849->101944 101879 f6f650 101851->101879 101854 f702c0 101918 f6fb80 101854->101918 101856 f702d9 101857 f70311 101856->101857 101858 f702f9 SetFilePointer 101856->101858 101856->101864 101859 fdb3b2 std::_Mutex::_Mutex 75 API calls 101857->101859 101858->101857 101860 f70322 101859->101860 101945 f6f040 101860->101945 101862 f70337 101863 f7040c DosDateTimeToFileTime 101862->101863 101862->101864 101863->101864 101865 f70473 101863->101865 101864->101845 101865->101864 101866 f70503 101865->101866 101949 f70090 68 API calls __localtime64 101865->101949 101868 f70528 101866->101868 101950 f70090 68 API calls __localtime64 101866->101950 101868->101864 101951 f70090 68 API calls __localtime64 101868->101951 101872 f70017 101871->101872 101874 f7001c 101871->101874 101872->101839 101873 f70024 101873->101839 101874->101873 101875 f70048 101874->101875 101876 fdb0a2 __woutput_l 67 API calls 101874->101876 101877 fdb0a2 __woutput_l 67 API calls 101875->101877 101876->101875 101878 f70072 101877->101878 101878->101839 101880 f6f665 101879->101880 101881 f6f670 101879->101881 101880->101854 101882 f6f697 101881->101882 101883 f6f681 SetFilePointer 101881->101883 101884 f6f6a6 101881->101884 101952 f6f150 ReadFile 101882->101952 101883->101882 101953 f6f0b0 ReadFile 101884->101953 101887 f6f6cd 101954 f6f0b0 ReadFile 101887->101954 101889 f6f6e3 101955 f6f0b0 ReadFile 101889->101955 101891 f6f6f9 101956 f6f0b0 ReadFile 101891->101956 101893 f6f70f 
101957 f6f150 ReadFile 101893->101957 101895 f6f725 101958 f6f150 ReadFile 101895->101958 101897 f6f78a 101959 f6f150 ReadFile 101897->101959 101899 f6f7a0 101960 f6f150 ReadFile 101899->101960 101901 f6f7b6 101961 f6f0b0 ReadFile 101901->101961 101903 f6f7cc 101962 f6f0b0 ReadFile 101903->101962 101905 f6f7e2 101963 f6f0b0 ReadFile 101905->101963 101907 f6f7f8 101964 f6f0b0 ReadFile 101907->101964 101909 f6f80e 101965 f6f0b0 ReadFile 101909->101965 101911 f6f824 101966 f6f150 ReadFile 101911->101966 101913 f6f83a 101967 f6f150 ReadFile 101913->101967 101915 f6f857 101915->101854 101916 f6f850 101916->101915 101917 f6f040 ReadFile 101916->101917 101917->101915 101919 f6fbbd 101918->101919 101920 f6fba5 101918->101920 101968 f6f150 ReadFile 101919->101968 101921 f6fbda 101920->101921 101922 f6fbab SetFilePointer 101920->101922 101921->101856 101922->101919 101924 f6fbc9 101969 f6f0b0 ReadFile 101924->101969 101926 f6fbfc 101970 f6f0b0 ReadFile 101926->101970 101928 f6fc12 101971 f6f0b0 ReadFile 101928->101971 101931 f6fc28 101972 f6f150 ReadFile 101931->101972 101932 f6fc5b 101973 f6f150 ReadFile 101932->101973 101934 f6fc72 101974 f6f150 ReadFile 101934->101974 101936 f6fca5 101975 f6f150 ReadFile 101936->101975 101938 f6fcd4 101976 f6f0b0 ReadFile 101938->101976 101940 f6fd03 101977 f6f0b0 ReadFile 101940->101977 101942 f6fd30 101942->101856 101943->101849 101944->101849 101946 f6f052 ReadFile 101945->101946 101948 f6f078 _setlocale 101945->101948 101947 f6f069 101946->101947 101947->101862 101948->101862 101949->101866 101950->101868 101951->101864 101952->101884 101953->101887 101954->101889 101955->101891 101956->101893 101957->101895 101958->101897 101959->101899 101960->101901 101961->101903 101962->101905 101963->101907 101964->101909 101965->101911 101966->101913 101967->101916 101968->101924 101969->101926 101970->101928 101971->101931 101972->101932 101973->101934 101974->101936 101975->101938 101976->101940 101977->101942 101979 f6fd6d 101978->101979 
101980 f6fd78 101978->101980 101979->101819 101980->101979 101981 f6fd87 101980->101981 101982 f70010 67 API calls 101980->101982 101983 f6fb80 2 API calls 101981->101983 101982->101981 101984 f6fd9b 101983->101984 101985 f6fda2 101984->101985 101986 fde798 _malloc 67 API calls 101984->101986 101985->101819 101987 f6fdb5 101986->101987 101988 fde798 _malloc 67 API calls 101987->101988 101991 f6fde8 101987->101991 101989 f6fdc8 101988->101989 101990 fdb0a2 __woutput_l 67 API calls 101989->101990 101992 f6fdf7 101989->101992 101990->101991 101991->101819 101992->101819 101994 f6fe98 101993->101994 101995 f6fe8b 101993->101995 101994->101995 101996 f6ff14 SetFilePointer 101994->101996 101997 f6f040 ReadFile 101994->101997 101995->101805 101995->101806 101996->101994 101997->101994 101998->101807 101999->101807 102001 f70196 102000->102001 102002 f70115 102000->102002 102001->101825 102002->102001 102003 f7011b GetCurrentDirectoryW 102002->102003 102004 f70130 102003->102004 102004->102004 102005 f7015f 102004->102005 102006 f70148 GetFileType 102004->102006 102013 f6ef00 102005->102013 102006->102005 102008 f70153 102006->102008 102008->101825 102009 f70171 102010 f70178 102009->102010 102028 f6f420 102009->102028 102010->101825 102012 f70188 102012->101825 102014 f6ef0b 102013->102014 102015 f6ef73 GetCurrentProcess GetCurrentProcess DuplicateHandle 102014->102015 102016 f6ef3f 102014->102016 102017 f6ef15 102014->102017 102020 f6efa4 102015->102020 102021 f6ef95 102015->102021 102018 f6ef44 CreateFileW 102016->102018 102019 f6efb5 102016->102019 102017->102009 102022 f6efa8 GetFileType 102018->102022 102024 f6ef66 102018->102024 102023 fdb3b2 std::_Mutex::_Mutex 75 API calls 102019->102023 102020->102022 102021->102009 102022->102019 102025 f6efbc 102023->102025 102024->102009 102026 f6efcb 102025->102026 102027 f6f011 SetFilePointer 102025->102027 102026->102009 102027->102026 102029 f6f44f 102028->102029 102030 f6f43a 102028->102030 102059 f6f2a0 102029->102059 
102030->102012 102032 f6f456 102033 f6f480 102032->102033 102034 f6f46a SetFilePointer 102032->102034 102074 f6f150 ReadFile 102033->102074 102034->102033 102036 f6f494 102075 f6f0b0 ReadFile 102036->102075 102038 f6f4aa 102076 f6f0b0 ReadFile 102038->102076 102040 f6f4c0 102077 f6f0b0 ReadFile 102040->102077 102042 f6f4d6 102078 f6f0b0 ReadFile 102042->102078 102044 f6f4ec 102079 f6f150 ReadFile 102044->102079 102046 f6f51f 102080 f6f150 ReadFile 102046->102080 102048 f6f535 102081 f6f0b0 ReadFile 102048->102081 102050 f6f54b 102051 f6f569 102050->102051 102052 f6f5a3 102050->102052 102053 f6f57d CloseHandle 102051->102053 102056 f6f587 ctype 102051->102056 102054 fde798 _malloc 67 API calls 102052->102054 102053->102056 102055 f6f5d3 102054->102055 102082 f6f8d0 ReadFile SetFilePointer 102055->102082 102056->102012 102058 f6f5ec 102058->102012 102060 f6f2ab 102059->102060 102061 f6f2c1 102059->102061 102062 f6f2f0 102060->102062 102063 f6f2b1 SetFilePointer 102060->102063 102064 f6f2f7 102061->102064 102065 f6f2cd SetFilePointer 102061->102065 102062->102032 102063->102061 102066 fde798 _malloc 67 API calls 102064->102066 102065->102064 102071 f6f32d 102066->102071 102067 f6f336 102067->102032 102068 f6f40a 102069 fdb0a2 __woutput_l 67 API calls 102068->102069 102070 f6f410 102069->102070 102070->102032 102071->102067 102071->102068 102072 f6f3a0 SetFilePointer 102071->102072 102073 f6f040 ReadFile 102071->102073 102072->102071 102073->102071 102074->102036 102075->102038 102076->102040 102077->102042 102078->102044 102079->102046 102080->102048 102081->102050 102082->102058 102083 f87aa0 102089 f6b250 102083->102089 102085 f87b69 LoadLibraryW 102087 f87b7c GetProcAddress 102085->102087 102088 f87b8c 102085->102088 102086 f87ac8 _memset 102086->102085 102086->102088 102087->102088 102090 f6b269 _memset 102089->102090 102091 f503b0 11 API calls 102090->102091 102092 f6b284 GetObjectW 102091->102092 102093 f6b2c5 GetDeviceCaps 102092->102093 102094 f6b306 
102093->102094 102095 fdadff __woutput_l 5 API calls 102094->102095 102096 f6b35c 102095->102096 102096->102086 102097 f80300 102100 f80160 102097->102100 102098 f8031c 102101 f80184 102100->102101 102102 f80176 102100->102102 102101->102102 102103 f8018e OleLockRunning 102101->102103 102102->102098 102108 f801a7 102103->102108 102104 f80203 102107 f80216 102104->102107 102112 f805e0 102104->102112 102106 f8028c 102106->102098 102107->102106 102110 f80269 OffsetRect 102107->102110 102111 f8027a KiUserCallbackDispatcher 102107->102111 102108->102104 102119 f49e40 72 API calls _realloc 102108->102119 102110->102111 102111->102106 102113 f805ea 102112->102113 102118 f80654 102112->102118 102114 fdb3b2 std::_Mutex::_Mutex 75 API calls 102113->102114 102116 f805f1 102114->102116 102115 f8061e 102115->102107 102116->102115 102117 f49580 8 API calls 102116->102117 102117->102118 102118->102107 102119->102104 102120 f90320 102121 fde798 _malloc 67 API calls 102120->102121 102122 f9034a _setlocale 102121->102122 102122->102122 102123 fe7b20 102124 fe7b2e __IsNonwritableInCurrentImage 102123->102124 102129 ff1eac 102124->102129 102126 fe7b4c __initterm_e 102127 fdb779 _AtModuleExit 74 API calls 102126->102127 102128 fe7b6b __IsNonwritableInCurrentImage __initterm 102126->102128 102127->102128 102130 ff1eb2 102129->102130 102131 fe5634 __encode_pointer 6 API calls 102130->102131 102132 ff1eca 102130->102132 102131->102130 102132->102126 102133 f4c22b GetClientRect 102134 f4c322 GetUpdateRect 102133->102134 102135 f4c26f IsRectEmpty 102133->102135 102137 f4bff4 102134->102137 102138 f4c2f7 102134->102138 102136 f4c2ac _memset 102135->102136 102135->102138 102139 f4c2c3 BeginPaint EndPaint 102136->102139 102140 fdadff __woutput_l 5 API calls 102137->102140 102141 f4c402 102138->102141 102142 f4c35b InvalidateRect 102138->102142 102163 f4c376 102138->102163 102139->102137 102143 f4e69f 102140->102143 102144 f4c425 IsRectEmpty 102141->102144 102149 f4c617 _memset 102141->102149 
102142->102141 102145 f4c43f 102144->102145 102144->102149 102147 f4c451 102145->102147 102148 f4c51b 102145->102148 102146 f4c700 _memset 102156 f4c740 BeginPaint 102146->102156 102152 f4c473 DeleteDC 102147->102152 102153 f4c47a 102147->102153 102205 f49dc0 67 API calls __woutput_l 102148->102205 102149->102146 102151 f4c6c0 CreateCompatibleDC 102149->102151 102158 f4c705 CreateCompatibleBitmap 102151->102158 102159 f4c6e2 102151->102159 102152->102153 102154 f4c484 DeleteDC 102153->102154 102155 f4c48b 102153->102155 102154->102155 102161 f4c495 DeleteObject 102155->102161 102162 f4c49c 102155->102162 102164 f4ced5 SaveDC 102156->102164 102165 f4c765 SelectObject SaveDC 102156->102165 102157 f4ef30 81 API calls 102157->102141 102158->102146 102208 f715d0 CreateDIBSection 102159->102208 102161->102162 102166 f4c4a6 DeleteObject 102162->102166 102185 f4c4ad 102162->102185 102163->102141 102163->102157 102167 f4cf02 RestoreDC 102164->102167 102189 f4c79a 102165->102189 102166->102185 102168 f4cf10 EndPaint 102167->102168 102168->102137 102170 f4cf3c 102168->102170 102169 f4ca36 RestoreDC 102176 f4ce24 BitBlt 102169->102176 102177 f4ca8a GetWindowRect 102169->102177 102215 f4e7f0 InvalidateRect GetClientRect UnionRect 102170->102215 102172 f4c845 IsWindow 102178 f4c88b IsWindowVisible 102172->102178 102172->102189 102175 f4c5e8 102175->102149 102179 f4c602 102175->102179 102180 f4ce57 SelectObject 102176->102180 102181 f4cb22 102177->102181 102196 f4cc31 102177->102196 102178->102189 102207 f4e7f0 InvalidateRect GetClientRect UnionRect 102179->102207 102180->102168 102183 f4ce78 102180->102183 102184 f4cb2b CreateCompatibleDC 102181->102184 102194 f4cba2 _memset 102181->102194 102183->102168 102187 f4ce85 SelectObject GetStockObject SelectObject Rectangle SelectObject 102183->102187 102211 f715d0 CreateDIBSection 102184->102211 102185->102149 102206 f4f9e0 77 API calls __woutput_l 102185->102206 102187->102168 102189->102169 102189->102172 102209 f4f700 
GetWindowRect ScreenToClient ScreenToClient 102189->102209 102190 f4c8ae IntersectRect 102190->102189 102192 f4c8ea CreateCompatibleDC 102190->102192 102191 f4cb5c _memset 102195 f4cb7b SelectObject 102191->102195 102210 f715d0 CreateDIBSection 102192->102210 102194->102196 102212 f709e0 GetClipBox CreateRectRgnIndirect CreateRectRgnIndirect ExtSelectClipRgn 102194->102212 102195->102194 102196->102180 102198 f4cc04 102213 f730d0 186 API calls 3 library calls 102198->102213 102199 f4c94d SelectObject SendMessageW 102201 f4c9de BitBlt SelectObject DeleteObject DeleteDC 102199->102201 102204 f4c91d _memset 102199->102204 102201->102189 102202 f4cc1e 102214 f709b0 SelectClipRgn DeleteObject DeleteObject 102202->102214 102204->102199 102204->102201 102205->102185 102206->102175 102207->102137 102208->102146 102209->102190 102210->102204 102211->102191 102212->102198 102213->102202 102214->102196 102215->102137
              APIs
              • IsRectEmpty.USER32(?), ref: 00F74344
              • _malloc.LIBCMT ref: 00F74379
                • Part of subcall function 00FDE798: __FF_MSGBANNER.LIBCMT ref: 00FDE7BB
                • Part of subcall function 00FDE798: __NMSG_WRITE.LIBCMT ref: 00FDE7C2
                • Part of subcall function 00FDE798: RtlAllocateHeap.NTDLL(00000000,?), ref: 00FDE80F
              • _malloc.LIBCMT ref: 00F7439C
              • _malloc.LIBCMT ref: 00F743B5
              • _malloc.LIBCMT ref: 00F743D1
              • GetClipBox.GDI32(?,?), ref: 00F74407
              • CreateRectRgnIndirect.GDI32(?), ref: 00F7441B
              • CreateRectRgnIndirect.GDI32(?), ref: 00F74425
              • ExtSelectClipRgn.GDI32(?,00000000,00000001), ref: 00F74438
                • Part of subcall function 00F742A0: PtInRect.USER32(?,?,?), ref: 00F74707
              • SelectObject.GDI32(?,?), ref: 00F744AD
              • SetBkMode.GDI32(?,00000001), ref: 00F744BD
              • SetTextColor.GDI32(?), ref: 00F744E7
              • SetBkColor.GDI32(?), ref: 00F74510
              • CharNextW.USER32(?), ref: 00F748FF
              • CharNextW.USER32(?), ref: 00F74954
              • SetTextColor.GDI32(?,00000000), ref: 00F749EF
              • SelectObject.GDI32(?,00000000), ref: 00F74AB6
              • SelectObject.GDI32(?,00000000), ref: 00F74BE3
              • CharNextW.USER32(?), ref: 00F7590D
              • CharNextW.USER32(?), ref: 00F7591C
              • GetTextExtentPoint32W.GDI32(?,?,?,?), ref: 00F76373
              • TextOutW.GDI32(?,?,?,?,?), ref: 00F765B1
              • SetRect.USER32(?,?,?,?,?), ref: 00F766DB
              • SetTextColor.GDI32(?,?), ref: 00F769F6
              • SelectObject.GDI32(?), ref: 00F76A30
              • SetBkMode.GDI32(?,00000002), ref: 00F76A40
              • SelectClipRgn.GDI32(?,?), ref: 00F76AB0
              • DeleteObject.GDI32(?), ref: 00F76AC4
              • DeleteObject.GDI32(?), ref: 00F76ACE
              • SelectObject.GDI32(?,?), ref: 00F76ADD
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: ObjectSelect$RectText$CharColorNext_malloc$Clip$CreateDeleteIndirectMode$AllocateEmptyExtentHeapPoint32
              • String ID: ...$bold$d$italic$underline
              • API String ID: 1369725245-2658422815
              • Opcode ID: 2a28f7c08f088908728fcd371d34fa416b746d5a67de91716d27693b49540cae
              • Instruction ID: eb03d3c1cbf9e5679cb9cc6e7c20bbed201fdf4dcb65cf6fc47cacb7542d1d40
              • Opcode Fuzzy Hash: 2a28f7c08f088908728fcd371d34fa416b746d5a67de91716d27693b49540cae
              • Instruction Fuzzy Hash: 41136970A087818FD724CF28C884BABB7E5AFC8714F14892EE989D7241D775E845DB93
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: __wcsicoll$__wcstoi64$_malloc_memsetwcstoxl
              • String ID: ActiveX$Button$CheckBox$Combo$ComboBox$Control$DateTime$Default$Edit$Font$GifAnim$HBox$IContainer$Image$Include$Label$List$MultiLanguage$Option$Progress$RichEdit$Slider$Text$Tree$TreeNode$TreeNodeUI$TreeView$VBox$count$cover$source$true
              • API String ID: 1658991335-831569304
              • Opcode ID: 835374de1082b1b087401c10183e28595cc478b39de651630ec9a83f04ea7a72
              • Instruction ID: ca8e3ae3390128f1cb36c809e423ce6db5948b898a1a80d28b86253c67e56729
              • Opcode Fuzzy Hash: 835374de1082b1b087401c10183e28595cc478b39de651630ec9a83f04ea7a72
              • Instruction Fuzzy Hash: 6E72E971A043429BDB20DF58CC42B6B73E5AF94355F04452EFE8987242E739DA48FB92

              Control-flow Graph

              • Executed
              • Control-flow graph for the function starting at f4c22b (rendered node/edge graph omitted). APIs referenced in the graph: GetClientRect, GetUpdateRect, IsRectEmpty, BeginPaint, EndPaint, InvalidateRect, CreateCompatibleDC, CreateCompatibleBitmap, DeleteDC, DeleteObject, SelectObject, SaveDC, RestoreDC, BitBlt, IsWindow, IsWindowVisible, IntersectRect, SendMessageW, GetStockObject, Rectangle
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: Rect$Delete$EmptyObjectPaint$BeginClientInvalidateUpdate_memset
              • String ID: windowinit
              • API String ID: 2546552490-3894911279
              • Opcode ID: 3320140e61af4cd953fab0f0689ea323ad08acf5c50453c34b3c232119946d51
              • Instruction ID: 62f58c575e06b04a5ad2da208e111da2697cbab4878bf6a6c0e573b509ad2bcf
              • Opcode Fuzzy Hash: 3320140e61af4cd953fab0f0689ea323ad08acf5c50453c34b3c232119946d51
              • Instruction Fuzzy Hash: 0B821B716083409FD754CF28C884B9ABBF5BFC9300F18896DED898B355DB75A845CBA2

              Control-flow Graph

              • Control-flow graph for the function starting at f71690 (rendered node/edge graph omitted). APIs referenced in the graph: CreateFileW, GetFileSize, ReadFile, CloseHandle, FindResourceW, LoadResource, SizeofResource, LockResource, FreeResource, CreateDIBSection, CharNextW
              APIs
              • GetFileSize.KERNEL32(00000000,00000000), ref: 00F71770
              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000), ref: 00F717BE
              • CloseHandle.KERNEL32(00000000), ref: 00F717C5
              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,0066EAA0,?,8F2D4ADD,?,?,?,?), ref: 00F7173C
                • Part of subcall function 00F49FD0: _malloc.LIBCMT ref: 00F4A01D
              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00F71AB0
              • GetFileSize.KERNEL32(00000000,00000000), ref: 00F71AC0
              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000), ref: 00F71AE9
              • CloseHandle.KERNEL32(00000000), ref: 00F71AF0
              • _memset.LIBCMT ref: 00F71B5E
              • CreateDIBSection.GDI32 ref: 00F71BB7
                • Part of subcall function 00F4A110: _wcsncpy.LIBCMT ref: 00F4A1A1
              • CharNextW.USER32(?), ref: 00F71C31
              • __wcstoui64.LIBCMT ref: 00F71C3F
                • Part of subcall function 00FDB0A2: __lock.LIBCMT ref: 00FDB0C0
                • Part of subcall function 00FDB0A2: ___sbh_find_block.LIBCMT ref: 00FDB0CB
                • Part of subcall function 00FDB0A2: ___sbh_free_block.LIBCMT ref: 00FDB0DA
                • Part of subcall function 00FDB0A2: RtlFreeHeap.NTDLL(00000000,?,01028420,0000000C,00FE4923,00000000,01028990,0000000C,00FE495D,?,?,?,00FEF11D,00000004,01028BE0,0000000C), ref: 00FDB10A
                • Part of subcall function 00FDB0A2: GetLastError.KERNEL32(?,00FEF11D,00000004,01028BE0,0000000C,00FE429F,?,?,00000000,00000000,00000000,?,00FE58EA,00000001,00000214), ref: 00FDB11B
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: File$Create$CloseHandleReadSize$CharErrorFreeHeapLastNextSection___sbh_find_block___sbh_free_block__lock__wcstoui64_malloc_memset_wcsncpy
              • String ID: ($*COLOR*
              • API String ID: 415274439-1670140489
              • Opcode ID: a011bd4bef33d1e26709a72ccba435f125c2ebf201bccf20964544fa37ac6ec2
              • Instruction ID: 5c160c48a731fe0756e574295052b3d17ff639aaa9691959dc4c9229cdaed999
              • Opcode Fuzzy Hash: a011bd4bef33d1e26709a72ccba435f125c2ebf201bccf20964544fa37ac6ec2
              • Instruction Fuzzy Hash: D822C0719083419FD321DF288885B6BB7E9BFA4710F08891EF88987341E77AD949DB53

              Control-flow Graph

              • Control-flow graph for the function starting at f15aa0 (rendered node/edge graph omitted). APIs referenced in the graph: GetUserNameW, LookupAccountNameW, IsValidSid, GetSidIdentifierAuthority, GetSidSubAuthorityCount, GetSidSubAuthority
              APIs
              • _memset.LIBCMT ref: 00F15AD0
              • GetUserNameW.ADVAPI32(?,?), ref: 00F15AEE
              • _memset.LIBCMT ref: 00F15B0E
              • _memset.LIBCMT ref: 00F15B2B
              • LookupAccountNameW.ADVAPI32 ref: 00F15B6D
              • IsValidSid.ADVAPI32(00000000), ref: 00F15B80
              • GetSidIdentifierAuthority.ADVAPI32(?), ref: 00F15B94
              • swprintf.LIBCMT ref: 00F15BB5
                • Part of subcall function 00FDB417: __vswprintf_s_l.LIBCMT ref: 00FDB42B
              • swprintf.LIBCMT ref: 00F15BF2
              • GetSidSubAuthorityCount.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 00F15C08
              • GetSidSubAuthority.ADVAPI32(?,00000000), ref: 00F15C36
              • swprintf.LIBCMT ref: 00F15C54
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: Authority_memsetswprintf$Name$AccountCountIdentifierLookupUserValid__vswprintf_s_l
              • String ID: %-lu$-%lu$S-%lu-
              • API String ID: 1903154352-474367829
              • Opcode ID: 56acb5dab2cae718a2314abcc6977f5b7bad92354a0104c9f9756e8a5fb0cb98
              • Instruction ID: 4e08f3a5b61450364e1b93ffe59a82c8c642e82e2e4dd9d821326c970a568d62
              • Opcode Fuzzy Hash: 56acb5dab2cae718a2314abcc6977f5b7bad92354a0104c9f9756e8a5fb0cb98
              • Instruction Fuzzy Hash: FB51F6B2904340EBD320DF74CC85AEBB3E9AFC8710F044A1DF59986181EB75D648D792

              Control-flow Graph

              • Control-flow graph for the function starting at f396c0 (rendered node/edge graph omitted). APIs referenced in the graph: GetTimeZoneInformation, GetLocaleInfoW
              APIs
              • GetTimeZoneInformation.KERNELBASE(?,8F2D4ADD), ref: 00F39708
              • _memset.LIBCMT ref: 00F39832
              • GetLocaleInfoW.KERNEL32(00000400,00001002,?,00000104,?,?,?), ref: 00F39851
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: InfoInformationLocaleTimeZone_memset
              • String ID: %02d:%02d$Country$GMT$Pageid$Result_Run_Installer$Timezone$Web_Installer$exeNumber
              • API String ID: 3153034172-1566158848
              • Opcode ID: 8c1b5129e4c7847fa0f7b419256d8b3bcba59fcc9c102b0ed4aa1b534486a12c
              • Instruction ID: dc7b574b743463c4182185c27499a67671b24588414b44946fd9b53bb24af9ba
              • Opcode Fuzzy Hash: 8c1b5129e4c7847fa0f7b419256d8b3bcba59fcc9c102b0ed4aa1b534486a12c
              • Instruction Fuzzy Hash: 6EC1AE716083809FD725DF69C842B9BB7E9AFC5700F448A1EF5C987241DBB895448B93

              Control-flow Graph

              APIs
              • GetLocalTime.KERNEL32(?,00000000,74DF2EE0,00F1553E,Install recomand return=%ld,?), ref: 00F96A71
              • _memset.LIBCMT ref: 00F96A83
              • GetCurrentThreadId.KERNEL32 ref: 00F96AA3
              • __snprintf.LIBCMT ref: 00F96AB6
              • _vswprintf_s.LIBCMT ref: 00F96AD7
                • Part of subcall function 00FE7971: __vsnprintf_l.LIBCMT ref: 00FE7984
              • OutputDebugStringA.KERNELBASE(?), ref: 00F96B06
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: CurrentDebugLocalOutputStringThreadTime__snprintf__vsnprintf_l_memset_vswprintf_s
              • String ID: EasyLog.log$[%d]-%02d:%02d:%02d:%03d $ab+
              • API String ID: 833957585-2050719945
              • Opcode ID: c84fb8800c89673931fa83c8ed7f34162f439c44c79ec61f52b9fde59edd3089
              • Instruction ID: b1bf786454fcdf126457290ad9c0dd00963731db2e4b86fac1f5d9aaa0054eaa
              • Opcode Fuzzy Hash: c84fb8800c89673931fa83c8ed7f34162f439c44c79ec61f52b9fde59edd3089
              • Instruction Fuzzy Hash: 9821EEB1908351ABD320EF64CC46EABB7E9AF88704F44891EF588C7242E63DD504D7A2
              APIs
              • _realloc.LIBCMT ref: 00F91362
                • Part of subcall function 00FDB0A2: __lock.LIBCMT ref: 00FDB0C0
                • Part of subcall function 00FDB0A2: ___sbh_find_block.LIBCMT ref: 00FDB0CB
                • Part of subcall function 00FDB0A2: ___sbh_free_block.LIBCMT ref: 00FDB0DA
                • Part of subcall function 00FDB0A2: RtlFreeHeap.NTDLL(00000000,?,01028420,0000000C,00FE4923,00000000,01028990,0000000C,00FE495D,?,?,?,00FEF11D,00000004,01028BE0,0000000C), ref: 00FDB10A
                • Part of subcall function 00FDB0A2: GetLastError.KERNEL32(?,00FEF11D,00000004,01028BE0,0000000C,00FE429F,?,?,00000000,00000000,00000000,?,00FE58EA,00000001,00000214), ref: 00FDB11B
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: ErrorFreeHeapLast___sbh_find_block___sbh_free_block__lock_realloc
              • String ID: DNEI$ETLP$IBgC$RDHI$SNRt$TADI
              • API String ID: 2678416073-81932513
              • Opcode ID: 130a164c03d7f2a6435bc0497f7b891b5a217a4b3883105ec8db5811ac951253
              • Instruction ID: 367db5a4aa6233c07a6aa103235cdc3177c431c496cc3d14d21a16a478af4819
              • Opcode Fuzzy Hash: 130a164c03d7f2a6435bc0497f7b891b5a217a4b3883105ec8db5811ac951253
              • Instruction Fuzzy Hash: F232A071A05386DFEF75CF18C8447AA37A0BB85354F18457EE88A8B341D7398949EB82

              Control-flow Graph

              • Control-flow graph for the function starting at f816c0 (rendered node/edge graph omitted). APIs referenced in the graph: LoadLibraryW, GetProcAddress, CoCreateInstance
              APIs
              • LoadLibraryW.KERNEL32(?), ref: 00F8170C
              • GetProcAddress.KERNEL32(00000000,DllGetClassObject), ref: 00F81720
              • CoCreateInstance.OLE32(?,00000000,00000017,01012444,?), ref: 00F8177C
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: AddressCreateInstanceLibraryLoadProc
              • String ID: DllGetClassObject$UIActiveX$showactivex
              • API String ID: 3919134875-1617538497
              • Opcode ID: c3c369e55fe08b2b4ed956905e9dc778cb34cbe3c0a3c367feebce614b69f812
              • Instruction ID: 3b989601a270e01bee9f91fa90c2329fcea69bef507060adc0e07b1cf2deecce
              • Opcode Fuzzy Hash: c3c369e55fe08b2b4ed956905e9dc778cb34cbe3c0a3c367feebce614b69f812
              • Instruction Fuzzy Hash: 4DA136706447019FC310EB68C880E6AB3EAFFCD714F208A5CF199DB264DB76A846CB51
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8c27cc1bfc2454246e667d5c030095a39f59b54b8897ec5cc143c909d0a3ac4d
              • Instruction ID: e0b90113956b42380da1653249278c056866693b174a3309a537734191ccac43
              • Opcode Fuzzy Hash: 8c27cc1bfc2454246e667d5c030095a39f59b54b8897ec5cc143c909d0a3ac4d
              • Instruction Fuzzy Hash: 46C1F671904345CFDB24CF28C8907DA7BE1AF99314F08855EE98D8B381DB75EA49CB92
              APIs
              • _malloc.LIBCMT ref: 00F90345
                • Part of subcall function 00FDE798: __FF_MSGBANNER.LIBCMT ref: 00FDE7BB
                • Part of subcall function 00FDE798: __NMSG_WRITE.LIBCMT ref: 00FDE7C2
                • Part of subcall function 00FDE798: RtlAllocateHeap.NTDLL(00000000,?), ref: 00FDE80F
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: AllocateHeap_malloc
              • String ID:
              • API String ID: 501242067-0
              • Opcode ID: 68a049cdfc5235ad3caee8b25472a8f4ae20f558964c94ddbac2ec98a6534f74
              • Instruction ID: 1285a0471917bd32269e28c44269b5ed79870923690250fdfa7935c24aaac565
              • Opcode Fuzzy Hash: 68a049cdfc5235ad3caee8b25472a8f4ae20f558964c94ddbac2ec98a6534f74
              • Instruction Fuzzy Hash: A662E131A083918FDB25CF3DC09016AFBE1EFA6314F184A5DE5D58B392DA35D806DB92

              Control-flow Graph

              • Control-flow graph for the function starting at f39b90 (rendered node/edge graph omitted). APIs referenced in the graph: GetTempPathW, lstrlenW, lstrlenA, FindWindowW, IsWindow, ShowWindow, SetForegroundWindow, SetFocus
              APIs
              • _memset.LIBCMT ref: 00F39CBA
              • GetTempPathW.KERNEL32(00000104,?,?,?,?,0000000B), ref: 00F39CCE
              • lstrlenW.KERNEL32(?,?,?,?,?,0000000B), ref: 00F39DAE
                • Part of subcall function 00F121D0: _memcpy_s.LIBCMT ref: 00F12255
              • __time64.LIBCMT ref: 00F39C88
                • Part of subcall function 00FDB986: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,00F163C6,00000000,8F2D4ADD), ref: 00FDB991
                • Part of subcall function 00FDB986: __aulldiv.LIBCMT ref: 00FDB9B1
              • __time64.LIBCMT ref: 00F39E92
              • _memset.LIBCMT ref: 00F39ECD
                • Part of subcall function 00F1BB00: std::_String_base::_Xlen.LIBCPMT ref: 00F1BB5C
                • Part of subcall function 00F1BB00: _memcpy_s.LIBCMT ref: 00F1BBB6
              • lstrlenA.KERNEL32(?,?,?,?,0000000C), ref: 00F39F11
              • lstrlenA.KERNEL32(00000004,?,?,?,0000000C), ref: 00F39F94
                • Part of subcall function 00F159E0: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F15A79
              • FindWindowW.USER32(00000000,-00000004), ref: 00F3A532
              • IsWindow.USER32(00000000), ref: 00F3A54C
              • ShowWindow.USER32(00000000,00000005), ref: 00F3A55D
              • SetForegroundWindow.USER32(00000000), ref: 00F3A564
              • SetFocus.USER32(00000000), ref: 00F3A56B
                • Part of subcall function 00F396C0: GetTimeZoneInformation.KERNELBASE(?,8F2D4ADD), ref: 00F39708
                • Part of subcall function 00F14790: LoadImageW.USER32(00F10000,?,00000001,00000000,00000000,00000050), ref: 00F147B6
                • Part of subcall function 00F14790: SendMessageW.USER32(?,00000080,00000001,00000000), ref: 00F147CA
                • Part of subcall function 00F14790: LoadImageW.USER32(00F10000,?,00000001,00000000,00000000,00000050), ref: 00F147EB
                • Part of subcall function 00F14790: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00F147F9
                • Part of subcall function 00F34D00: SetTimer.USER32(?,00000014,00000000,00000000), ref: 00F34D18
                • Part of subcall function 00F34D00: SetTimer.USER32(?,00000015,00000320,00000000), ref: 00F34D27
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: Window$Timelstrlen$ImageLoadMessageSendTimer__time64_memcpy_s_memset$FileFindFocusForegroundInformationIos_base_dtorPathShowString_base::_SystemTempXlenZone__aulldivstd::_std::ios_base::_
              • String ID: DATA=1 ||| INSTALL_TYPE=1$.exe$EXENAME$GUID$INSTALL_TYPE$Install_Language$PRODUCT_VERSION$RECOMMEND_URL$REFERNUMBER$TestID$downloader.ico$exeNumber$install.xml$installEBC.xml$installTB.xml$skin.zip
              • API String ID: 1361978398-1569736989
              • Opcode ID: 336cbae43340339750b8e8b88887fa9d710c76da6a263c55dc67d8b2fb943872
              • Instruction ID: 0ef9c696e8c0778ff1e51348ca321a617066b6281f3fd1f941c26c9d11283ea8
              • Opcode Fuzzy Hash: 336cbae43340339750b8e8b88887fa9d710c76da6a263c55dc67d8b2fb943872
              • Instruction Fuzzy Hash: 755229728102889BCF34FF74CC56ADE3769AF44310F540129FD095B252EF79AA85EB92

              Control-flow Graph

              APIs
              • CreateFileW.KERNEL32(0066EAA0,80000000,00000001,00000000,00000003,00000080,00000000,0066EAA0,000000FF,8F2D4ADD,?,?,?,?), ref: 00F48762
              • _wcsncpy.LIBCMT ref: 00F4877A
              • GetFileSize.KERNEL32(00000000,00000000,?,?,?), ref: 00F487B7
              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?), ref: 00F487FA
              • CloseHandle.KERNEL32(00000000), ref: 00F48801
                • Part of subcall function 00F49FD0: _malloc.LIBCMT ref: 00F4A01D
              • _wcsncpy.LIBCMT ref: 00F48790
                • Part of subcall function 00FDB0A2: __lock.LIBCMT ref: 00FDB0C0
                • Part of subcall function 00FDB0A2: ___sbh_find_block.LIBCMT ref: 00FDB0CB
                • Part of subcall function 00FDB0A2: ___sbh_free_block.LIBCMT ref: 00FDB0DA
                • Part of subcall function 00FDB0A2: RtlFreeHeap.NTDLL(00000000,?,01028420,0000000C,00FE4923,00000000,01028990,0000000C,00FE495D,?,?,?,00FEF11D,00000004,01028BE0,0000000C), ref: 00FDB10A
                • Part of subcall function 00FDB0A2: GetLastError.KERNEL32(?,00FEF11D,00000004,01028BE0,0000000C,00FE429F,?,?,00000000,00000000,00000000,?,00FE58EA,00000001,00000214), ref: 00FDB11B
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: File$_wcsncpy$CloseCreateErrorFreeHandleHeapLastReadSize___sbh_find_block___sbh_free_block__lock_malloc
              • String ID: Could not find ziped file$Could not read file$Could not unzip file$Error opening file$Error opening zip file$File is empty$File too large
              • API String ID: 274506145-2950584456
              • Opcode ID: 692709a26925ce0e5b4f59e88d603969900b4278965a3c8856519b2e4ba0e0a4
              • Instruction ID: 6ea50f692c6da164ec0f29ed7d369602095f7859c1ed39c38d56b085898ee2d8
              • Opcode Fuzzy Hash: 692709a26925ce0e5b4f59e88d603969900b4278965a3c8856519b2e4ba0e0a4
              • Instruction Fuzzy Hash: 4C716EB1E04304ABD620AB20DC86F2F7B9DAB44750F14492AFD45A7281EF7DE905A793

              Control-flow Graph

              APIs
                • Part of subcall function 00F4ABA0: _memset.LIBCMT ref: 00F4ABE8
              • _memset.LIBCMT ref: 00F4AFEE
              • _memset.LIBCMT ref: 00F4B02C
              • _memset.LIBCMT ref: 00F4B06A
                • Part of subcall function 00F4AC00: _memset.LIBCMT ref: 00F4AC6C
                • Part of subcall function 00F4AC00: _memset.LIBCMT ref: 00F4ACA7
                • Part of subcall function 00F4AC00: _memset.LIBCMT ref: 00F4ACE2
                • Part of subcall function 00F4AC00: _memset.LIBCMT ref: 00F4AD1D
              • _memset.LIBCMT ref: 00F4B0E7
              • GetStockObject.GDI32(00000011), ref: 00F4B0F8
              • GetObjectW.GDI32(00000000), ref: 00F4B0FF
              • CreateFontIndirectW.GDI32 ref: 00F4B10F
                • Part of subcall function 00F4A110: _wcsncpy.LIBCMT ref: 00F4A1A1
              • _memset.LIBCMT ref: 00F4B16B
              • CreatePen.GDI32(00000000,00000001,000000DC), ref: 00F4B1BA
              • #17.COMCTL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,8F2D4ADD,?), ref: 00F4B1C5
              • LoadLibraryW.KERNELBASE(msimg32.dll), ref: 00F4B1D0
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: _memset$CreateObject$FontIndirectLibraryLoadStock_wcsncpy
              • String ID: msimg32.dll
              • API String ID: 3166912299-3287713914
              • Opcode ID: 7fda5094d5bb219c70c4ed8ac34e719df83fc47ee2d3be02e184677212b77b20
              • Instruction ID: 214ee97930d8a92f67f5275ba5f4dba0722c08a408fe862b7c31553373c50983
              • Opcode Fuzzy Hash: 7fda5094d5bb219c70c4ed8ac34e719df83fc47ee2d3be02e184677212b77b20
              • Instruction Fuzzy Hash: 19D1E1B0A45B82EFD359DF3A8485786FBE8BB49300F80872EE1AC87241D7756164CF95

              Control-flow Graph

              APIs
              • GetWindow.USER32(?,00000004), ref: 00F4965E
              • ShowWindow.USER32(?,00000001), ref: 00F4966C
              • EnableWindow.USER32(00000000,00000000), ref: 00F4967A
              • IsWindow.USER32(?), ref: 00F4969E
              • KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 00F496B3
              • EnableWindow.USER32(00000000,00000001), ref: 00F496D4
              • SetFocus.USER32(00000000), ref: 00F496D7
              • TranslateMessage.USER32(?), ref: 00F496F3
              • DispatchMessageW.USER32(?), ref: 00F496FE
              • IsWindow.USER32(?), ref: 00F4970F
              • EnableWindow.USER32(00000000,00000001), ref: 00F4971C
              • SetFocus.USER32(00000000), ref: 00F4971F
              • PostQuitMessage.USER32(?), ref: 00F49731
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: Window$EnableMessage$Focus$CallbackDispatchDispatcherPostQuitShowTranslateUser
              • String ID:
              • API String ID: 802916070-0
              • Opcode ID: 0499878f2f4c86018d257277bd0da41c03b0a28e2ce17e41e84120d5abb3ac64
              • Instruction ID: 742eecaeda7d685a8f248a4a589579075d1757ac9838ae2d38020ed8fb10c478
              • Opcode Fuzzy Hash: 0499878f2f4c86018d257277bd0da41c03b0a28e2ce17e41e84120d5abb3ac64
              • Instruction Fuzzy Hash: B5317C70A04301AFD720DF64D984B5BBBEAFF48715F404918F599D3241DB7AE914CBA2

              Control-flow Graph

              APIs
              • _memset.LIBCMT ref: 00F153F6
              • CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00F15445
              • GetLastError.KERNEL32 ref: 00F1544F
              • GetExitCodeProcess.KERNELBASE(?,?), ref: 00F154AF
              • GetLastError.KERNEL32 ref: 00F154B9
                • Part of subcall function 00F96A40: GetLocalTime.KERNEL32(?,00000000,74DF2EE0,00F1553E,Install recomand return=%ld,?), ref: 00F96A71
                • Part of subcall function 00F96A40: _memset.LIBCMT ref: 00F96A83
                • Part of subcall function 00F96A40: GetCurrentThreadId.KERNEL32 ref: 00F96AA3
                • Part of subcall function 00F96A40: __snprintf.LIBCMT ref: 00F96AB6
                • Part of subcall function 00F96A40: _vswprintf_s.LIBCMT ref: 00F96AD7
                • Part of subcall function 00F96A40: OutputDebugStringA.KERNELBASE(?), ref: 00F96B06
              • CloseHandle.KERNEL32(?), ref: 00F15516
              • CloseHandle.KERNEL32(?), ref: 00F1551D
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: CloseErrorHandleLastProcess_memset$CodeCreateCurrentDebugExitLocalOutputStringThreadTime__snprintf_vswprintf_s
              • String ID: D$Install recomand ErrCode= %ld$Install recomand ErrCode=%d$Install recomand return=%ld
              • API String ID: 3332992758-3228177572
              • Opcode ID: adb07f12cd9a97c5a9154f68a7f1530b7a2a186b6ab02410ae93d5b0034499b8
              • Instruction ID: 50b87330307df46ec09e0289bd2b33af95736dff81768c0efa846e8ed2818249
              • Opcode Fuzzy Hash: adb07f12cd9a97c5a9154f68a7f1530b7a2a186b6ab02410ae93d5b0034499b8
              • Instruction Fuzzy Hash: E841BCB19003449BDB00EF69E88199FB7E9EFC8715F00862EF94997200E779D544CF96
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: __wcsicoll$_malloc_memset
              • String ID: $ExtendRichEdit$ListHeaderItem$VerticalLayout$cover$true
              • API String ID: 1497606448-1609732637
              • Opcode ID: ebb5a1f493729200cd992ba5483f8915ac6c2e02d5e04784b159490c3db15723
              • Instruction ID: a33b2ff371cb61334e945aa2eafff9eb4e1ae5a24bf19067652db70fc5ca467b
              • Opcode Fuzzy Hash: ebb5a1f493729200cd992ba5483f8915ac6c2e02d5e04784b159490c3db15723
              • Instruction Fuzzy Hash: 2081D671A043429FD720DF58CC81B6EB3E5AFD4395F44052DEE8987241EB35DA49EB82

              Control-flow Graph

              APIs
              • _memset.LIBCMT ref: 00F44661
              • GetPrivateProfileStringA.KERNEL32(?,00000000,00000000,?,00000800,?), ref: 00F446AD
              • _memset.LIBCMT ref: 00F446D3
              • _memset.LIBCMT ref: 00F44721
              • GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 00F4476F
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: _memset$PrivateProfileString
              • String ID: .ini
              • API String ID: 3423441237-3921635435
              • Opcode ID: 6a878e89eee7e21a2edb5417194193f501d4e656cc3dde1c8ce53b9b65decfee
              • Instruction ID: 5294255b1fa80bb99923319ce03131a634a14f068636952b50d5d16d79747c83
              • Opcode Fuzzy Hash: 6a878e89eee7e21a2edb5417194193f501d4e656cc3dde1c8ce53b9b65decfee
              • Instruction Fuzzy Hash: 0481C1B15083C49FD330EB64C895BEBBBE8ABC5304F40492EE58997241DB75A948C793

              Control-flow Graph

              APIs
              • CreateFileW.KERNELBASE(00F70171,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00F7076F,?), ref: 00F6EF57
              • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,00000000,?,00F7076F,?), ref: 00F6EF84
              • GetCurrentProcess.KERNEL32(00F70171,00000000), ref: 00F6EF88
              • DuplicateHandle.KERNEL32(00000000), ref: 00F6EF8B
              • GetFileType.KERNELBASE(00000000), ref: 00F6EFA9
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: CurrentFileProcess$CreateDuplicateHandleType
              • String ID:
              • API String ID: 3926963402-0
              • Opcode ID: f6acc2ded0469e23249254e639f69b363d1e1ef7dea96697b4b795771899f416
              • Instruction ID: 99d34790f8b65017512ef8f83980f7f4daad54d3d631ae0a2872e72e21cb59a5
              • Opcode Fuzzy Hash: f6acc2ded0469e23249254e639f69b363d1e1ef7dea96697b4b795771899f416
              • Instruction Fuzzy Hash: A0318076B453009FE731CF28DC44B5BBBE5EB45320F24890EF59587680D7B6A844DB51

              Control-flow Graph

              APIs
                • Part of subcall function 00F6B250: _memset.LIBCMT ref: 00F6B264
                • Part of subcall function 00F6B250: GetObjectW.GDI32(00000000,0000005C,?), ref: 00F6B28C
                • Part of subcall function 00F6B250: GetDeviceCaps.GDI32(?,0000005A), ref: 00F6B2CE
              • _memset.LIBCMT ref: 00F87ADE
              • LoadLibraryW.KERNELBASE(msftedit.dll,?,00000000), ref: 00F87B72
              • GetProcAddress.KERNEL32(00000000,CreateTextServices), ref: 00F87B82
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: _memset$AddressCapsDeviceLibraryLoadObjectProc
              • String ID: CreateTextServices$msftedit.dll
              • API String ID: 4046179195-260715840
              • Opcode ID: e416b27b575170ca3206d99d917eda758f2146a8174a031d55ab0d961ffaf1c5
              • Instruction ID: b29bda03c8186a1ec8dff6ce571a1c380e705440ce7b46c676d5b6c84a3ede3f
              • Opcode Fuzzy Hash: e416b27b575170ca3206d99d917eda758f2146a8174a031d55ab0d961ffaf1c5
              • Instruction Fuzzy Hash: B641E0716043018FD714EF69C884B87BBEAFFC4310F148568E948CB25ADB75E955CBA0

              Control-flow Graph

              APIs
                • Part of subcall function 00F4A110: _wcsncpy.LIBCMT ref: 00F4A1A1
                • Part of subcall function 00F51500: _wcschr.LIBCMT ref: 00F5150B
                • Part of subcall function 00F51500: _wcschr.LIBCMT ref: 00F515EB
              • SetBkMode.GDI32(?,00000001), ref: 00F74205
              • SetTextColor.GDI32(?), ref: 00F74228
                • Part of subcall function 00F503B0: __itow.LIBCMT ref: 00F503EF
              • SelectObject.GDI32(?,00000000), ref: 00F74246
              • DrawTextW.USER32(?,?,000000FF,?,?), ref: 00F74260
              • SelectObject.GDI32(?,00000000), ref: 00F74268
                • Part of subcall function 00FDB0A2: __lock.LIBCMT ref: 00FDB0C0
                • Part of subcall function 00FDB0A2: ___sbh_find_block.LIBCMT ref: 00FDB0CB
                • Part of subcall function 00FDB0A2: ___sbh_free_block.LIBCMT ref: 00FDB0DA
                • Part of subcall function 00FDB0A2: RtlFreeHeap.NTDLL(00000000,?,01028420,0000000C,00FE4923,00000000,01028990,0000000C,00FE495D,?,?,?,00FEF11D,00000004,01028BE0,0000000C), ref: 00FDB10A
                • Part of subcall function 00FDB0A2: GetLastError.KERNEL32(?,00FEF11D,00000004,01028BE0,0000000C,00FE429F,?,?,00000000,00000000,00000000,?,00FE58EA,00000001,00000214), ref: 00FDB11B
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: ObjectSelectText_wcschr$ColorDrawErrorFreeHeapLastMode___sbh_find_block___sbh_free_block__itow__lock_wcsncpy
              • String ID:
              • API String ID: 151897381-0
              • Opcode ID: e77b6e3bef98126c6333a02f2a7aa46e6c7e72b10a92381bf310b64cb6727223
              • Instruction ID: 65c9365eb0b45f6e97bd6d3f2b7e20c971323081d9f1450cee71b33906a2f7a1
              • Opcode Fuzzy Hash: e77b6e3bef98126c6333a02f2a7aa46e6c7e72b10a92381bf310b64cb6727223
              • Instruction Fuzzy Hash: FC216D716043149FD764DB25CC85B6BB7E9FBC8311F044A1DF99A93382DB39A805CB62
              APIs
              • __lock.LIBCMT ref: 00FDB0C0
                • Part of subcall function 00FE4942: __mtinitlocknum.LIBCMT ref: 00FE4958
                • Part of subcall function 00FE4942: __amsg_exit.LIBCMT ref: 00FE4964
                • Part of subcall function 00FE4942: EnterCriticalSection.KERNEL32(?,?,?,00FEF11D,00000004,01028BE0,0000000C,00FE429F,?,?,00000000,00000000,00000000,?,00FE58EA,00000001), ref: 00FE496C
              • ___sbh_find_block.LIBCMT ref: 00FDB0CB
              • ___sbh_free_block.LIBCMT ref: 00FDB0DA
              • RtlFreeHeap.NTDLL(00000000,?,01028420,0000000C,00FE4923,00000000,01028990,0000000C,00FE495D,?,?,?,00FEF11D,00000004,01028BE0,0000000C), ref: 00FDB10A
              • GetLastError.KERNEL32(?,00FEF11D,00000004,01028BE0,0000000C,00FE429F,?,?,00000000,00000000,00000000,?,00FE58EA,00000001,00000214), ref: 00FDB11B
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
              • String ID:
              • API String ID: 2714421763-0
              • Opcode ID: f25ec2bf684515e0d77289372b2f516ee1298b3c952146a1506a7250fd2f5da1
              • Instruction ID: 9cf4569987c8acbf7bb2ab18a456df9e899d517a928a95ed85009948b87aef89
              • Opcode Fuzzy Hash: f25ec2bf684515e0d77289372b2f516ee1298b3c952146a1506a7250fd2f5da1
              • Instruction Fuzzy Hash: 52018631D05316FADF31AF72AC1AB5E3BA5AF00771F15411AF440A6282DF7E9980BB54
              APIs
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: IntersectRect$CaretFocus
              • String ID:
              • API String ID: 3821461340-0
              • Opcode ID: 5c737c433677e8d587d5d2b575b219ce637cb68c36a2379e45ee2122d616b8a2
              • Instruction ID: 4809b4436490db0631bc129fb1f8ca2ece8136fba17732bbf6c49427fc3e8b30
              • Opcode Fuzzy Hash: 5c737c433677e8d587d5d2b575b219ce637cb68c36a2379e45ee2122d616b8a2
              • Instruction Fuzzy Hash: A0A1BE31B056019FD728DF18C880AAAF7E5BF89364F54465AE998C7381CB31EC52CB91
              APIs
              • __flush.LIBCMT ref: 00FDC4B0
              • __fileno.LIBCMT ref: 00FDC4D0
              • __locking.LIBCMT ref: 00FDC4D7
              • __flsbuf.LIBCMT ref: 00FDC502
                • Part of subcall function 00FE0A22: __getptd_noexit.LIBCMT ref: 00FE0A22
                • Part of subcall function 00FDB267: __decode_pointer.LIBCMT ref: 00FDB272
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
              • String ID:
              • API String ID: 3240763771-0
              • Opcode ID: 3eeadf69eb4e18bd64e6abb00a3158512462f3aafd96295394ad5cbc7d378198
              • Instruction ID: 265d1c594af9428f84c2b9e51ceb355d094b0ea90906f463b645ac5038958a59
              • Opcode Fuzzy Hash: 3eeadf69eb4e18bd64e6abb00a3158512462f3aafd96295394ad5cbc7d378198
              • Instruction Fuzzy Hash: F141E431E006069BDF24DF6998946AEB7B7EF81330F2C822AE41697340D774ED41EB80
              APIs
              • SetFilePointer.KERNELBASE(?,00000000,00000000,00000002,00000000,?,00000000,00F7076F,?), ref: 00F6F2BB
              • SetFilePointer.KERNELBASE(?,00000000,00000000,00000001,?,00000000,?,00000000,00F7076F,?), ref: 00F6F2D7
              • _malloc.LIBCMT ref: 00F6F328
              • SetFilePointer.KERNELBASE(?,?,00000000,00000000,?,?,00000000,?,00000000,00F7076F,?), ref: 00F6F3AE
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: FilePointer$_malloc
              • String ID:
              • API String ID: 3040784002-0
              • Opcode ID: fa790710b0a9f34389f0090717ab300ae00b455aa13ae3dee9452630f104f009
              • Instruction ID: 80eb115bd3a3bf2e71c6f8992ed4bb604349e12394ae6d3f33ea6a4d9fdf22c0
              • Opcode Fuzzy Hash: fa790710b0a9f34389f0090717ab300ae00b455aa13ae3dee9452630f104f009
              • Instruction Fuzzy Hash: 6E4106B1E08742ABE720DF28E88672ABBD1EF40364F54453EE54587782D375E89CE781
              APIs
              • LoadImageW.USER32(00F10000,?,00000001,00000000,00000000,00000050), ref: 00F147B6
              • SendMessageW.USER32(?,00000080,00000001,00000000), ref: 00F147CA
              • LoadImageW.USER32(00F10000,?,00000001,00000000,00000000,00000050), ref: 00F147EB
              • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00F147F9
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: ImageLoadMessageSend
              • String ID:
              • API String ID: 2779929661-0
              • Opcode ID: baaa1e42847b354c8e8631edf3cce3b6c307299e9d81c410d5489d78264264fb
              • Instruction ID: 0ef240cc379c055e8030aa97d37b561b020f8bec0d79b18c6918cfc34b54a437
              • Opcode Fuzzy Hash: baaa1e42847b354c8e8631edf3cce3b6c307299e9d81c410d5489d78264264fb
              • Instruction Fuzzy Hash: 6901DA75294305BBE624DB54DC81F5B73EDAB88B05F108919F385AA1C0C6B5F894CB29
              APIs
              • _malloc.LIBCMT ref: 00FDB3CC
                • Part of subcall function 00FDE798: __FF_MSGBANNER.LIBCMT ref: 00FDE7BB
                • Part of subcall function 00FDE798: __NMSG_WRITE.LIBCMT ref: 00FDE7C2
                • Part of subcall function 00FDE798: RtlAllocateHeap.NTDLL(00000000,?), ref: 00FDE80F
              • std::bad_alloc::bad_alloc.LIBCMT ref: 00FDB3EF
                • Part of subcall function 00FDB397: std::exception::exception.LIBCMT ref: 00FDB3A3
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: AllocateHeap_mallocstd::bad_alloc::bad_allocstd::exception::exception
              • String ID: P5s
              • API String ID: 3447465555-4100073701
              • Opcode ID: c8e40cb13d9861cd06aa828ef80250db33e21a0ff3dd172c0b2e70531847fc2c
              • Instruction ID: 15ae3e003b17a25018c2a4503e1a18c7a04b61f96c9dbdd3730fcec768b10d83
              • Opcode Fuzzy Hash: c8e40cb13d9861cd06aa828ef80250db33e21a0ff3dd172c0b2e70531847fc2c
              • Instruction Fuzzy Hash: 3FF0E271800309BADF14BBA2EC16A5D3B9E8F40324B19412AFC5099295DF6ADA40BA40
              APIs
              • SetFilePointer.KERNELBASE(?,?,00000000,00000000,?,00000000,00F7076F,?), ref: 00F6F478
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: FilePointer
              • String ID:
              • API String ID: 973152223-0
              • Opcode ID: 90d627a3eaa3118e7f044141c77663945f7cf56ac1cefc74ed25c8b8899f8fac
              • Instruction ID: af4c0914dcc823c92eea51658981f33a2ea3f90bae222198e149cbeaf6be433a
              • Opcode Fuzzy Hash: 90d627a3eaa3118e7f044141c77663945f7cf56ac1cefc74ed25c8b8899f8fac
              • Instruction Fuzzy Hash: DD51E2B2A046004BE320DE29FC4071BB7E5AB85334F180739E965832D2EB39DD0ED392
              APIs
              • _memset.LIBCMT ref: 00F44721
              • GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 00F4476F
              • _memset.LIBCMT ref: 00F448A5
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: _memset$PrivateProfileString
              • String ID:
              • API String ID: 3423441237-0
              • Opcode ID: 92dfca6963ce741ffa369cce6c09b4ee1e3278703f779c9bbbaab303d391b1e1
              • Instruction ID: cab0b99192ab85b8afab5a157300703f447d41329fd15b26745b673ee64e6adf
              • Opcode Fuzzy Hash: 92dfca6963ce741ffa369cce6c09b4ee1e3278703f779c9bbbaab303d391b1e1
              • Instruction Fuzzy Hash: E451D0B15083C09BD321EB64C891BEFBBE9AFC5304F44092EE5C957201EB75A549C7A3
              APIs
              • OleLockRunning.OLE32(?,00000001,00000000), ref: 00F80197
              • OffsetRect.USER32(?,?,?), ref: 00F80274
              • KiUserCallbackDispatcher.NTDLL(?,?,?), ref: 00F8028A
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: CallbackDispatcherLockOffsetRectRunningUser
              • String ID:
              • API String ID: 147883647-0
              • Opcode ID: 6087db921a9a02bd419dc0b43c7b2750506c1462450480996400156cc3d0eeeb
              • Instruction ID: 2bb2f52875e860b278fe2062994f62c5fa7371dae08a97ce9db98d2c8a379e37
              • Opcode Fuzzy Hash: 6087db921a9a02bd419dc0b43c7b2750506c1462450480996400156cc3d0eeeb
              • Instruction Fuzzy Hash: 6F419F756046029FD710DF28D888EA6B7F8FF89310F0482A9E8488B751DB31FC59CBA1
              APIs
              • __CxxThrowException@8.LIBCMT ref: 00F1A718
                • Part of subcall function 00FE274B: RaiseException.KERNEL32(?,?,00FDB416,?,?,?,?,?,00FDB416,?,01028E28,010368F0,?,00F12B84,00000000,8F2D4ADD), ref: 00FE278D
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: ExceptionException@8RaiseThrow
              • String ID: map/set<T> too long
              • API String ID: 3976011213-1285458680
              • Opcode ID: 1ef6189a56d18d9ca2fe6d6b562d1979f4bc3a61cf207267492949be5129668a
              • Instruction ID: d3cb316ecc8cb9c940ff81a88ee077d476d8f1888615bea4ae857081c99b3ed3
              • Opcode Fuzzy Hash: 1ef6189a56d18d9ca2fe6d6b562d1979f4bc3a61cf207267492949be5129668a
              • Instruction Fuzzy Hash: 7B713475906641DFC321DF14C184A92FBF1BB59720F69828DE4894B392D735EC82DBD2
              APIs
              • __CxxThrowException@8.LIBCMT ref: 00F478F8
                • Part of subcall function 00FE274B: RaiseException.KERNEL32(?,?,00FDB416,?,?,?,?,?,00FDB416,?,01028E28,010368F0,?,00F12B84,00000000,8F2D4ADD), ref: 00FE278D
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: ExceptionException@8RaiseThrow
              • String ID: map/set<T> too long
              • API String ID: 3976011213-1285458680
              • Opcode ID: e2c6860d296d68142b980b8a68670d703d725646d894032fb2d95906453da6cb
              • Instruction ID: 294bc1784ef1c5b6eb7c817cde67022e9ca6fb12cd176445c5994508f9a5e61e
              • Opcode Fuzzy Hash: e2c6860d296d68142b980b8a68670d703d725646d894032fb2d95906453da6cb
              • Instruction Fuzzy Hash: 897123B1A087459FC311EF29C180A16FBE1BF59720F69868DE8894B362C735EC81DF95
              APIs
              • CreateMutexW.KERNELBASE(00000000,00000000,00000000,8F2D4ADD,?,?,00FFD6A8,000000FF), ref: 00F973E9
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: CreateMutex
              • String ID: @1f
              • API String ID: 1964310414-3981940493
              • Opcode ID: 1b08e160372a20bbc12bf5940e1f1d2a8187339be56eb08875be3912cc7b086c
              • Instruction ID: 0680bd223842c130dd98debb584dc2ffdcb55dfa8bef84bb039e9f3f124cfa14
              • Opcode Fuzzy Hash: 1b08e160372a20bbc12bf5940e1f1d2a8187339be56eb08875be3912cc7b086c
              • Instruction Fuzzy Hash: DDF058B0288B80BBE324CF40DC46B267BE8F784B24F000A59F4858A680C77D9605CB82
              APIs
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: Window$Show
              • String ID:
              • API String ID: 990937876-0
              • Opcode ID: 84eb2ae627eb9ec20e96ed3b351fa298623225cea932d87e47a99d74902964be
              • Instruction ID: d4f33eef7c89d4275636cf8f247b4f4670071a5f1a44a54ed3e9f8ac1eb98ac3
              • Opcode Fuzzy Hash: 84eb2ae627eb9ec20e96ed3b351fa298623225cea932d87e47a99d74902964be
              • Instruction Fuzzy Hash: 209119B19093819BD720DF24CC41B9BB7E5BF88310F144E2EE699A3241EB38B544DB5B
              APIs
              • CreateMutexW.KERNELBASE(00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,?,010022F8,000000FF), ref: 00F45836
              • GetLastError.KERNEL32(?,?,00000008,?,?,?,?,?,?,?,?,?,?,?,010022F8,000000FF), ref: 00F45870
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: CreateErrorLastMutex
              • String ID:
              • API String ID: 1925916568-0
              • Opcode ID: 88ba4f2cf2f72f6f7c7f5fc91d252f068116d5664e9e854e075371e9e8da5fbe
              • Instruction ID: 521d0a0bc868d8b918d1f93444af58a15e9b65fec4fb454d24df4352901dee95
              • Opcode Fuzzy Hash: 88ba4f2cf2f72f6f7c7f5fc91d252f068116d5664e9e854e075371e9e8da5fbe
              • Instruction Fuzzy Hash: 02418F769087409FD710EF58C881A1FBBE5BF84B50F054A1DF98597712DB39E804EBA2
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5f84f234a6ec292cc929b716a7dd15257868afe0145f97741de08bb267e1b40e
              • Instruction ID: f58af6c7e20cdbe5b50aa0078feb37a75eaebc2d2af1d6e7878cf03e89a4d005
              • Opcode Fuzzy Hash: 5f84f234a6ec292cc929b716a7dd15257868afe0145f97741de08bb267e1b40e
              • Instruction Fuzzy Hash: 3D31BEB59003099FCB14DF29E8C0566BBE4FF88320B54416EED188B34AE735E958DF86
              APIs
                • Part of subcall function 00FE0A22: __getptd_noexit.LIBCMT ref: 00FE0A22
                • Part of subcall function 00FDB267: __decode_pointer.LIBCMT ref: 00FDB272
              • __lock_file.LIBCMT ref: 00FDC7A6
                • Part of subcall function 00FE01FF: __lock.LIBCMT ref: 00FE0224
              • __fclose_nolock.LIBCMT ref: 00FDC7B0
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: __decode_pointer__fclose_nolock__getptd_noexit__lock__lock_file
              • String ID:
              • API String ID: 717694121-0
              • Opcode ID: c4e7d6071e5a05d32db3a8cd3a38c5cf05a006af91d312dc4b6f992b38e8d8e6
              • Instruction ID: 85e5530830b12efe2c1f8300cfda570d79ddea7bfe938c4810ab7fdea50dba26
              • Opcode Fuzzy Hash: c4e7d6071e5a05d32db3a8cd3a38c5cf05a006af91d312dc4b6f992b38e8d8e6
              • Instruction Fuzzy Hash: DBF0C271C006469AC721AB3A8C02A5E7AA16F84330F29821AF0789A2D1DF7C4541BF85
              APIs
              • std::exception::exception.LIBCMT ref: 00F1F15F
                • Part of subcall function 00FDAE7C: _strlen.LIBCMT ref: 00FDAE96
                • Part of subcall function 00FDAE7C: _malloc.LIBCMT ref: 00FDAE9F
                • Part of subcall function 00FDAE7C: _strcpy_s.LIBCMT ref: 00FDAEB1
              • __CxxThrowException@8.LIBCMT ref: 00F1F176
                • Part of subcall function 00FE274B: RaiseException.KERNEL32(?,?,00FDB416,?,?,?,?,?,00FDB416,?,01028E28,010368F0,?,00F12B84,00000000,8F2D4ADD), ref: 00FE278D
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: ExceptionException@8RaiseThrow_malloc_strcpy_s_strlenstd::exception::exception
              • String ID:
              • API String ID: 3160936874-0
              • Opcode ID: 40af6a61f8f0492c95b987ab3f2082917673ef5e6ec2fcd488aa72b7a0bb6c4d
              • Instruction ID: 19e12d4479b99852c98e8c677599a3f362cfc789fcbeb7614b8d6843156e2429
              • Opcode Fuzzy Hash: 40af6a61f8f0492c95b987ab3f2082917673ef5e6ec2fcd488aa72b7a0bb6c4d
              • Instruction Fuzzy Hash: 02E09BF190420066D708EB24CC45A5B3797ABD4320F88CF2DF4A941299EB3C91199657
              APIs
              • std::exception::exception.LIBCMT ref: 00F481CF
                • Part of subcall function 00FDAE7C: _strlen.LIBCMT ref: 00FDAE96
                • Part of subcall function 00FDAE7C: _malloc.LIBCMT ref: 00FDAE9F
                • Part of subcall function 00FDAE7C: _strcpy_s.LIBCMT ref: 00FDAEB1
              • __CxxThrowException@8.LIBCMT ref: 00F481E6
                • Part of subcall function 00FE274B: RaiseException.KERNEL32(?,?,00FDB416,?,?,?,?,?,00FDB416,?,01028E28,010368F0,?,00F12B84,00000000,8F2D4ADD), ref: 00FE278D
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: ExceptionException@8RaiseThrow_malloc_strcpy_s_strlenstd::exception::exception
              • String ID:
              • API String ID: 3160936874-0
              • Opcode ID: 3c09fc2d2f183999b07e7d1e4d31311d788774e4ad3ad5473eaeebcacd03b3aa
              • Instruction ID: 18edf09e13c551e65c56bbd3f7adcc22e738323b90797fcfeec4cedafa37ee06
              • Opcode Fuzzy Hash: 3c09fc2d2f183999b07e7d1e4d31311d788774e4ad3ad5473eaeebcacd03b3aa
              • Instruction Fuzzy Hash: 9AE0D8F541420066E704FF24CC45D5F7BAAABD4314F80CF1EF4B941295EB78D2199657
              APIs
              • std::exception::exception.LIBCMT ref: 00F12B5F
                • Part of subcall function 00FDAE7C: _strlen.LIBCMT ref: 00FDAE96
                • Part of subcall function 00FDAE7C: _malloc.LIBCMT ref: 00FDAE9F
                • Part of subcall function 00FDAE7C: _strcpy_s.LIBCMT ref: 00FDAEB1
              • __CxxThrowException@8.LIBCMT ref: 00F12B76
                • Part of subcall function 00FE274B: RaiseException.KERNEL32(?,?,00FDB416,?,?,?,?,?,00FDB416,?,01028E28,010368F0,?,00F12B84,00000000,8F2D4ADD), ref: 00FE278D
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: ExceptionException@8RaiseThrow_malloc_strcpy_s_strlenstd::exception::exception
              • String ID:
              • API String ID: 3160936874-0
              • Opcode ID: 244f605a744dee549bf9360bcf1b6814c9e0a2c6de17ec98fdde81654977351f
              • Instruction ID: 1778308939c9feaede1e72afab972640e287d58e2e05b5bf51a3604280bce985
              • Opcode Fuzzy Hash: 244f605a744dee549bf9360bcf1b6814c9e0a2c6de17ec98fdde81654977351f
              • Instruction Fuzzy Hash: B6E0D8F140420066D704FF64CC4595B3BAAABD4310F80CE1EF4B9811D5E73891189A57
              APIs
              • SetTimer.USER32(?,00000014,00000000,00000000), ref: 00F34D18
              • SetTimer.USER32(?,00000015,00000320,00000000), ref: 00F34D27
                • Part of subcall function 00F49650: GetWindow.USER32(?,00000004), ref: 00F4965E
                • Part of subcall function 00F49650: ShowWindow.USER32(?,00000001), ref: 00F4966C
                • Part of subcall function 00F49650: EnableWindow.USER32(00000000,00000000), ref: 00F4967A
                • Part of subcall function 00F49650: IsWindow.USER32(?), ref: 00F4969E
                • Part of subcall function 00F49650: KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 00F496B3
                • Part of subcall function 00F49650: EnableWindow.USER32(00000000,00000001), ref: 00F496D4
                • Part of subcall function 00F49650: SetFocus.USER32(00000000), ref: 00F496D7
                • Part of subcall function 00F49650: TranslateMessage.USER32(?), ref: 00F496F3
                • Part of subcall function 00F49650: DispatchMessageW.USER32(?), ref: 00F496FE
                • Part of subcall function 00F49650: IsWindow.USER32(?), ref: 00F4970F
                • Part of subcall function 00F49650: EnableWindow.USER32(00000000,00000001), ref: 00F4971C
                • Part of subcall function 00F49650: SetFocus.USER32(00000000), ref: 00F4971F
                • Part of subcall function 00F49650: PostQuitMessage.USER32(?), ref: 00F49731
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: Window$EnableMessage$FocusTimer$CallbackDispatchDispatcherPostQuitShowTranslateUser
              • String ID:
              • API String ID: 4004917197-0
              • Opcode ID: 5b605699ef030c2f3583c191305cfc8086464ee1eaf9605d6d3d8915c2c5af1f
              • Instruction ID: 9a58ba318f76a54ea4ee32d1524f2d738d692e3acbe6adc216cffd42e59e8b55
              • Opcode Fuzzy Hash: 5b605699ef030c2f3583c191305cfc8086464ee1eaf9605d6d3d8915c2c5af1f
              • Instruction Fuzzy Hash: 7AD05E72780B1572E121666CAC02F4AA25E5B88B20F114116B304BF1C58AE9F8019798
              APIs
              • SetFilePointer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F6F68F
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: FilePointer
              • String ID:
              • API String ID: 973152223-0
              • Opcode ID: 7beb29e7faad6b24f17a27226d1f04ae6ca06af564a2f00c68a8a4b6de5ce203
              • Instruction ID: f53b2219913ded2354a1335e93fbc7f1469aa5b61a42758386eee30d6e8debfa
              • Opcode Fuzzy Hash: 7beb29e7faad6b24f17a27226d1f04ae6ca06af564a2f00c68a8a4b6de5ce203
              • Instruction Fuzzy Hash: 547171B2E043018BD320DA78EC81A1677E59F91374F144B3DF9A5C72E2E765E908D752
              APIs
              • CallWindowProcW.USER32(?,?,?,?,?), ref: 00F54401
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: CallProcWindow
              • String ID:
              • API String ID: 2714655100-0
              • Opcode ID: c375c089ed389576a27ecb1fd5347084a693c0e9011798fba6b2f82a7258acdd
              • Instruction ID: f92260473239c88a0c7e2bc90443a6e5520601d06a6f1fc4cd924bc523e4b435
              • Opcode Fuzzy Hash: c375c089ed389576a27ecb1fd5347084a693c0e9011798fba6b2f82a7258acdd
              • Instruction Fuzzy Hash: C6712A7121424AAFE314CE49C888E7BB7BCFBD8309F24494CB69147261D771BD49EBA1
              APIs
              • SetFilePointer.KERNELBASE(B80A74C0,0002A2E9,00000000,00000000,?,?,?,00F702D9,?,?,?,?,?,00000000), ref: 00F6FBB7
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: FilePointer
              • String ID:
              • API String ID: 973152223-0
              • Opcode ID: b3ff1ae4068abf005c5db6826e04257809c6dd153b4ebb1ffa4e29013af9c1fd
              • Instruction ID: 09229afdb674d00c3f21c7a8a4fbeb1a8c6fa6e9dabd5540bebce007ca99e18d
              • Opcode Fuzzy Hash: b3ff1ae4068abf005c5db6826e04257809c6dd153b4ebb1ffa4e29013af9c1fd
              • Instruction Fuzzy Hash: C75174B2D052169BD720CF68F940A26B3A4AF45374F144B39EC61872D2D731ED1CE792
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 40e222d8a7e1b9b23c8c5e97565ee86aaa3fec0953f7e8819aba457b320d0acb
              • Instruction ID: 81ef8849e4289a1102beab5d2b304c0a318b65adb78ae6f4bb2ed06a9d4c696b
              • Opcode Fuzzy Hash: 40e222d8a7e1b9b23c8c5e97565ee86aaa3fec0953f7e8819aba457b320d0acb
              • Instruction Fuzzy Hash: 27518776A007018FC730CF29E88061AB7E0FF95325F144A2EE89687B61D776E94CDB91
              APIs
              • _malloc.LIBCMT ref: 00F910BC
                • Part of subcall function 00FDE798: __FF_MSGBANNER.LIBCMT ref: 00FDE7BB
                • Part of subcall function 00FDE798: __NMSG_WRITE.LIBCMT ref: 00FDE7C2
                • Part of subcall function 00FDE798: RtlAllocateHeap.NTDLL(00000000,?), ref: 00FDE80F
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: AllocateHeap_malloc
              • String ID:
              • API String ID: 501242067-0
              • Opcode ID: d60c084cedc967828ddb8997e43d15c50f72619c9e83109321c40d255bc386fd
              • Instruction ID: 845dbb1ec9d7e8d4c78781214ac43489bd098f83c07e420b6b2e00325c513512
              • Opcode Fuzzy Hash: d60c084cedc967828ddb8997e43d15c50f72619c9e83109321c40d255bc386fd
              • Instruction Fuzzy Hash: 7021466910C3D54FD7268B698880436FFE69EEA304B0DC4EEE4D54B353D12BE94AE721
              APIs
              • SetFilePointer.KERNELBASE(?,?,00000000,00000000,?,?,00000000,?,00000000,00F7076F,?), ref: 00F6F3AE
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: FilePointer
              • String ID:
              • API String ID: 973152223-0
              • Opcode ID: d71fb8e3c406b09cd67c11c991636e3e46447a086bf10e4313607ff6d079df2f
              • Instruction ID: fe2a0d3a2fa8ce34ad25a91c466c4fc6fadece176108b3f94160cf716eae4146
              • Opcode Fuzzy Hash: d71fb8e3c406b09cd67c11c991636e3e46447a086bf10e4313607ff6d079df2f
              • Instruction Fuzzy Hash: 3C21F0B1A087429BE720DF18E88271ABB91EB50364F14443EE685C7353D375D99C9386
              APIs
              • SetFilePointer.KERNELBASE(?,?,00000000,00000000,?,?,00000000,?,00000000,00F7076F,?), ref: 00F6F3AE
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: FilePointer
              • String ID:
              • API String ID: 973152223-0
              • Opcode ID: b39551bb66a390fba696d74984b60caa8889c0b27e153d58737e16255e509069
              • Instruction ID: f0a790231f168f2b7be7f6a8d4235c06b7661b030413dcfe098b0360fd223d0f
              • Opcode Fuzzy Hash: b39551bb66a390fba696d74984b60caa8889c0b27e153d58737e16255e509069
              • Instruction Fuzzy Hash: 1A2121B1E087429BE720DF28E88271ABB91EB50364F14443EE681C7393D335D98CE386
              APIs
              • CreateWindowExW.USER32(?,00000000), ref: 00F495F1
                • Part of subcall function 00F499A0: _memset.LIBCMT ref: 00F499AE
                • Part of subcall function 00F499A0: GetClassInfoExW.USER32(00000000,00000000), ref: 00F499D5
                • Part of subcall function 00F499A0: GetClassInfoExW.USER32(00F10000,00000000), ref: 00F499F1
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: ClassInfo$CreateWindow_memset
              • String ID:
              • API String ID: 834990534-0
              • Opcode ID: db06c7c3f9a1c9aaf7f5398efa2a3d639dcfa13ed76b093cf6f9713724911fc9
              • Instruction ID: 395225b11f6c1dcecfa18d82962cf053a8527975c1c164363ca6b59790087693
              • Opcode Fuzzy Hash: db06c7c3f9a1c9aaf7f5398efa2a3d639dcfa13ed76b093cf6f9713724911fc9
              • Instruction Fuzzy Hash: 18112AB13145155F8B14DF9CDC50DAB77E9AF8D310B148249FD48C3381EA66EC11CBA5
              APIs
              • GdiplusStartup.GDIPLUS(?,?,00000000,?,00F7AD5A,8F2D4ADD,?,00000000,00FFFC88,000000FF,00F52A03,00000000), ref: 00F696BE
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: GdiplusStartup
              • String ID:
              • API String ID: 2503201367-0
              • Opcode ID: f29a3e46a3e7c5c600a6597dc7c7f17d6a26b95937504215bab4410901dd9cba
              • Instruction ID: 0f8d15d153e551c6f5be5cc10ecac26dc1bcd7f693dda452cb45f9e5b7cd0317
              • Opcode Fuzzy Hash: f29a3e46a3e7c5c600a6597dc7c7f17d6a26b95937504215bab4410901dd9cba
              • Instruction Fuzzy Hash: 96318EB050AB40CED3A1DF3895417A3BBE2AB95314F108A5EE0EE87241EB332175DF11
              APIs
              • ReadFile.KERNELBASE(?,00000000,?,?,00000000,00000000,00000404,00F6F3C3,00000404,00000001), ref: 00F6F05F
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: FileRead
              • String ID:
              • API String ID: 2738559852-0
              • Opcode ID: 1b1bc06c6a3f976c350cc28026cef802a08a09b01e321fc7a9f1c2035b16379e
              • Instruction ID: 46057683900b881489d074a2e1257b8a3c5b6fba628dbc567057601647f28516
              • Opcode Fuzzy Hash: 1b1bc06c6a3f976c350cc28026cef802a08a09b01e321fc7a9f1c2035b16379e
              • Instruction Fuzzy Hash: 6E0162726082157FE314CE69EC80AA6B7A9FB88314F148569F554C7541D332EC54D7E0
              APIs
              • std::_String_base::_Xlen.LIBCPMT ref: 00F126DB
                • Part of subcall function 00FDA04C: __EH_prolog3.LIBCMT ref: 00FDA053
                • Part of subcall function 00FDA04C: __CxxThrowException@8.LIBCMT ref: 00FDA07E
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: Exception@8H_prolog3String_base::_ThrowXlenstd::_
              • String ID:
              • API String ID: 1675473389-0
              • Opcode ID: 9535840bd936af5a078c1e75f24e8041c5dd5d403ce8e2726b897c551c176e81
              • Instruction ID: 4b4ad3c63f2513c40552cd7c26646f4ce1326bae07bce9ed2ae6b97c4f1735ee
              • Opcode Fuzzy Hash: 9535840bd936af5a078c1e75f24e8041c5dd5d403ce8e2726b897c551c176e81
              • Instruction Fuzzy Hash: 12F05E32B145214A9FB9EE79AD418BB32E7EFD4720329CA2DE482CB1C4DD2098C56355
              APIs
              • __lock_file.LIBCMT ref: 00FDC595
                • Part of subcall function 00FE0A22: __getptd_noexit.LIBCMT ref: 00FE0A22
                • Part of subcall function 00FDB267: __decode_pointer.LIBCMT ref: 00FDB272
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: __decode_pointer__getptd_noexit__lock_file
              • String ID:
              • API String ID: 3158947991-0
              • Opcode ID: b73575392c7a2532d17bf1fbafe19108e067421db34ece378cb27bbff79d5093
              • Instruction ID: 40334fdb5c612b814b6d88a3aec6c86d2efdfe51e85f289e85ecf8fc94930a8f
              • Opcode Fuzzy Hash: b73575392c7a2532d17bf1fbafe19108e067421db34ece378cb27bbff79d5093
              • Instruction Fuzzy Hash: 69F0A471C0021AEBCF22BFB5AC0298E3B62AF04710F088466F4145A251DB398A50FFD1
              APIs
              • __calloc_impl.LIBCMT ref: 00FDF8AF
                • Part of subcall function 00FE0A22: __getptd_noexit.LIBCMT ref: 00FE0A22
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: __calloc_impl__getptd_noexit
              • String ID:
              • API String ID: 1948755799-0
              • Opcode ID: 94d0ac00552a7d5b6355c5a4d03805b78c6e78311afaf8b3052fbd07bdf09e04
              • Instruction ID: 5e7291e4ff052a382a24b85b05ab980b858754f71b2ae7fd4b38904af574d494
              • Opcode Fuzzy Hash: 94d0ac00552a7d5b6355c5a4d03805b78c6e78311afaf8b3052fbd07bdf09e04
              • Instruction Fuzzy Hash: 5BE06D3190021AFBCF209A91DD01A9D73A99F40360F044076AD01AB201EAB88F08F7A1
              APIs
              • ShowWindow.USER32(00000000), ref: 00F80ED0
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: ShowWindow
              • String ID:
              • API String ID: 1268545403-0
              • Opcode ID: 009cbdb2ba07ca43777cd4200f8dc1e066de10e9561ea3e93973d5565479246a
              • Instruction ID: 7791e6bcbabefb4e05e8e78c30efacc9322c003e48e889f90340dbe839add662
              • Opcode Fuzzy Hash: 009cbdb2ba07ca43777cd4200f8dc1e066de10e9561ea3e93973d5565479246a
              • Instruction Fuzzy Hash: 05E06D706002159FD368DA28D584BABB3A2EB94320F414A6DF99687240CA79AC95DB60
              APIs
              • WideCharToMultiByte.KERNELBASE(00000003,00000000,00000004,000000FF,?,?,00000000,00000000,00F185D6,00000003), ref: 00F110CB
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: ByteCharMultiWide
              • String ID:
              • API String ID: 626452242-0
              • Opcode ID: 14413bfee3343e64a8a41d8d1761130c976473f8cde03b5edb344a636c12263c
              • Instruction ID: bc07e21a0c7f34cabda44874430f3d13aa2ff49b1817a2aacfbd36b15ddcf89f
              • Opcode Fuzzy Hash: 14413bfee3343e64a8a41d8d1761130c976473f8cde03b5edb344a636c12263c
              • Instruction Fuzzy Hash: C3D02E72B9822179E63042318C0AF63A5C89BA4F20F20C7147650D61C8EA64E8C0C2B4
              APIs
              • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 00FE47AB
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: CreateHeap
              • String ID:
              • API String ID: 10892065-0
              • Opcode ID: 19373c9747afcfc07e484c2b5a336ede61e094e41368818ec8d48f6194c0ccf1
              • Instruction ID: 279c449c7540b61667aa7d98df97e7f715728bdf9fa37861991a531f5cb235ab
              • Opcode Fuzzy Hash: 19373c9747afcfc07e484c2b5a336ede61e094e41368818ec8d48f6194c0ccf1
              • Instruction Fuzzy Hash: 60D05E729603486EDB219FB668087623BDCD384395F048439B84CC6144FA7AD950DB40
              APIs
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: __waccess_s
              • String ID:
              • API String ID: 4272103461-0
              • Opcode ID: 121c4f77d4c72d3789264fc0d0d617dc9724d87233f222cead199be475d85574
              • Instruction ID: 2413c95b14b51669e985ff0dfda046dde548fe6ef99dee383802bc29f5e9262d
              • Opcode Fuzzy Hash: 121c4f77d4c72d3789264fc0d0d617dc9724d87233f222cead199be475d85574
              • Instruction Fuzzy Hash: 9CC09B7305410D7F9F055DE5EC01C593F5AD7C07707144116F91C89591DD32D551A5C0
              APIs
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: __fsopen
              • String ID:
              • API String ID: 3646066109-0
              • Opcode ID: b5f1e3f8c0985568a2b975540194b91a49099896255c8aa19d8b1f82aed34cac
              • Instruction ID: ee37ed7445ac277533e259abdbe4ffcffa0475b608ffaf76e59330ece9888de6
              • Opcode Fuzzy Hash: b5f1e3f8c0985568a2b975540194b91a49099896255c8aa19d8b1f82aed34cac
              • Instruction Fuzzy Hash: 44C09B7344010C77CF111A82DC02E453F1F97C0760F044011FB1C191619577DA61D5D9
              APIs
              • _calloc.LIBCMT ref: 00F6E9FA
                • Part of subcall function 00FDF89A: __calloc_impl.LIBCMT ref: 00FDF8AF
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: __calloc_impl_calloc
              • String ID:
              • API String ID: 2108883976-0
              • Opcode ID: 4e2182e4b423de67d637deb6ccc7b446b136eacaa7299d7c5a54af367c121ca9
              • Instruction ID: 6587b82a4c8c71f1511dd359bdc047d4c790b5dd60db9e84a69b62dc0c1af91f
              • Opcode Fuzzy Hash: 4e2182e4b423de67d637deb6ccc7b446b136eacaa7299d7c5a54af367c121ca9
              • Instruction Fuzzy Hash: F9B012B95042007FC508E710DC41C2BB39AEFC4201F848D1DBC4946300E539DC08D623
              APIs
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: ___getlocaleinfo
              • String ID:
              • API String ID: 1937885557-0
              • Opcode ID: 77f6aa72a95c27c4c9a4d89ad5578ec5411739d8a9a1ef6ddc25b9ae69f14d63
              • Instruction ID: aae54744e9a39159708f35c46af409e6b10debbfd64947526eaa98c3b559759d
              • Opcode Fuzzy Hash: 77f6aa72a95c27c4c9a4d89ad5578ec5411739d8a9a1ef6ddc25b9ae69f14d63
              • Instruction Fuzzy Hash: 35E1F3B290025DBEFF12DAE1CC41DFF7BBDEB44788F04052BB255D6041EA74AA05AB60
              APIs
              • _memset.LIBCMT ref: 00FBA20F
              • __wcstoui64.LIBCMT ref: 00FBA2CC
              • __wcstoui64.LIBCMT ref: 00FBA2F8
              • getsockname.WS2_32(?,?,?), ref: 00FBA383
              • WSAGetLastError.WS2_32 ref: 00FBA391
              • _strncpy.LIBCMT ref: 00FBA3DA
              • WSAGetLastError.WS2_32 ref: 00FBA4D9
              • htons.WS2_32(00000000), ref: 00FBA549
              • bind.WS2_32(?,?,?), ref: 00FBA563
              • WSAGetLastError.WS2_32 ref: 00FBA571
              • getsockname.WS2_32 ref: 00FBA5B9
              • WSAGetLastError.WS2_32 ref: 00FBA5E6
              • getsockname.WS2_32(?,?,?), ref: 00FBA68F
              • WSAGetLastError.WS2_32 ref: 00FBA699
              • listen.WS2_32(?,00000001), ref: 00FBA6D5
              • WSAGetLastError.WS2_32 ref: 00FBA6DF
                • Part of subcall function 00FD0610: GetLastError.KERNEL32(?,00000000,00000000,?,00FA8580,00000004,00000000), ref: 00FD0614
                • Part of subcall function 00FD0610: _strerror.LIBCMT ref: 00FD0649
                • Part of subcall function 00FD0610: _strncpy.LIBCMT ref: 00FD0653
                • Part of subcall function 00FD0610: _strrchr.LIBCMT ref: 00FD06AB
                • Part of subcall function 00FD0610: _strrchr.LIBCMT ref: 00FD06C6
                • Part of subcall function 00FD0610: GetLastError.KERNEL32 ref: 00FD06EE
                • Part of subcall function 00FD0610: SetLastError.KERNEL32(?), ref: 00FD06FD
              • htons.WS2_32(?), ref: 00FBA746
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: ErrorLast$getsockname$__wcstoui64_strncpy_strrchrhtons$_memset_strerrorbindlisten
              • String ID: %s %s$%s |%d|%s|%hu|$,%d,%d$EPRT$Failure sending EPRT command: %s$Failure sending PORT command: %s$PORT$bind() failed, we ran out of ports!$bind(port=%hu) failed: %s$bind(port=%hu) on non-local address failed: %s$failed to resolve the address provided to PORT: %s$getsockname() failed: %s$socket failure: %s
              • API String ID: 2164481949-2383553807
              • Opcode ID: 912339c55cfbd1336a6140608413ed3cc255d78dbf3a6c2f7d25183cf9dd338a
              • Instruction ID: f38df58e13214feda6975bcf566a4f58ca4d0ec3cfb2ab69da8ddc19bbd0a552
              • Opcode Fuzzy Hash: 912339c55cfbd1336a6140608413ed3cc255d78dbf3a6c2f7d25183cf9dd338a
              • Instruction Fuzzy Hash: 2802D4B1904341ABD321AF66CC45FBB73E9EF85304F04491DF48587242EB7AD905ABA3
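              The strings of this function ("EPRT", "PORT", "bind() failed, we ran out of ports!", "Failure sending EPRT command: %s") and its getsockname, bind, listen(backlog 1) sequence are those of an FTP active-mode data connection, and the messages are identical to the ones in libcurl's ftp.c; "Unknown error %d (%#x)" and the "%02d:%02d:%02d%n" scanner listed further down match libcurl's strerror.c and parsedate.c in the same way, which points to a statically linked libcurl rather than a bespoke listener. That is what the "open a port and listen for incoming connection (possibly a backdoor)" signature is keyed on: the socket is bound to an ephemeral port and closed after one data transfer, and whether this path is ever reached depends on an ftp:// URL being fetched in active mode, which the static listing alone does not establish. The following Python re-creates the sequence so that the command strings the function formats can be recognised on the wire; it is an added analyst example, not EDownloader's or libcurl's code, and binding to 127.0.0.1 is an assumption made so it runs offline (libcurl binds the address of the control connection).

```python
import socket

# Added example: analyst re-creation of the report's getsockname/bind/listen
# function (FTP active mode). Not EDownloader's code and not libcurl's.


def port_command(ip: str, port: int) -> str:
    """Classic FTP PORT argument: dotted quad with commas, then the port as two
    decimal bytes (the report's ",%d,%d" tail appended to "%s %s")."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return "PORT " + ip.replace(".", ",") + ",%d,%d" % (port >> 8, port & 0xFF)


def eprt_command(ip: str, port: int, family: int = 1) -> str:
    """RFC 2428 EPRT argument (the report's "%s |%d|%s|%hu|" template);
    family 1 is IPv4, 2 is IPv6."""
    return "EPRT |%d|%s|%d|" % (family, ip, port)


def parse_port_command(line: str):
    """Server-side (or IDS-side) view: recover the address and port the client
    will be listening on. Returns (ip, port) or raises ValueError."""
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError("not a PORT command")
    fields = arg.split(",")
    if len(fields) != 6:
        raise ValueError("PORT needs six comma-separated numbers")
    nums = [int(f) for f in fields]
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError("byte out of range")
    ip = ".".join(str(n) for n in nums[:4])
    port = (nums[4] << 8) | nums[5]
    if port == 0:
        raise ValueError("port 0 is not valid")
    return ip, port


def open_active_data_socket(local_ip: str = "127.0.0.1") -> socket.socket:
    """Mirror of the call sequence in the report: bind an ephemeral port on the
    local address, listen with backlog 1, then let the caller getsockname() to
    learn the chosen port. Loopback is an assumption for offline use."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((local_ip, 0))   # port 0: the kernel picks an ephemeral port
    s.listen(1)             # listen(?, 00000001) in the report
    return s


def demo_active_mode(local_ip: str = "127.0.0.1") -> dict:
    """Open the data socket, derive both command forms, close it again.
    In the client the socket lives only for one data transfer."""
    s = open_active_data_socket(local_ip)
    try:
        ip, port = s.getsockname()[:2]   # getsockname.WS2_32 in the report
        return {
            "ip": ip,
            "port": port,
            "port_cmd": port_command(ip, port),
            "eprt_cmd": eprt_command(ip, port),
        }
    finally:
        s.close()


if __name__ == "__main__":
    print(demo_active_mode())
```

              A network sensor watching the FTP control channel sees the PORT or EPRT line and, with parse_port_command, knows which client port will briefly accept a connection; that is the expected footprint of this code, and an unsolicited listener that persists outside an FTP session is the thing that would actually merit the backdoor label.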
              APIs
              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,8F2D4ADD,?,?,00000000), ref: 00F150FB
              • CloseHandle.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00FFE068), ref: 00F15116
              • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000000), ref: 00F1515A
              • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?,?,00000000), ref: 00F15186
              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000), ref: 00F1520F
              • CryptHashData.ADVAPI32(?,00000000,?,00000000), ref: 00F15233
              • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00F15254
              • CryptGetHashParam.ADVAPI32 ref: 00F15278
              • CryptGetHashParam.ADVAPI32 ref: 00F152EA
              • _sprintf.LIBCMT ref: 00F1530F
              • CryptDestroyHash.ADVAPI32(?,00000000,00000000), ref: 00F1534D
              • CryptReleaseContext.ADVAPI32(?,00000000), ref: 00F1536B
              • GetFileSize.KERNEL32(00000000,00000000,?,00000000), ref: 00F1519F
                • Part of subcall function 00F96A40: GetLocalTime.KERNEL32(?,00000000,74DF2EE0,00F1553E,Install recomand return=%ld,?), ref: 00F96A71
                • Part of subcall function 00F96A40: _memset.LIBCMT ref: 00F96A83
                • Part of subcall function 00F96A40: GetCurrentThreadId.KERNEL32 ref: 00F96AA3
                • Part of subcall function 00F96A40: __snprintf.LIBCMT ref: 00F96AB6
                • Part of subcall function 00F96A40: _vswprintf_s.LIBCMT ref: 00F96AD7
                • Part of subcall function 00F96A40: OutputDebugStringA.KERNELBASE(?), ref: 00F96B06
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: Crypt$Hash$File$CloseContextCreateHandleParam$AcquireCurrentDataDebugDestroyLocalOutputReadReleaseSizeStringThreadTime__snprintf_memset_sprintf_vswprintf_s
              • String ID: %02x$CreateFile go wrong $CryptAcquireContext go wrong$CryptCreateHash go wrong$CryptDestroyHash go wrong$CryptHashData go wrong$CryptReleaseContext go wrong$GetFileSize go wrong$ReadFile go wrong$get length wrong$lpReadFileBuffer allocation failed$pbHash allocation failed
              • API String ID: 1612529147-576794067
              • Opcode ID: b7010b2e6cc008f521e31a4ce80b81e9beddb891fe638256a729d5b8ae6f2e04
              • Instruction ID: 66dc9bbf0fd4be082e920c755eab27919ea73719203d870a283189bf32635d20
              • Opcode Fuzzy Hash: b7010b2e6cc008f521e31a4ce80b81e9beddb891fe638256a729d5b8ae6f2e04
              • Instruction Fuzzy Hash: B79105B1508300EFE710EF64DC41B6BB7E9AB84B44F04452CF486E7241D779E94497A3
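              Read together, the calls in this function are a file digest: CreateFileW with GENERIC_READ (0x80000000) and OPEN_EXISTING (3), CryptAcquireContextW with dwProvType 1 (PROV_RSA_FULL) and dwFlags 0xF0000000 (CRYPT_VERIFYCONTEXT, no persistent key container), CryptCreateHash with ALG_ID 0x8003 (CALG_MD5), a ReadFile/CryptHashData loop sized by GetFileSize, CryptGetHashParam to fetch the value, and _sprintf("%02x") to render it as lowercase hex. This is what the "Uses Microsoft's Enhanced Cryptographic Provider" signature is keyed on, and the "do not need check md5" string in a later function suggests the digest is an optional check on the downloaded setup. The Python below re-creates the computation with hashlib and adds a comparison routine; it is an added analyst example, not EDownloader's code. The wincrypt.h constants are fixed values; the 4096-byte read size is an assumption, since the report does not show the buffer size the installer allocates.

```python
import hashlib
import hmac

# Added example: analyst re-creation of the CryptoAPI hashing function in the
# report, built on hashlib. Not EDownloader's code. Constant values come from
# wincrypt.h; the 4096-byte chunk size is an assumption.

# ALG_ID values from wincrypt.h, restricted to algorithms hashlib provides.
ALG_IDS = {
    0x8003: ("CALG_MD5", "md5"),
    0x8004: ("CALG_SHA1", "sha1"),
    0x800C: ("CALG_SHA_256", "sha256"),
    0x800D: ("CALG_SHA_384", "sha384"),
    0x800E: ("CALG_SHA_512", "sha512"),
}
PROV_RSA_FULL = 1                 # dwProvType in CryptAcquireContextW(?,0,0,1,...)
CRYPT_VERIFYCONTEXT = 0xF0000000  # dwFlags: ephemeral context, no key container


def decode_alg_id(alg_id: int) -> str:
    """Name the ALG_ID passed to CryptCreateHash (0x8003 in the report)."""
    try:
        return ALG_IDS[alg_id][0]
    except KeyError:
        raise ValueError("unsupported or non-hash ALG_ID 0x%04x" % alg_id)


def hash_like_cryptoapi(alg_id: int, data: bytes, chunk_size: int = 4096) -> str:
    """CryptCreateHash, then ReadFile/CryptHashData per chunk, then
    CryptGetHashParam(HP_HASHVAL) rendered with "%02x" per byte.
    Feeding the data in chunks reproduces the ReadFile loop exactly."""
    if chunk_size <= 0:
        raise ValueError("chunk_size must be positive")
    decode_alg_id(alg_id)                      # reject unknown ALG_IDs early
    h = hashlib.new(ALG_IDS[alg_id][1])        # CryptCreateHash
    for off in range(0, len(data), chunk_size):
        h.update(data[off:off + chunk_size])   # CryptHashData after each ReadFile
    return "".join("%02x" % b for b in h.digest())   # the _sprintf("%02x") loop


def verify_download(data: bytes, expected_hex: str, alg_id: int = 0x8003) -> bool:
    """Compare the computed digest with one supplied as hex, case-insensitively
    and in constant time. A match rules out transit corruption; it does not by
    itself authenticate the file when the expected digest arrives over the same
    channel as the file, and MD5 collisions are practical, so an Authenticode
    check on the downloaded PE is the control to rely on."""
    actual = hash_like_cryptoapi(alg_id, data)
    return hmac.compare_digest(actual, expected_hex.strip().lower())


if __name__ == "__main__":
    sample = b"MZ" + b"\x00" * 100   # constructed stand-in for a downloaded setup.exe
    print(decode_alg_id(0x8003), hash_like_cryptoapi(0x8003, sample))
```

              The same routine serves the analyst directly: hashing the dropped EDownloader.exe with alg_id 0x8003 reproduces the digest form the installer itself would log, which is convenient when matching its own "%02x" output against the report's MD5 column.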
              APIs
              • __time64.LIBCMT ref: 00F26F9C
                • Part of subcall function 00FDB986: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,00F163C6,00000000,8F2D4ADD), ref: 00FDB991
                • Part of subcall function 00FDB986: __aulldiv.LIBCMT ref: 00FDB9B1
                • Part of subcall function 00F159E0: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F15A79
                • Part of subcall function 00F12580: _memcpy_s.LIBCMT ref: 00F125FD
                • Part of subcall function 00F121D0: _memcpy_s.LIBCMT ref: 00F12255
              • _memset.LIBCMT ref: 00F27546
              • GetLocaleInfoW.KERNEL32(00000400,00001002,?,00000104), ref: 00F27565
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: Time_memcpy_s$FileInfoIos_base_dtorLocaleSystem__aulldiv__time64_memsetstd::ios_base::_
              • String ID: Country$DOWNLOAD_VERSION$DOWNLOAD_VERSION_USER_INFO$Downloadfrom$Downloadfrom$Elapsedtime$Errorinfo$Install_Finish$Install_Language$Language$Pageid$Result$Result_Install_Program$Test_id$Version$Versionnumber$Versionnumber$exeNumber$result_fail
              • API String ID: 137583597-966982631
              • Opcode ID: 3160a3e918bbe2faea67af4b679c8dfbbded62de75e530d937fc92621adc553c
              • Instruction ID: edca1a4877202594cae5c000228cc278ba38cc2745b043821aa81f931960b8f8
              • Opcode Fuzzy Hash: 3160a3e918bbe2faea67af4b679c8dfbbded62de75e530d937fc92621adc553c
              • Instruction Fuzzy Hash: 08428AB050C3C0ABD325EB698C81B9FBBE5AFC8700F584A2DF58857241DB799548DB93
              APIs
                • Part of subcall function 00F176C0: GetSystemInfo.KERNEL32 ref: 00F17733
                • Part of subcall function 00F176C0: GetVersionExW.KERNEL32 ref: 00F1774C
                • Part of subcall function 00F176C0: LoadLibraryA.KERNEL32(ntdll.dll), ref: 00F1775C
                • Part of subcall function 00F176C0: GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 00F1776E
                • Part of subcall function 00F176C0: FreeLibrary.KERNEL32(00000000), ref: 00F1779A
              • lstrlenW.KERNEL32(?), ref: 00F182B3
              • WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,00000000,00000000,00000000), ref: 00F182E1
              • lstrlenW.KERNEL32(00000004,00000000,download_setup_url_free_before_win7,00000023), ref: 00F18435
              • lstrlenW.KERNEL32(00000004,00000000,download_setup_url_trial_before_win7), ref: 00F184FB
              • lstrlenA.KERNEL32(?,?,ad_,00000003,?,?,DOWNLOAD_VERSION), ref: 00F18618
              • MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,00000001), ref: 00F18644
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: lstrlen$ByteCharLibraryMultiWide$AddressFreeInfoLoadProcSystemVersion
              • String ID: DOWNLOAD_VERSION$Download_Failed$Download_Old$Url$ad_$download_setup_url_ad_before_win7$download_setup_url_free_before_win7$download_setup_url_trial_before_win7$free$the system's name is $the system's version is greater than or equal win7$the system's version is smaller than win7$trial
              • API String ID: 3529924728-3496699267
              • Opcode ID: 0c5f10f08fb714fdccff1157f7063935fe1dd1b02c8b4c78426cb51bb954aa4d
              • Instruction ID: aa84bfae9dee187d1a857fb46947431a15d9f29350e27ed637850b83cc3d3f7a
              • Opcode Fuzzy Hash: 0c5f10f08fb714fdccff1157f7063935fe1dd1b02c8b4c78426cb51bb954aa4d
              • Instruction Fuzzy Hash: 49024531D00354DBDB20DBB4CD417DEBB76AF45350F14819CE409AB282DF799A86EB92
              APIs
                • Part of subcall function 00F16FE0: GetTimeZoneInformation.KERNEL32(01014D18,01014D18), ref: 00F1705D
                • Part of subcall function 00F16FE0: swprintf.LIBCMT ref: 00F17110
              • _memset.LIBCMT ref: 00F3CDA5
              • GetLocaleInfoW.KERNEL32(00000400,00001002,?,00000104,?,?,?), ref: 00F3CDC4
                • Part of subcall function 00F12580: _memcpy_s.LIBCMT ref: 00F125FD
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: InfoInformationLocaleTimeZone_memcpy_s_memsetswprintf
              • String ID: Click_Install$Country$DIR$DOWNLOAD_VERSION$FreeVersionName$H4f$Home_Installer$Install_Path$LANG$Language$Pageid$Timezone$exeNumber$productContrastPage
              • API String ID: 4036348029-1938298312
              • Opcode ID: beac668028dd1d01b78978cb6dddf04601a4cd5b9878dccd66eed3be0f341648
              • Instruction ID: 5b9226ebb88fbee581e58d11e8cd9e572472576b31ab4cce2accc8477960f683
              • Opcode Fuzzy Hash: beac668028dd1d01b78978cb6dddf04601a4cd5b9878dccd66eed3be0f341648
              • Instruction Fuzzy Hash: F4729BB19083809BD731EF65C882B9FB7E5BF94310F048A2EF58957241DBB89548DB93
              APIs
                • Part of subcall function 00F1BB00: std::_String_base::_Xlen.LIBCPMT ref: 00F1BB5C
                • Part of subcall function 00F1BB00: _memcpy_s.LIBCMT ref: 00F1BBB6
              • lstrlenW.KERNEL32(?,00000000,download_setup_url_trial), ref: 00F2C945
              • WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,?,00000000,00000000), ref: 00F2C97E
              • lstrlenW.KERNEL32(?,00000000,00000001), ref: 00F2C9E0
              • WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,?,00000000,00000000), ref: 00F2CA19
              • lstrlenA.KERNEL32(?,?,00000000,00000000,000000FF,000000FF,DOWNLOAD_VERSION,00000010,?,?,?,?,?,?,00000018), ref: 00F2CB7D
              • MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,00000001,?,?,?,?,?,?,00000018), ref: 00F2CBAF
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: ByteCharMultiWidelstrlen$String_base::_Xlen_memcpy_sstd::_
              • String ID: DOWNLOAD_VERSION$Download_Default$Download_Failed$Url$do not need check md5$download_setup_url_free$download_setup_url_trial$free
              • API String ID: 1177619202-1148718834
              • Opcode ID: c86e7c071bc9b3eb8c356b7ba225f2938331c4fcdeba173d53599b9a71165f31
              • Instruction ID: 4ad9cc7fc31e30edfb1a0730730e45c9ab613eb00ba11135b8beb2094138bb4f
              • Opcode Fuzzy Hash: c86e7c071bc9b3eb8c356b7ba225f2938331c4fcdeba173d53599b9a71165f31
              • Instruction Fuzzy Hash: 1502D0B1D01268DBDB20DFA8CC41BDEBBB5BF44310F1482ADE419A7281DB795A84DF91
              APIs
              • __time64.LIBCMT ref: 00F163C1
                • Part of subcall function 00FDB986: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,00F163C6,00000000,8F2D4ADD), ref: 00FDB991
                • Part of subcall function 00FDB986: __aulldiv.LIBCMT ref: 00FDB9B1
                • Part of subcall function 00F159E0: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F15A79
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F164FC
              • lstrlenA.KERNEL32(010151FC,00000000,00000000,000000FF,?,000000FF,?,Elapsedtime,0000000B,?), ref: 00F16637
              • MultiByteToWideChar.KERNEL32(00000003,00000000,010151FC,000000FF,?,00000001), ref: 00F16666
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: Time$ByteCharFileIos_base_dtorMultiSystemUnothrow_t@std@@@Wide__aulldiv__ehfuncinfo$??2@__time64lstrlenstd::ios_base::_
              • String ID: Average_Networkspeed$Cdn$Downloading$Elapsedtime$Errorinfo$Failed$Result$Result_Download_Program$Success
              • API String ID: 2797415940-1120128802
              • Opcode ID: cd20cdbcc8d1bffdc0dad3c73aa2eebfb9bf851eaefc89a2dd9a3c17b147d2f5
              • Instruction ID: ee77a5f176aa03e7619c842bce3aa85229a370c6493da8c67914f51a30c6d9ab
              • Opcode Fuzzy Hash: cd20cdbcc8d1bffdc0dad3c73aa2eebfb9bf851eaefc89a2dd9a3c17b147d2f5
              • Instruction Fuzzy Hash: 14D1B371D01248EBDF01DFE9CC81ADFBBB5AF44314F18412DE505B7241EA796A84DB91
              APIs
                • Part of subcall function 00F1BB00: std::_String_base::_Xlen.LIBCPMT ref: 00F1BB5C
                • Part of subcall function 00F1BB00: _memcpy_s.LIBCMT ref: 00F1BBB6
                • Part of subcall function 00F12580: _memcpy_s.LIBCMT ref: 00F125FD
                • Part of subcall function 00F16280: GetCurrentProcess.KERNEL32(000F01FF,?,?,?,?,?,?,Click_Close,0000000B), ref: 00F1628D
                • Part of subcall function 00F16280: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,Click_Close,0000000B), ref: 00F16294
              • ExitWindowsEx.USER32(00000006,00040000), ref: 00F2636A
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: Process_memcpy_s$CurrentExitOpenString_base::_TokenWindowsXlenstd::_
              • String ID: Click_Close$Click_Later$Click_Restart$Later$Restart$RestartPCTipDialog.xml$Restart_Prompt$btn_Restartnow$lb_RestartText$lb_RestartTip
              • API String ID: 2925917507-3534793505
              • Opcode ID: 3a39417cb569e3fa39c4c4de55f84984bbfb8f6e943c3f5a928645f0baa3486a
              • Instruction ID: 43eaf1197b71d8d26c24583f7d82a83ac1f2af17f52666f1c9f9d4e98e97617e
              • Opcode Fuzzy Hash: 3a39417cb569e3fa39c4c4de55f84984bbfb8f6e943c3f5a928645f0baa3486a
              • Instruction Fuzzy Hash: C08191709083C09BD720EF38C94279BBBE5AB85714F54455DF5884B282DBBA9449CBE3
              APIs
              • GetWindowRect.USER32(?,?), ref: 00F4978C
              • GetParent.USER32(?), ref: 00F497A8
              • GetWindow.USER32(?,00000004), ref: 00F497B4
              • MonitorFromWindow.USER32 ref: 00F497FC
              • GetMonitorInfoW.USER32(00000000), ref: 00F49803
              • IsIconic.USER32(00000000), ref: 00F4982E
              • GetWindowRect.USER32(00000000,?), ref: 00F4983E
              • SetWindowPos.USER32(?,00000000,?,?,000000FF,000000FF,00000015), ref: 00F498E1
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: Window$MonitorRect$FromIconicInfoParent
              • String ID: (
              • API String ID: 1680950861-3887548279
              • Opcode ID: 99f61b66fb4eae799dffc6d5e603ef53fa3720e028a07a97a09f75998c167510
              • Instruction ID: 595e0e9f5373f0b0cd0b704f2ff41118489612ef339e665af1be18994b3ab694
              • Opcode Fuzzy Hash: 99f61b66fb4eae799dffc6d5e603ef53fa3720e028a07a97a09f75998c167510
              • Instruction Fuzzy Hash: EC51F3B1A083019FC350CF2DC984A1BFBE6BB89750F458A2DF999D3254E775E9048B92
              APIs
              • GetLastError.KERNEL32(?,00000000,00000000,?,00FA8580,00000004,00000000), ref: 00FD0614
                • Part of subcall function 00FE0A22: __getptd_noexit.LIBCMT ref: 00FE0A22
              • _strerror.LIBCMT ref: 00FD0649
                • Part of subcall function 00FE25F6: __getptd_noexit.LIBCMT ref: 00FE25FD
              • _strncpy.LIBCMT ref: 00FD0653
              • FormatMessageA.KERNEL32(00001000,00000000,?,00000000,?,000000FF,00000000), ref: 00FD0682
              • _strrchr.LIBCMT ref: 00FD06AB
              • _strrchr.LIBCMT ref: 00FD06C6
              • GetLastError.KERNEL32 ref: 00FD06EE
              • SetLastError.KERNEL32(?), ref: 00FD06FD
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: ErrorLast$__getptd_noexit_strrchr$FormatMessage_strerror_strncpy
              • String ID: Unknown error %d (%#x)
              • API String ID: 2622127435-2414550090
              • Opcode ID: 1eddcd6f329a5b40d6866819df5b114cddd133e3f3a2f63241248532f649a642
              • Instruction ID: cc33e794544c5d4013ee8e3377ee09d0c8949c7f33b003bdeebf7a64b76a93a3
              • Opcode Fuzzy Hash: 1eddcd6f329a5b40d6866819df5b114cddd133e3f3a2f63241248532f649a642
              • Instruction Fuzzy Hash: 3221DB71A012426AE63227359C45F3F769A9FD2755F0C003AF8459B382EE6ED810B7B2
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID:
              • String ID: .ini$Click_Language$Home_Installer$Install_Language$Language$text
              • API String ID: 0-1637465603
              • Opcode ID: 9b3569c2f3a4cdd6c7b8e21b50815486829aad6395e7fc3f01a83d9b480539a3
              • Instruction ID: 7a0716777ee74fa2bcbdb8f38bd095f9f28e17edb12bf0896724adfc799770cf
              • Opcode Fuzzy Hash: 9b3569c2f3a4cdd6c7b8e21b50815486829aad6395e7fc3f01a83d9b480539a3
              • Instruction Fuzzy Hash: DCE1B171D00348DBDF10EFA8CC41BDEBBB5AF54324F18466DE409A7281EB759A84DB92
              APIs
              • lstrlenW.KERNEL32(?,00000000,00000000,000000FF,?,?,?,?,?,?,?,?,?,00000000), ref: 00F232CF
              • WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,00000007,00000000,00000000), ref: 00F23300
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: ByteCharMultiWidelstrlen
              • String ID: H4f$ProductName$successfully to download setup.exe ,url:%s$win_
              • API String ID: 3109718747-1349602888
              • Opcode ID: f53b66ba5a70969bbc7160e659ea8c029d9da5c10c1d6d2da65e8fc99e5a441e
              • Instruction ID: 7474151eb68ac50f1f15c71117e5af139216599715ccb60dba0d78e6781ef7d3
              • Opcode Fuzzy Hash: f53b66ba5a70969bbc7160e659ea8c029d9da5c10c1d6d2da65e8fc99e5a441e
              • Instruction Fuzzy Hash: 25E103B1D00254EBDB10DFA8DC46B9EBBB5AF04314F14425DF805AB381DB79AA44DBA2
              APIs
              • _swscanf.LIBCMT ref: 00FCF00A
                • Part of subcall function 00FDFA6E: _vscan_fn.LIBCMT ref: 00FDFA85
              • _swscanf.LIBCMT ref: 00FCF0C4
              • _swscanf.LIBCMT ref: 00FCF0F5
                • Part of subcall function 00FE0A22: __getptd_noexit.LIBCMT ref: 00FE0A22
              • __wcstoi64.LIBCMT ref: 00FCF125
                • Part of subcall function 00FE0949: strtoxl.LIBCMT ref: 00FE096A
              Strings
              • %31[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz], xrefs: 00FCEFFF
              • %02d:%02d%n, xrefs: 00FCF0EF
              • %02d:%02d:%02d%n, xrefs: 00FCF0BE
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: _swscanf$__getptd_noexit__wcstoi64_vscan_fnstrtoxl
              • String ID: %02d:%02d%n$%02d:%02d:%02d%n$%31[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz]
              • API String ID: 3019234080-1523987602
              • Opcode ID: d753a5912ea035c19d92d472be23e1ce54c0c020fd3ed104cdf42762b7ba4020
              • Instruction ID: 0ea56fbd784338f6691eda38676e51406a44f95360f12892d21a961b1e5b99a7
              • Opcode Fuzzy Hash: d753a5912ea035c19d92d472be23e1ce54c0c020fd3ed104cdf42762b7ba4020
              • Instruction Fuzzy Hash: 8EE1AFB1E083428FC714DF29CA42A6BF7E2ABD4720F544A3EF495C7291E775C9489B42
              APIs
              • GetSystemInfo.KERNEL32 ref: 00F17733
              • GetVersionExW.KERNEL32 ref: 00F1774C
              • LoadLibraryA.KERNEL32(ntdll.dll), ref: 00F1775C
              • GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 00F1776E
              • FreeLibrary.KERNEL32(00000000), ref: 00F1779A
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: Library$AddressFreeInfoLoadProcSystemVersion
              • String ID: RtlGetNtVersionNumbers$ntdll.dll
              • API String ID: 993833964-1263206204
              • Opcode ID: be0d71fe2dd05f639b968914c2a839cdae2698444445a80894f5609b46ecbd62
              • Instruction ID: 4cdef26ce1f1fee0ec8ee28f3cded4e1f127629e620c16b251495a8cc309416b
              • Opcode Fuzzy Hash: be0d71fe2dd05f639b968914c2a839cdae2698444445a80894f5609b46ecbd62
              • Instruction Fuzzy Hash: 3F517D7110C386DBD330EF58DC45BDBB3E8BB84714F504A1DF5A993280EB39A5889B62
              APIs
                • Part of subcall function 00F44A70: GetModuleHandleW.KERNEL32(kernel32,GetNativeSystemInfo,?,?,?,?,00F3B2FC,8F2D4ADD,?,?,?), ref: 00F44A7D
                • Part of subcall function 00F44A70: GetProcAddress.KERNEL32(00000000), ref: 00F44A84
                • Part of subcall function 00F1BB00: std::_String_base::_Xlen.LIBCPMT ref: 00F1BB5C
                • Part of subcall function 00F1BB00: _memcpy_s.LIBCMT ref: 00F1BBB6
                • Part of subcall function 00F15860: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,?,8F2D4ADD), ref: 00F15903
                • Part of subcall function 00F15860: _memset.LIBCMT ref: 00F1591D
                • Part of subcall function 00F15860: RegQueryValueExW.ADVAPI32(00000200,?,00000000,?,?,00000200), ref: 00F15959
                • Part of subcall function 00F15860: RegCloseKey.ADVAPI32(8F2D4ADD), ref: 00F1598F
              • IsWindow.USER32(?), ref: 00F3B6BD
              • PostMessageW.USER32(?,00000010,00000001,00000000), ref: 00F3B6D0
              • ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 00F3B73C
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: AddressCloseExecuteHandleMessageModuleOpenPostProcQueryShellString_base::_ValueWindowXlen_memcpy_s_memsetstd::_
              • String ID: DisplayIcon$RegistryAddress$RegistryName
              • API String ID: 3497597177-1137452039
              • Opcode ID: 2be9e471532f4c9a3a19537c1df258f7b04a093b7185402acfaf6b9a1644c095
              • Instruction ID: f7a37dfc3b5c804b4550f3eb89e5b5eb97e4dcb1893a6e0b16cd310999edc3e5
              • Opcode Fuzzy Hash: 2be9e471532f4c9a3a19537c1df258f7b04a093b7185402acfaf6b9a1644c095
              • Instruction Fuzzy Hash: BAE16AB1908380DFD320DF68C881B9BBBE5BF98710F044A2EF59987241EB799444DB97
              APIs
              • IsIconic.USER32(?), ref: 00F14B96
              • GetWindowRect.USER32(?,?), ref: 00F14BCB
              • OffsetRect.USER32(?,?,?), ref: 00F14BE4
              • CreateRoundRectRgn.GDI32(?,?,?,?,?,?), ref: 00F14C0A
              • SetWindowRgn.USER32(?,00000000,00000001), ref: 00F14C19
              • DeleteObject.GDI32(00000000), ref: 00F14C20
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: Rect$Window$CreateDeleteIconicObjectOffsetRound
              • String ID:
              • API String ID: 2749569207-0
              • Opcode ID: f16d37ddf1d2fd37e5ba5bf0a5a24e3341c71d02b21b2a8fbec2ba4f45d11a1f
              • Instruction ID: 18147ad66ce46ee4e34ae5e5bb2e0bb9dbbc39bf1f2b8c29ca6cb762c0341ecd
              • Opcode Fuzzy Hash: f16d37ddf1d2fd37e5ba5bf0a5a24e3341c71d02b21b2a8fbec2ba4f45d11a1f
              • Instruction Fuzzy Hash: 19215CB66083019FD314CF69D88496BF7E9FBD8714F00492EF98AC3200DA36E945CB62
              APIs
              • IsIconic.USER32(?), ref: 00F54DE8
              • GetWindowRect.USER32(?,?), ref: 00F54E0F
              • OffsetRect.USER32(?,?,?), ref: 00F54E28
              • CreateRoundRectRgn.GDI32(?,?,?,?,00000004,00000004), ref: 00F54E50
              • SetWindowRgn.USER32(?,00000000,00000001), ref: 00F54E5F
              • DeleteObject.GDI32(00000000), ref: 00F54E66
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: Rect$Window$CreateDeleteIconicObjectOffsetRound
              • String ID:
              • API String ID: 2749569207-0
              • Opcode ID: 2434b5cb2266d76133a9d856e43f1aa6ee48e2284f9646f7bdda03e145a23f22
              • Instruction ID: adbb21b7c4db43252cd03068a7c7728c7d3cf32aee76b432729f2ddf955bd9b0
              • Opcode Fuzzy Hash: 2434b5cb2266d76133a9d856e43f1aa6ee48e2284f9646f7bdda03e145a23f22
              • Instruction Fuzzy Hash: 6011FBB5504302AFD314DF28C844AABBBE9FB88714F008A1DF999C3340D736E855CBA6
              APIs
              • GetCurrentProcess.KERNEL32(000F01FF,?,?,?,?,?,?,Click_Close,0000000B), ref: 00F1628D
              • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,Click_Close,0000000B), ref: 00F16294
              • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00F162B0
              • AdjustTokenPrivileges.ADVAPI32 ref: 00F162DC
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
              • String ID: SeShutdownPrivilege
              • API String ID: 2349140579-3733053543
              • Opcode ID: d29b967675643f97bf2134423a84b6d908ff37c00904df5f0aaa3f8b2f5860b1
              • Instruction ID: ca4016e4e16ee6e1e132092bdcf71f286cb0b2ca31dc7f0dc4a305a20a9d66fc
              • Opcode Fuzzy Hash: d29b967675643f97bf2134423a84b6d908ff37c00904df5f0aaa3f8b2f5860b1
              • Instruction Fuzzy Hash: 30F03070644301ABE720DF54DD0AF6B77A8BF84B01F44850CB689D9185D7BA95149B62
              APIs
              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00F454D8
              • Process32FirstW.KERNEL32 ref: 00F4552D
              • CloseHandle.KERNEL32(00000000), ref: 00F45537
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32
              • String ID:
              • API String ID: 1083639309-0
              • Opcode ID: d95c29f230be570fae827cba1fd1e7cb6413940efbeeabff405d4050744475d3
              • Instruction ID: f18e00e2b300e1c672402d0c08c8343c7feaa3a51a2aa9c8b5662c4f30f27fde
              • Opcode Fuzzy Hash: d95c29f230be570fae827cba1fd1e7cb6413940efbeeabff405d4050744475d3
              • Instruction Fuzzy Hash: B04174B15093809BD730FB64CC89BAFB7E9BF84714F14492EF58987242EA39A5049753
              APIs
              • IsDebuggerPresent.KERNEL32 ref: 00FE46E3
              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00FE46F8
              • UnhandledExceptionFilter.KERNEL32(01013338), ref: 00FE4703
              • GetCurrentProcess.KERNEL32(C0000409), ref: 00FE471F
              • TerminateProcess.KERNEL32(00000000), ref: 00FE4726
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
              • String ID:
              • API String ID: 2579439406-0
              • Opcode ID: a5c4e4ba0c945a6ad16f05e6df8c4c65132300a4cbd8d3953f8ddc2d545a876f
              • Instruction ID: 463cd1867f3186a9a67a545ec2c8fddead3060e46993aa2d5a7305aed678277a
              • Opcode Fuzzy Hash: a5c4e4ba0c945a6ad16f05e6df8c4c65132300a4cbd8d3953f8ddc2d545a876f
              • Instruction Fuzzy Hash: 3B21F2B8811A04FFD321DF26F4846443BACFB09314F10941AE48987B48E7BF5A828F59
              APIs
              • GetKeyState.USER32(00000011), ref: 00F4AB5C
              • GetKeyState.USER32(00000002), ref: 00F4AB6A
              • GetKeyState.USER32(00000001), ref: 00F4AB76
              • GetKeyState.USER32(00000010), ref: 00F4AB82
              • GetKeyState.USER32(00000012), ref: 00F4AB8E
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: State
              • String ID:
              • API String ID: 1649606143-0
              • Opcode ID: a2a80610b067c5fd958bb91bc240d40448f8efab9d59dcc0e224e079f8dfe529
              • Instruction ID: 16cdd445b7b8f9a6a0063e957aeff5407a38edc26316791166342886acb6e9c8
              • Opcode Fuzzy Hash: a2a80610b067c5fd958bb91bc240d40448f8efab9d59dcc0e224e079f8dfe529
              • Instruction Fuzzy Hash: 05E0126BEC166610ED1031D91C01FE999568FE0FE4F8301A4ED88371C8DDCA0D4326B3
              APIs
              • IsIconic.USER32(?), ref: 00F14CAD
              • CallWindowProcW.USER32(?,?,?,?,?), ref: 00F14D2A
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: CallIconicProcWindow
              • String ID:
              • API String ID: 799844899-0
              • Opcode ID: b3fda8a7d5a8001776f746c68bd6b81b35fed0703bc80a38815002efdc0472dc
              • Instruction ID: 8536ca30649f31d8d0f61492c1e772539373f676be0438fd11fdeed34c02a4a3
              • Opcode Fuzzy Hash: b3fda8a7d5a8001776f746c68bd6b81b35fed0703bc80a38815002efdc0472dc
              • Instruction Fuzzy Hash: 1F217C736042099BC710DF69F844AEBB7A8EBC4721F00896AFD54C7240DA36E9559BE1
              APIs
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: CurrentProcesshtons
              • String ID:
              • API String ID: 2530476045-0
              • Opcode ID: e951a99ba54fdc0935596768b38466c5e452e6a00c1d20631183c540b762bf7d
              • Instruction ID: 115678c56014179ac7919361547a4c87cde23a8d87181639757d2de0f5e69768
              • Opcode Fuzzy Hash: e951a99ba54fdc0935596768b38466c5e452e6a00c1d20631183c540b762bf7d
              • Instruction Fuzzy Hash: E80157B4514B419EC3609F79D490656BBF0FF28300B049A6E98EAC7B11E3B5A588CB95
              Strings
              • -----BEGIN PUBLIC KEY-----, xrefs: 00FA52E3
              • -----END PUBLIC KEY-----, xrefs: 00FA5309
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID:
              • String ID: -----END PUBLIC KEY-----$-----BEGIN PUBLIC KEY-----
              • API String ID: 0-1157147699
              • Opcode ID: d217018e532d3d16a6bf33b531f967e90654ce7174aeebf7abe282e8a08ceacd
              • Instruction ID: 792f5f7c418cc1428fc5379ff112506f59de0b0390d574f3f203a897524a5896
              • Opcode Fuzzy Hash: d217018e532d3d16a6bf33b531f967e90654ce7174aeebf7abe282e8a08ceacd
              • Instruction Fuzzy Hash: F0210BB6A047011BDB255A2CA8407B6B7D9DBD27A2F44057EF8C5C3241D764E805D6A1
              APIs
              • recv.WS2_32(?,?,00000001,00000002), ref: 00FAE0F2
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: recv
              • String ID:
              • API String ID: 1507349165-0
              • Opcode ID: 933577bdcc5449469979307fd8b35cd9e0e5979b0f808ae15972f6dabf5466b1
              • Instruction ID: f4054cc657e2bc031576a8c5b0ba7fe86944ac52c897459ccdc8de081b41c17f
              • Opcode Fuzzy Hash: 933577bdcc5449469979307fd8b35cd9e0e5979b0f808ae15972f6dabf5466b1
              • Instruction Fuzzy Hash: 06E086F0A043016EE6208734CC4DFA632D5AB51725FC8C6B4F418C24D1E7B9DC54E611
              APIs
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: Iconic
              • String ID:
              • API String ID: 110040809-0
              • Opcode ID: 13969d24a836e18503cf8b3c17ca6dfab82c42207bd7daec07fc7ff04fffb2dc
              • Instruction ID: 7e9cc838713c148b81f283553ff89eeb3a90285a06243a0d5cf879920f506d8b
              • Opcode Fuzzy Hash: 13969d24a836e18503cf8b3c17ca6dfab82c42207bd7daec07fc7ff04fffb2dc
              • Instruction Fuzzy Hash: 28D0C9B5614305ABC3158F30C64471A7BE4AB45381F04CC29A44186190DB36C400CB20
              APIs
              • GetLastError.KERNEL32(?,?,00000000,?,00FD066B,?,00000004,?,00FA8580,00000004,00000000), ref: 00FD028A
                • Part of subcall function 00FE0A22: __getptd_noexit.LIBCMT ref: 00FE0A22
              • _strncpy.LIBCMT ref: 00FD04AB
              • GetLastError.KERNEL32(00000004,00000000), ref: 00FD04C8
              • SetLastError.KERNEL32(?), ref: 00FD04D7
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: ErrorLast$__getptd_noexit_strncpy
              • String ID: Address already in use$Address family not supported$Address not available$Bad access$Bad argument$Bad file$Bad message size$Bad protocol$Bad quota$Blocking call in progress$Call interrupted$Call would block$Connection refused$Connection was aborted$Connection was reset$Descriptor is not a socket$Disconnected$Host down$Host not found$Host not found, try again$Host unreachable$Invalid arguments$Loop??$Name too long$Need destination address$Network down$Network has been reset$Network unreachable$No buffer space$No data record of requested type$Not empty$Operation not supported$Out of file descriptors$Process limit reached$Protocol family not supported$Protocol is unsupported$Protocol option is unsupported$Remote error$Socket has been shut down$Socket is already connected$Socket is not connected$Socket is unsupported$Something is stale$Timed out$Too many references$Too many users$Unrecoverable error in call to nameserver$Winsock library is not ready$Winsock library not initialised$Winsock version not supported
              • API String ID: 226764833-3442644082
              • Opcode ID: 1abe781cf148b1d4fd99d27791ccf2d409dc6281a8ec40b383ba72092744b5c8
              • Instruction ID: 14750fcf70b21414f9d4915fe6d837d974e26778ea1f8c2f6f15edd10dc83986
              • Opcode Fuzzy Hash: 1abe781cf148b1d4fd99d27791ccf2d409dc6281a8ec40b383ba72092744b5c8
              • Instruction Fuzzy Hash: E441C12362824A8761E6D118D105F39625BFB83328FBC813FABC2EE381CD259C417762
              APIs
                • Part of subcall function 00FB8AD0: _memset.LIBCMT ref: 00FB8AF8
                • Part of subcall function 00FB8AD0: _memset.LIBCMT ref: 00FB8B12
                • Part of subcall function 00FB8240: WSAStartup.WS2_32(00000002,8F2D4ADD), ref: 00FB825A
                • Part of subcall function 00FD0F50: GetModuleHandleW.KERNEL32(kernel32,00000000,00000000,?,00FA861E,secur32.dll,?,?,?,00F9D0EA), ref: 00FD0F5A
              • GetLastError.KERNEL32 ref: 00FB98AB
              • GetProcAddress.KERNEL32(00000000,WSACreateEvent), ref: 00FB98D7
              • GetLastError.KERNEL32 ref: 00FB98E1
              • FreeLibrary.KERNEL32(00000000), ref: 00FB98F7
              Strings
              • failed to find WSACreateEvent function (%u), xrefs: 00FB98E8
              • WSAEnumNetworkEvents, xrefs: 00FB9965
              • FreeLibrary(wsock2) failed (%u), xrefs: 00FB9D15
              • failed to find WSAEventSelect function (%u), xrefs: 00FB993D
              • Time-out, xrefs: 00FB9CCA
              • WSAEnumNetworkEvents failed (%d), xrefs: 00FB9BAC
              • , xrefs: 00FB9C3D
              • failed to load WS2_32.DLL (%u), xrefs: 00FB98B2
              • WSACloseEvent failed (%d), xrefs: 00FB9CF1
              • WSACreateEvent failed (%d), xrefs: 00FB99B7
              • failed to find WSAEnumNetworkEvents function (%u), xrefs: 00FB997C
              • failed to find WSACloseEvent function (%u), xrefs: 00FB9921
              • WSACloseEvent, xrefs: 00FB990A
              • WSAEventSelect, xrefs: 00FB9928
              • WSACreateEvent, xrefs: 00FB98D1
              • d, xrefs: 00FB9A47
              • WS2_32.DLL, xrefs: 00FB9894
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: ErrorLast_memset$AddressFreeHandleLibraryModuleProcStartup
              • String ID: $FreeLibrary(wsock2) failed (%u)$Time-out$WS2_32.DLL$WSACloseEvent$WSACloseEvent failed (%d)$WSACreateEvent$WSACreateEvent failed (%d)$WSAEnumNetworkEvents$WSAEnumNetworkEvents failed (%d)$WSAEventSelect$d$failed to find WSACloseEvent function (%u)$failed to find WSACreateEvent function (%u)$failed to find WSAEnumNetworkEvents function (%u)$failed to find WSAEventSelect function (%u)$failed to load WS2_32.DLL (%u)
              • API String ID: 1460278797-3724274948
              • Opcode ID: 17cce1d605d127ace70fa77fd9fb9ad273846d3493bb764c13346d34cb393285
              • Instruction ID: 90b951712f2662c58e3053595b7c59e29eaf006afc24b4c2e3ea9b0c992049c0
              • Opcode Fuzzy Hash: 17cce1d605d127ace70fa77fd9fb9ad273846d3493bb764c13346d34cb393285
              • Instruction Fuzzy Hash: 4CE1F8B1A083019FD720DF65CC84EAB7BE8EF84324F14852DFA4587241D6BAD845DFA2
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: ErrorLast$_strrchr$FormatMessage__getptd_noexit_strncpy
              • String ID: %s (0x%08X)$%s - %s$CRYPT_E_REVOKED$No error$SEC_E_CANNOT_INSTALL$SEC_E_CANNOT_PACK$SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.$SEC_E_INSUFFICIENT_MEMORY$SEC_E_INTERNAL_ERROR$SEC_E_INVALID_HANDLE$SEC_E_INVALID_TOKEN$SEC_E_LOGON_DENIED$SEC_E_MESSAGE_ALTERED$SEC_E_NOT_OWNER$SEC_E_NO_AUTHENTICATING_AUTHORITY$SEC_E_NO_CREDENTIALS$SEC_E_NO_IMPERSONATION$SEC_E_OUT_OF_SEQUENCE$SEC_E_QOP_NOT_SUPPORTED$SEC_E_SECPKG_NOT_FOUND$SEC_E_TARGET_UNKNOWN$SEC_E_UNKNOWN_CREDENTIALS$SEC_E_UNSUPPORTED_FUNCTION$SEC_I_COMPLETE_AND_CONTINUE$SEC_I_COMPLETE_NEEDED$SEC_I_CONTEXT_EXPIRED$SEC_I_CONTINUE_NEEDED$SEC_I_INCOMPLETE_CREDENTIALS$SEC_I_LOCAL_LOGON$SEC_I_NO_LSA_CONTEXT$SEC_I_RENEGOTIATE$SEC_I_SIGNATURE_NEEDED$Unknown error
              • API String ID: 501956867-2070339000
              • Opcode ID: b6c16ccad21a9ea1f60162e94bffab9a6a43fb8516cadb5efd7c8d6e1972c928
              • Instruction ID: 10c93d6ba7e1d71af6af7e53112d31cf304c3b33496d52e5372ee8d0f50c894b
              • Opcode Fuzzy Hash: b6c16ccad21a9ea1f60162e94bffab9a6a43fb8516cadb5efd7c8d6e1972c928
              • Instruction Fuzzy Hash: 0051DE3264C345DBD2215A18DC81B7A7296BBC1B08F98442BB4C2DF389DE6D9890B367
              APIs
              • IntersectRect.USER32(?,?,?), ref: 00F5AEC2
                • Part of subcall function 00F709E0: GetClipBox.GDI32(?,?), ref: 00F709FC
                • Part of subcall function 00F709E0: CreateRectRgnIndirect.GDI32(?), ref: 00F70A0D
                • Part of subcall function 00F709E0: CreateRectRgnIndirect.GDI32(?), ref: 00F70A17
                • Part of subcall function 00F709E0: ExtSelectClipRgn.GDI32(?,00000000,00000001), ref: 00F70A20
              • IntersectRect.USER32(?,?,?), ref: 00F5AFCE
              • IntersectRect.USER32(?,?,00000000), ref: 00F5B025
              • IntersectRect.USER32(?,?,00000000), ref: 00F5B055
              • SelectClipRgn.GDI32(?,?), ref: 00F5B0B8
              • DeleteObject.GDI32(?), ref: 00F5B0BF
              • DeleteObject.GDI32(?), ref: 00F5B0C6
              • SelectClipRgn.GDI32(?,?), ref: 00F5B0E9
              • DeleteObject.GDI32(?), ref: 00F5B0F6
              • DeleteObject.GDI32(?), ref: 00F5B0FD
              • IntersectRect.USER32(?,?,00000000), ref: 00F5B199
              • IntersectRect.USER32(?,?,00000000), ref: 00F5B1CD
              • SelectClipRgn.GDI32(?,?), ref: 00F5B1DD
              • SelectClipRgn.GDI32(?,?), ref: 00F5B206
              • IntersectRect.USER32(?,?,00000000), ref: 00F5B220
              • SelectClipRgn.GDI32(?,?), ref: 00F5B26B
              • DeleteObject.GDI32(?), ref: 00F5B278
              • DeleteObject.GDI32(?), ref: 00F5B27F
              • SelectClipRgn.GDI32(?,?), ref: 00F5B296
              • DeleteObject.GDI32(?), ref: 00F5B29F
              • DeleteObject.GDI32(?), ref: 00F5B2A6
              • SelectClipRgn.GDI32(?,?), ref: 00F5B2B2
              • DeleteObject.GDI32(?), ref: 00F5B2B5
              • DeleteObject.GDI32(?), ref: 00F5B2BC
              • IntersectRect.USER32(?,?,00000000), ref: 00F5B325
              • SelectClipRgn.GDI32(?,?), ref: 00F5B369
              • DeleteObject.GDI32(?), ref: 00F5B370
              • DeleteObject.GDI32(?), ref: 00F5B377
              • IntersectRect.USER32(?,?,00000000), ref: 00F5B3B7
              • SelectClipRgn.GDI32(?,?), ref: 00F5B3EE
              • DeleteObject.GDI32(?), ref: 00F5B3F5
              • DeleteObject.GDI32(?), ref: 00F5B3FC
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: DeleteObject$ClipRect$Select$Intersect$CreateIndirect
              • String ID:
              • API String ID: 2241121588-0
              APIs
              • CharNextW.USER32(?,?,?,?,00F68CCD,?,?), ref: 00F7E491
              • __wcstoui64.LIBCMT ref: 00F7E4A3
              • CharNextW.USER32(?,?,?,?,00F68CCD,?,?), ref: 00F7E4FA
              • __wcstoui64.LIBCMT ref: 00F7E50C
              • CharNextW.USER32(?,?,?,?,00F68CCD,?,?), ref: 00F7E561
              • __wcstoui64.LIBCMT ref: 00F7E573
              • CharNextW.USER32(?,?,?,?,00F68CCD,?,?), ref: 00F7E5CA
              • __wcstoui64.LIBCMT ref: 00F7E5DC
              Strings
              Similarity
              • API ID: CharNext__wcstoui64
              • String ID: disabledimage$fadedelta$fivestatusimage$focusedimage$focusedtextcolor$foreimage$hotbkcolor$hotforeimage$hotimage$hottextcolor$normalimage$pushedimage$pushedtextcolor
              • API String ID: 216335860-1272733750
              APIs
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FC71AE
              • __allrem.LIBCMT ref: 00FC71E1
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FC71EF
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FC71FF
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FC7233
              • __allrem.LIBCMT ref: 00FC7263
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FC7271
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FC7281
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FC72B4
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FC72E7
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FC730C
              Strings
              Similarity
              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$__allrem
              • String ID: %2I64d.%0I64dG$%2I64d.%0I64dM$%4I64dG$%4I64dM$%4I64dP$%4I64dT$%4I64dk$%5I64d
              • API String ID: 632788072-2102732564
              APIs
                • Part of subcall function 00F49FD0: _malloc.LIBCMT ref: 00F4A01D
              • CharNextW.USER32(?), ref: 00F74E17
              • __wcstoi64.LIBCMT ref: 00F74E41
              • CharNextW.USER32(?,?,?,?,000000FF), ref: 00F74E67
              • CharNextW.USER32(?,?,?,?,000000FF), ref: 00F74E8D
              • __wcslwr.LIBCMT ref: 00F74EE9
              • SelectObject.GDI32(00000000), ref: 00F74FE9
              • CharNextW.USER32(?), ref: 00F7590D
              • CharNextW.USER32(?), ref: 00F7591C
              Strings
              Similarity
              • API ID: CharNext$ObjectSelect__wcslwr__wcstoi64_malloc
              • String ID: bold$italic$underline
              • API String ID: 2718116904-1406305012
              APIs
              Strings
              Similarity
              • API ID: __wcstoi64_strncmp
              • String ID: %25$/$://$Invalid IPv6 address format$No valid port number in proxy string (%s)$Please URL encode %% as %%25, see RFC 6874.$Unsupported proxy '%s', libcurl is built without the HTTPS-proxy support.$Unsupported proxy scheme for '%s'$[$http:$https$socks$socks4$socks4a$socks5$socks5h
              • API String ID: 540414501-672486822
              APIs
              Strings
              Similarity
              • API ID: __wcstoi64
              • String ID: %s (%d)$%s (%d) %s (%d)$%s (%ld)$%s (%ld)$Malformed ACK packet, rejecting$blksize$blksize is larger than max supported$blksize is smaller than min supported$blksize parsed from OACK$got option=(%s) value=(%s)$invalid blocksize value in OACK packet$invalid tsize -:%s:- value in OACK packet$requested$server requested blksize larger than allocated$tsize$tsize parsed from OACK
              • API String ID: 398114495-895336422
              APIs
              • CreateCompatibleDC.GDI32(?), ref: 00F71200
              • CreateDIBSection.GDI32(?,00000000,00000000,?,00000000,00000000), ref: 00F71276
              • SelectObject.GDI32(00000000,00000000), ref: 00F71295
              • StretchBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 00F712C2
              • SelectObject.GDI32(00000000,?), ref: 00F712CE
              • DeleteObject.GDI32(?), ref: 00F712F4
              • DeleteDC.GDI32(00000000), ref: 00F712FB
              • CreateDIBSection.GDI32(?,00000000,00000000,?,00000000,00000000), ref: 00F71357
              • SelectObject.GDI32(00000000,00000000), ref: 00F71376
              • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,00CC0020), ref: 00F7139A
              • SelectObject.GDI32(00000000,?), ref: 00F713A6
              • SelectObject.GDI32(00000000,?), ref: 00F7142F
              • DeleteDC.GDI32(00000000), ref: 00F714D0
              Similarity
              • API ID: Object$Select$CreateDelete$Section$CompatibleStretch
              • String ID:
              • API String ID: 1102575708-0
              APIs
              • GdipCreateFromHDC.GDIPLUS(?,?,?,00000000), ref: 00F76F59
              • GdipSetSmoothingMode.GDIPLUS(?,00000004,?,?,?,00000000), ref: 00F76F69
              • GdipCreatePen1.GDIPLUS(?,?,00000000,00000004,?,00000004,?,?,?,00000000), ref: 00F76F83
              • GdipCreateSolidFill.GDIPLUS ref: 00F76FAE
              • GdipCreatePath.GDIPLUS(00000000,?), ref: 00F76FCA
              • GdipAddPathArcI.GDIPLUS(?,?,?,00000000,?), ref: 00F76FFB
              • GdipAddPathLineI.GDIPLUS(?,?,?,?,?,?,?,?,00000000,?), ref: 00F7701D
              • GdipAddPathArcI.GDIPLUS(?,?,?,?,?,00000000,?), ref: 00F77056
              • GdipAddPathLineI.GDIPLUS(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F77079
              • GdipAddPathArcI.GDIPLUS(?,?,?,?,?,?,?,00000000,?), ref: 00F770B0
              • GdipAddPathLineI.GDIPLUS(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F770CD
              • GdipAddPathArcI.GDIPLUS(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F770FC
              • GdipAddPathLineI.GDIPLUS(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F7711E
              • GdipFillPath.GDIPLUS(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?), ref: 00F7713A
              • GdipDrawPath.GDIPLUS(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,?), ref: 00F7714A
              • GdipClosePathFigure.GDIPLUS(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00F77154
              • GdipDeletePath.GDIPLUS(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00F77166
              • GdipDeleteBrush.GDIPLUS(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F77170
              • GdipDeletePen.GDIPLUS(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F7717A
              • GdipDeleteGraphics.GDIPLUS(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00F77180
              Similarity
              • API ID: Gdip$Path$CreateDeleteLine$Fill$BrushCloseDrawFigureFromGraphicsModePen1SmoothingSolid
              • String ID:
              • API String ID: 496263768-0
              APIs
              Strings
              Similarity
              • API ID: CharNext
              • String ID: $file$res$restype
              • API String ID: 3213498283-2182986002
              APIs
                • Part of subcall function 00F4F730: GetWindowRect.USER32(?,?), ref: 00F4F754
                • Part of subcall function 00F4F730: ScreenToClient.USER32(?,?), ref: 00F4F76C
                • Part of subcall function 00F4F730: ScreenToClient.USER32(?,?), ref: 00F4F77A
              • GetCaretBlinkTime.USER32(00000000), ref: 00F79687
              • SetTimer.USER32(?,00000014,00000000), ref: 00F79694
              • CallWindowProcW.USER32(?,?,?,?,?), ref: 00F796AB
              • GetClientRect.USER32(?,?), ref: 00F79733
              • InvalidateRect.USER32(?,?,00000000), ref: 00F79743
              Strings
              Similarity
              • API ID: ClientRect$ScreenWindow$BlinkCallCaretInvalidateProcTimeTimer
              • String ID: return
              • API String ID: 3851949828-2812165903
              APIs
              Strings
              Similarity
              • API ID: CharNext__wcstoui64
              • String ID: itemhottextcolor$itemminwidth$itemtextcolor$selitemhottextcolor$selitemtextcolor$true$visiblecheckbtn$visiblefolderbtn
              • API String ID: 216335860-1882295018
              APIs
              Strings
              Similarity
              • API ID: _memset_strncpy$_swscanf
              • String ID: %127[^= ]%*[ =]%255s$%hu%*[xX]%hu$1$BINARY$NEW_ENV$Syntax error in telnet option: %s$TTYPE$USER,%s$Unknown telnet option %s$XDISPLOC
              • API String ID: 193792928-1116758244
              APIs
              • SendMessageW.USER32(?,000000CF,?,00000000), ref: 00F7A6A3
              • SendMessageW.USER32(?,000000C5,00000000,00000000), ref: 00F7A8C4
              • CharNextW.USER32(?), ref: 00F7AA31
              • __wcstoui64.LIBCMT ref: 00F7AA47
              Strings
              Similarity
              • API ID: MessageSend$CharNext__wcstoui64
              • String ID: autoselall$disabledimage$focusedimage$hotimage$maxchar$nativebkcolor$normalimage$numberonly$password$readonly$true
              • API String ID: 2158325730-3096893876
              APIs
              • CharNextW.USER32(00000000,00000000,?,?,?,00F48A31,00000000,00000000,?,?,?,?,?,00F4865C), ref: 00F48A5E
              • CharNextW.USER32(00000000), ref: 00F48A99
              • CharNextW.USER32(00000000), ref: 00F48AD9
              • CharNextW.USER32(00000000), ref: 00F48B10
              • _realloc.LIBCMT ref: 00F48B49
              • CharNextW.USER32(00000000,?), ref: 00F48BF9
              • CharNextW.USER32(?,?,0000003C,?), ref: 00F48D1D
              • CharNextW.USER32(?), ref: 00F48D57
              • CharNextW.USER32(?), ref: 00F48D8D
                • Part of subcall function 00F49230: _wcsncpy.LIBCMT ref: 00F4923A
                • Part of subcall function 00F49230: _wcsncpy.LIBCMT ref: 00F49257
              Strings
              Similarity
              • API ID: CharNext$_wcsncpy$_realloc
              • String ID: Error parsing element name$Expected end-tag start$Expected start tag$Expected start-tag closing$Unmatched closing tag$gfff
              • API String ID: 2427325080-2742108210
              APIs
              • _memset.LIBCMT ref: 00F155BF
              • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00F15626
              • GetLastError.KERNEL32 ref: 00F15630
              • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000C8,000004FF), ref: 00F156C4
              • GetExitCodeProcess.KERNEL32(?,?), ref: 00F156E9
              • GetLastError.KERNEL32(?,00000000,?,?), ref: 00F156F7
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F15772
              • TranslateMessage.USER32(?), ref: 00F15796
              • DispatchMessageW.USER32(?), ref: 00F1579D
              • CloseHandle.KERNEL32(?,?,00000000,?,?), ref: 00F157B3
              • CloseHandle.KERNEL32(?,?,00000000,?,?), ref: 00F157BA
                • Part of subcall function 00F96A40: GetLocalTime.KERNEL32(?,00000000,74DF2EE0,00F1553E,Install recomand return=%ld,?), ref: 00F96A71
                • Part of subcall function 00F96A40: _memset.LIBCMT ref: 00F96A83
                • Part of subcall function 00F96A40: GetCurrentThreadId.KERNEL32 ref: 00F96AA3
                • Part of subcall function 00F96A40: __snprintf.LIBCMT ref: 00F96AB6
                • Part of subcall function 00F96A40: _vswprintf_s.LIBCMT ref: 00F96AD7
                • Part of subcall function 00F96A40: OutputDebugStringA.KERNELBASE(?), ref: 00F96B06
              Strings
              Similarity
              • API ID: Message$CloseErrorHandleLastProcess_memset$CodeCreateCurrentDebugDispatchExitLocalMultipleObjectsOutputPeekStringThreadTimeTranslateWait__snprintf_vswprintf_s
              • String ID: D$Install ErrCode= %ld$Install ErrCode=%d$Install return=%ld
              • API String ID: 467620243-3459061465
              APIs
                • Part of subcall function 00F1A270: std::_String_base::_Xlen.LIBCPMT ref: 00F1A2BF
                • Part of subcall function 00F1A270: _memcpy_s.LIBCMT ref: 00F1A32A
              • CreateThread.KERNEL32(00000000,00000000,00F99BC0,?,00000000,00000000), ref: 00F99167
              • CloseHandle.KERNEL32(00000000), ref: 00F99183
              • __time64.LIBCMT ref: 00F991AF
              • _rand.LIBCMT ref: 00F991B7
              • lstrlenW.KERNEL32(?,?,?,?), ref: 00F9921C
              • WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,?,00000000,00000000,?,?), ref: 00F9924C
              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F9933A
              • lstrlenA.KERNEL32(?), ref: 00F993D3
              • MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,00000001), ref: 00F99405
              Strings
              Similarity
              • API ID: ByteCharMultiWidelstrlen$CloseCreateHandleIos_base_dtorString_base::_ThreadXlen__time64_memcpy_s_randstd::_std::ios_base::_
              • String ID: %s %d download info code:%d$%s %d redownload info count:%d$&tmpTime_=$CHttpHelper::GetDownloadInfo$TestID
              • API String ID: 1102782826-1444138739
              APIs
              • lstrlenW.KERNEL32(00000004,00000000,InterceptWebEventY), ref: 00F2C223
              • lstrlenW.KERNEL32(00000004,00000000,InterceptWebEventX), ref: 00F2C2C4
              • lstrlenW.KERNEL32(00000004,00000000,InterceptWebEventCloseX), ref: 00F2C365
              • lstrlenW.KERNEL32(00000004,00000000,InterceptWebEventCloseY), ref: 00F2C409
              • GetWindowRect.USER32(?,?), ref: 00F2C45C
              • ClientToScreen.USER32(?,?), ref: 00F2C4A2
              • PtInRect.USER32(?,?,?), ref: 00F2C4BA
              • SendMessageW.USER32(?,000000A1,00000002,?), ref: 00F2C4DA
                • Part of subcall function 00F110B0: WideCharToMultiByte.KERNELBASE(00000003,00000000,00000004,000000FF,?,?,00000000,00000000,00F185D6,00000003), ref: 00F110CB
              • PtInRect.USER32(?,?,?), ref: 00F2C4F3
              • SendMessageW.USER32(?,00000112,0000F020,00000000), ref: 00F2C514
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: lstrlen$Rect$MessageSend$ByteCharClientMultiScreenWideWindow
              • String ID: InterceptWebEventCloseX$InterceptWebEventCloseY$InterceptWebEventX$InterceptWebEventY
              • API String ID: 4024436429-2061605471
              • Opcode ID: 27bcbe2c9da3b7dccde8592c04cda699887f37fc413287f6dc88b13a9da46efd
              • Instruction ID: 393bc9e474fe65bc852419a3218e4551ec1066a05b42eb958152162165ddcee4
              • Opcode Fuzzy Hash: 27bcbe2c9da3b7dccde8592c04cda699887f37fc413287f6dc88b13a9da46efd
              • Instruction Fuzzy Hash: 40C1D0B1E00324DFCB10EFA4DC45BAEBBB5AB48710F244529E405AB381DB79AD41EBD1
              APIs
              • _memset.LIBCMT ref: 00FB8DE2
              • _memset.LIBCMT ref: 00FB8DF5
              • _swscanf.LIBCMT ref: 00FB8EBF
              • send.WS2_32(?,?,00000002,00000000), ref: 00FB8F42
              • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0000007F), ref: 00FB8F4C
              • send.WS2_32(?,?,?,00000000), ref: 00FB8FF4
              • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0000007F), ref: 00FB8FFE
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: ErrorLast_memsetsend$_swscanf
              • String ID: %127[^,],%127s$%c%c$%c%c%c%c$%c%c%c%c%s%c%c$%c%s%c%s$Sending data failed (%d)
              • API String ID: 3960926081-3318542072
              • Opcode ID: c72506e8792364f48251a107e11467abb37def2afbc06ee9994c20d1600881a7
              • Instruction ID: 8b25c84456deacf676d029a97bc361edc00b4054ee3bb89acf1eb2a0306a5500
              • Opcode Fuzzy Hash: c72506e8792364f48251a107e11467abb37def2afbc06ee9994c20d1600881a7
              • Instruction Fuzzy Hash: 1361F571744346AFE335DB14CC82FF773A9AB84744F04062CFA895B2C2DEB5A9099B91
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: CharNext__wcstoui64
              • String ID: foreimage$group$selected$selectedbkcolor$selectedhotimage$selectedimage$selectedtextcolor$true
              • API String ID: 216335860-3444983114
              • Opcode ID: 18349b80293a44a4faf16bcffc879ffac4acf424dbc304b4725bb094e43f63be
              • Instruction ID: 93b7f0a66bbb0e4483b515e6eda5059671e11ec2158f1c078eb2bba0e4fec1bd
              • Opcode Fuzzy Hash: 18349b80293a44a4faf16bcffc879ffac4acf424dbc304b4725bb094e43f63be
              • Instruction Fuzzy Hash: 2B71E5A2A1010256D714AF78C84167772A7EFB57F4B48476EE951CB298FB23CC87E320
              APIs
              • CreateThread.KERNEL32(00000000,00000000,00F972F0,00000000,00000000,00000000), ref: 00F971BE
                • Part of subcall function 00F12BB0: std::_String_base::_Xlen.LIBCPMT ref: 00F12BE7
                • Part of subcall function 00F12BB0: _memcpy_s.LIBCMT ref: 00F12C36
              • WaitForSingleObject.KERNEL32(00000000,00002710), ref: 00F9724F
              • CloseHandle.KERNEL32(00000000), ref: 00F97256
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: CloseCreateHandleObjectSingleString_base::_ThreadWaitXlen_memcpy_sstd::_
              • String ID: &downloader_num=$&install_finish_downloader=false$&install_finish_downloader=true$&install_start_downloader=false$&install_start_downloader=true$&url=$GUID$UpdateEventUrl$uid=
              • API String ID: 3702222336-3402532700
              • Opcode ID: 3ccb689a5a450f3c882dbd564ad617e48e2ec22ab1a5bd306d0aacea9e268e06
              • Instruction ID: b8f25b86307dbc7e6e401b55b991e2f9fd6fe54749e4d9c4e682dd41953c2f67
              • Opcode Fuzzy Hash: 3ccb689a5a450f3c882dbd564ad617e48e2ec22ab1a5bd306d0aacea9e268e06
              • Instruction Fuzzy Hash: 4F91CFB1918380ABE720EF64C842B5FBBE5BF84710F144A2DF68947341DB39A844DB93
              APIs
              • sendto.WS2_32(?,00000000,00000004,00000000,?,?), ref: 00FB57B9
              • __time64.LIBCMT ref: 00FB57E6
              • sendto.WS2_32(?,?,00000004,00000000,000000CC,?), ref: 00FB5847
              • WSAGetLastError.WS2_32(?,00000004,00000000,000000CC,?,?,?), ref: 00FB5851
              • sendto.WS2_32(?,?,00000004,00000000,?,?), ref: 00FB5952
              Strings
              • Timeout waiting for block %d ACK. Retries = %d, xrefs: 00FB58A4
              • Received last DATA packet block %d again., xrefs: 00FB5771
              • tftp_rx: internal error, xrefs: 00FB5964
              • Received unexpected DATA packet block %d, expecting block %d, xrefs: 00FB57F6
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: sendto$ErrorLast__time64
              • String ID: Received last DATA packet block %d again.$Received unexpected DATA packet block %d, expecting block %d$Timeout waiting for block %d ACK. Retries = %d$tftp_rx: internal error
              • API String ID: 4265266248-1785996722
              • Opcode ID: 0c8e39d5d9e06dab718a21fd2a0cbcf7f2124d75e41df2ab2b9a78c0727cc263
              • Instruction ID: 686742dbd21a287a85d6a61627ed24938fbf2c195019d99edaf1531660971406
              • Opcode Fuzzy Hash: 0c8e39d5d9e06dab718a21fd2a0cbcf7f2124d75e41df2ab2b9a78c0727cc263
              • Instruction Fuzzy Hash: BE61B4B1200B009BE731AF35DC81FAB73E9EF84715F14491DF58AC7282EA7AE4459B61
              APIs
                • Part of subcall function 00F79470: IntersectRect.USER32(?,?,?), ref: 00F79586
              • SendMessageW.USER32(?,00000030,?,00000001), ref: 00F79330
              • SendMessageW.USER32(?,000000C5,?,00000000), ref: 00F79347
              • SendMessageW.USER32(?,000000CC,?,00000000), ref: 00F79368
              • SetWindowTextW.USER32(?,?), ref: 00F79380
              • SendMessageW.USER32(?,000000B9,00000000,00000000), ref: 00F793A8
              • SendMessageW.USER32(?,000000D3,00000003,00000000), ref: 00F793B7
              • EnableWindow.USER32(?,00000000), ref: 00F793D2
              • SendMessageW.USER32(?,000000CF,00000000,00000000), ref: 00F793F3
              • ShowWindow.USER32(?,00000004), ref: 00F793FB
              • SetFocus.USER32(?), ref: 00F79405
              • GetWindowTextLengthW.USER32(?), ref: 00F7941B
              • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00F79436
              • GetWindowTextLengthW.USER32(?), ref: 00F79449
              • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00F7945A
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: MessageSend$Window$Text$Length$EnableFocusIntersectRectShow
              • String ID:
              • API String ID: 2848147740-0
              • Opcode ID: befa880a77e1b02308a91d1f9ac31b7421e71f44746ab97a944db398c1b00e23
              • Instruction ID: 25b71be296e48b223429cf390ae06592cac23c1cdcdce9b67510a23585a880b4
              • Opcode Fuzzy Hash: befa880a77e1b02308a91d1f9ac31b7421e71f44746ab97a944db398c1b00e23
              • Instruction Fuzzy Hash: EB519FB5700701AFE314DB68CC85F66B7AABB88700F048659F9189B391C7B6FC51CB91
              APIs
              • SysAllocString.OLEAUT32(errorLine), ref: 00F60319
              • SysAllocString.OLEAUT32(errorCharacter), ref: 00F60324
              • SysAllocString.OLEAUT32(errorCode), ref: 00F6032F
              • SysAllocString.OLEAUT32(errorMessage), ref: 00F6033A
              • SysAllocString.OLEAUT32(errorUrl), ref: 00F60345
              • SysFreeString.OLEAUT32 ref: 00F603F6
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: String$Alloc$Free
              • String ID: ($errorCharacter$errorCode$errorLine$errorMessage$errorUrl
              • API String ID: 2383597386-2821095632
              • Opcode ID: 14e3ddc318044667fff7bda63879467336267d7688efa766439a30e2b0a3d047
              • Instruction ID: 48e0c93f3bec276fe42d849877f39ea61609aaacae40cee9d35cd425e85c2e6b
              • Opcode Fuzzy Hash: 14e3ddc318044667fff7bda63879467336267d7688efa766439a30e2b0a3d047
              • Instruction Fuzzy Hash: CB4175716043059FC210DF68D880E5BB7E8EBC8714F208A2EF588CB265DB71E905CBA2
              APIs
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: Window$RectRestore
              • String ID:
              • API String ID: 1490976877-0
              • Opcode ID: 181c75f009d53cb63e2ebc3dae30ea7ffcc5d51d09852ec2fa2d6c5b467b93d7
              • Instruction ID: a99325ec5f80feabaa5c76ce90b31e9e2a5c254872c4d7aa88df2f58a0f44a68
              • Opcode Fuzzy Hash: 181c75f009d53cb63e2ebc3dae30ea7ffcc5d51d09852ec2fa2d6c5b467b93d7
              • Instruction Fuzzy Hash: 01F12F755083408FD754CF28C884B9ABBF6BFC8310F19896DED898B355DB34A845DBA2
              APIs
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: Object$Select_memset$CreateDeleteFontIndirectMetricsStockText__itow_wcsncpy
              • String ID:
              • API String ID: 278288231-0
              • Opcode ID: a27ac01ad221bdf0c9d9f9f7cc3ceed649c2bd6702bee96580de9aa52d975b95
              • Instruction ID: 2e181f4e8c74f6f001ab8d185afb1069473be18c4eb9a4f0bbd715bf69396153
              • Opcode Fuzzy Hash: a27ac01ad221bdf0c9d9f9f7cc3ceed649c2bd6702bee96580de9aa52d975b95
              • Instruction Fuzzy Hash: 84618F719083849FE730DF34CC45B9BBBE4AF88310F04891DBA88C7242EB799948DB52
              APIs
              • lstrlenW.KERNEL32(?,00000000,InstallIntervalTime,?,?,?,8F2D4ADD), ref: 00F2574D
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: lstrlen
              • String ID: !$3$<$InstallIntervalTime$K$T$]$progressValue$slrProgress$text$value
              • API String ID: 1659193697-919299193
              • Opcode ID: 1b1eaf3a5605e4e6c07a42256ef7c2f7a0a827189a2fa1ace35fb92760136be1
              • Instruction ID: 8c75cf847996d788643733ad2287052892582caef86fcb39511db4ed06138da5
              • Opcode Fuzzy Hash: 1b1eaf3a5605e4e6c07a42256ef7c2f7a0a827189a2fa1ace35fb92760136be1
              • Instruction Fuzzy Hash: 83710770D01358DBDF20EFA9D84A78EBBB1EF00714F14415DE8056B281DBB9AA48DB92
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID:
              • String ID: %I64d$%s%c%s%c$TFTP file name too long$blksize$netascii$octet$tftp_send_first: internal error$timeout$tsize
              • API String ID: 0-1678188727
              • Opcode ID: 18d3cc1f50f1f2e043f9aea20d4b92c3075e43cd97a90b77a727d7bcdd292747
              • Instruction ID: dbf593668d7df3612353ebdf3c0751dcf4811cf2c41207e84d3896265c60130d
              • Opcode Fuzzy Hash: 18d3cc1f50f1f2e043f9aea20d4b92c3075e43cd97a90b77a727d7bcdd292747
              • Instruction Fuzzy Hash: F2B1C3B1A002409BD714DF29CC96BAB77E6FFC4714F48452DF8498B382DA79E805CB96
              APIs
              • CreateFileW.KERNEL32(00F240BA,C0000000,00000003,00000000,00000003,00000080,00000000,8F2D4ADD,00000007,00000000,?), ref: 00F2544C
              • GetFileSize.KERNEL32(00000000,00000000), ref: 00F25463
              • SetFilePointer.KERNEL32(?,-FFFFF800,00000000,00000001), ref: 00F25487
              • _memset.LIBCMT ref: 00F254A6
              • ReadFile.KERNEL32(?,?,00000104,?,00000000), ref: 00F254C3
              • lstrlenA.KERNEL32(?,?), ref: 00F254E7
              • MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,00000001), ref: 00F25519
              • CloseHandle.KERNEL32(?,8F2D4ADD,00000007,00000000,?), ref: 00F2568B
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: File$ByteCharCloseCreateHandleMultiPointerReadSizeWide_memsetlstrlen
              • String ID: Install_Failed$errInfo$error_info
              • API String ID: 403388370-415826701
              • Opcode ID: efdd05ba88fe5980aefc1c9e0010f752b394c11460b85ae43db384f1a803086b
              • Instruction ID: 004ffdcb65414806d37fcc6f30ced6a1cde99f29f689c8eb0e4fd9107ec57983
              • Opcode Fuzzy Hash: efdd05ba88fe5980aefc1c9e0010f752b394c11460b85ae43db384f1a803086b
              • Instruction Fuzzy Hash: EF71F471D00228ABDB20DF64CC85BEEB7B9EF48714F5441A9E509A7280EB795F84CF90
              APIs
              • GetModuleHandleW.KERNEL32(kernel32,00000000,00000000,?,00FA861E,secur32.dll,?,?,?,00F9D0EA), ref: 00FD0F5A
              • GetProcAddress.KERNEL32(00000000,LoadLibraryExW), ref: 00FD0F78
              • _wcspbrk.LIBCMT ref: 00FD0F88
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: AddressHandleModuleProc_wcspbrk
              • String ID: AddDllDirectory$LoadLibraryExW$kernel32
              • API String ID: 3039737319-3974551115
              • Opcode ID: 15fa87ce569364b0603c6d395a1c1308d13c0ba7eae454c77ee00e5a5149efb6
              • Instruction ID: faf2d3e5e848c49a33bb7b52a8673663246095c8414e3acac590a070020f0aad
              • Opcode Fuzzy Hash: 15fa87ce569364b0603c6d395a1c1308d13c0ba7eae454c77ee00e5a5149efb6
              • Instruction Fuzzy Hash: E84138327053015BD3305B68AC45BABB39AFF84761F18452AFD82CB348EF6AE9549790
              APIs
              • ____lc_handle_func.LIBCMT ref: 00FDAA03
              • ____lc_codepage_func.LIBCMT ref: 00FDAA0B
              • __GetLocaleForCP.LIBCPMT ref: 00FDAA34
              • ____mb_cur_max_l_func.LIBCMT ref: 00FDAA4A
              • MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000002,?,00000000,00000000,00000001,?,00000000,00F13388,00000000,?,?,?,?), ref: 00FDAA69
              • ____mb_cur_max_l_func.LIBCMT ref: 00FDAA77
              • ___pctype_func.LIBCMT ref: 00FDAA9C
              • ____mb_cur_max_l_func.LIBCMT ref: 00FDAAC2
              • ____mb_cur_max_l_func.LIBCMT ref: 00FDAADA
              • ____mb_cur_max_l_func.LIBCMT ref: 00FDAAF2
              • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,?,00000000,00000000,00000001,?,00000000,00F13388,00000000,?,?,?,?), ref: 00FDAAFF
              • MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,?,00000000,00000000,00000001,?,00000000,00F13388,00000000,?,?,?,?), ref: 00FDAB30
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: ____mb_cur_max_l_func$ByteCharMultiWide$Locale____lc_codepage_func____lc_handle_func___pctype_func
              • String ID:
              • API String ID: 3819326198-0
              • Opcode ID: 03d11c70420e9ff0314d705804b22afda650ad1fcbdaff00193bed6a833cd1ba
              • Instruction ID: b84d6e9c65f0bc0b6a171a8acf9fda50bb56c12c561e7fa69e0975b8883e5eaa
              • Opcode Fuzzy Hash: 03d11c70420e9ff0314d705804b22afda650ad1fcbdaff00193bed6a833cd1ba
              • Instruction Fuzzy Hash: 2241EB31504242EEDB215F35DC41B793BAAAF05361F198227F855CA292E738CD90FB56
              APIs
                • Part of subcall function 00F12580: _memcpy_s.LIBCMT ref: 00F125FD
              • lstrlenW.KERNEL32(?,DOWNLOAD_VERSION,00000010), ref: 00F26685
              • lstrlenA.KERNEL32(?,00000000,00000000,000000FF,00000000,00000001,00000003), ref: 00F26708
              • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00F26774
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: lstrlen$ExecuteShell_memcpy_s
              • String ID: Click_Download_Offline$DOWNLOAD_VERSION$Download_Failed$download_setup_url_free$download_setup_url_trial$free$open
              • API String ID: 825883226-2322613642
              • Opcode ID: f90f7ae500b8d24dba410a27194a5b095313e6103f0107272295c15936c364e2
              • Instruction ID: e049ad1813c7fc14a011aa32acf1e4e033888629f1d4927c5227cf28927856a1
              • Opcode Fuzzy Hash: f90f7ae500b8d24dba410a27194a5b095313e6103f0107272295c15936c364e2
              • Instruction Fuzzy Hash: 09C10371D01358EBDF10DFA8DC417EEBB75AF44300F1441AEE409AB281DB795A85DB91
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: CharNext
              • String ID:
              • API String ID: 3213498283-3916222277
              • Opcode ID: fd70d3b2d2859abc9638f49f99fef4e64dae71103ced52ca6b98c9e81e384621
              • Instruction ID: eb541ffa942b91e28e7ade9ebd79734558065da00bee73149378a70034c172e6
              • Opcode Fuzzy Hash: fd70d3b2d2859abc9638f49f99fef4e64dae71103ced52ca6b98c9e81e384621
              • Instruction Fuzzy Hash: 07A18FB0A087818BD724DF24D885BABB7E5AFC5310F04882EE989D7341D739E945DB53
              APIs
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: CharNext$__wcstoi64
              • String ID:
              • API String ID: 1114731063-0
              • Opcode ID: 7da5d6d1c63b9a69b38ee3b034b9332f2c53f317ad7113c169d7c07810846793
              • Instruction ID: 225782aebdece58a920da8e775dabeddaf768004f46ee093aacbf75146f32c75
              • Opcode Fuzzy Hash: 7da5d6d1c63b9a69b38ee3b034b9332f2c53f317ad7113c169d7c07810846793
              • Instruction Fuzzy Hash: C1B16DB0A083818BD724DF24D885BABB7E5AF85310F04882EF989D7241E779E945DB53
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: Rect
              • String ID: P$menu
              • API String ID: 400858303-3578578207
              • Opcode ID: 447b0135d3dd5a8bd65981d5c95df70eda4ec1baedcb3270584e32a590577d8e
              • Instruction ID: 2000597b10724c2950b8f5231999691e3ae202ee9a55a34982ee46a7936e63c7
              • Opcode Fuzzy Hash: 447b0135d3dd5a8bd65981d5c95df70eda4ec1baedcb3270584e32a590577d8e
              • Instruction Fuzzy Hash: 17B1A476B002004BCB20DF68D8C0A6973B6AF85371F5885BBEE4D8F246DA36DC599761
              APIs
              • _swscanf.LIBCMT ref: 00FA987F
                • Part of subcall function 00FDFA6E: _vscan_fn.LIBCMT ref: 00FDFA85
              • __wcstoui64.LIBCMT ref: 00FA9953
              Strings
              • RESOLVE %s:%d is - old addresses discarded!, xrefs: 00FA9ADD
              • %255[^:]:%d, xrefs: 00FA9879
              • Couldn't parse CURLOPT_RESOLVE entry '%s'!, xrefs: 00FA9A55
              • Ignoring resolve address '%s', missing IPv6 support., xrefs: 00FA9A05
              • Resolve address '%s' found illegal!, xrefs: 00FA9A77
              • Couldn't parse CURLOPT_RESOLVE removal entry '%s'!, xrefs: 00FA988F
              • Added %s:%d:%s to DNS cache, xrefs: 00FA9B47
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: __wcstoui64_swscanf_vscan_fn
              • String ID: %255[^:]:%d$Added %s:%d:%s to DNS cache$Couldn't parse CURLOPT_RESOLVE entry '%s'!$Couldn't parse CURLOPT_RESOLVE removal entry '%s'!$Ignoring resolve address '%s', missing IPv6 support.$RESOLVE %s:%d is - old addresses discarded!$Resolve address '%s' found illegal!
              • API String ID: 1797087322-3873099096
              • Opcode ID: 4f07946e349cdc15823c862ebd18d81df5bf45ed3bdc8466ff84c00ae52b8b9e
              • Instruction ID: 80e6b9f4158f8a19455d565a4282b0df40772be0d39de16987e399d27ebcd5ec
              • Opcode Fuzzy Hash: 4f07946e349cdc15823c862ebd18d81df5bf45ed3bdc8466ff84c00ae52b8b9e
              • Instruction Fuzzy Hash: A1A1B2B290C3416FD720DF24DC85F6B77D9AB86354F04453DF88987242E6B9E908D7A2
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: __wcstoi64
              • String ID: imm$step$thumbhotimage$thumbimage$thumbpushedimage$thumbsize$true
              • API String ID: 398114495-535450508
              • Opcode ID: 3fe208642cc1c7bda0dcdc1253ef6563e16066f9f84072b6ae9155536c06bea8
              • Instruction ID: a49420649debed2ac15c89f746a2ef049945d3338e73d8b27911de501cd221cc
              • Opcode Fuzzy Hash: 3fe208642cc1c7bda0dcdc1253ef6563e16066f9f84072b6ae9155536c06bea8
              • Instruction Fuzzy Hash: 37719353B1000156DB35AE38DC81AB57392FB75B30BD8867BE949CB298E623DD48D352
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: __wcsicoll$_malloc_memset
              • String ID: Container$ScrollBar$TabLayout$cover$true
              • API String ID: 1497606448-799656983
              • Opcode ID: 35534758b6cbe022f2150cd2cb7137518b31fbf0288ff6f0311c1d1b07233108
              • Instruction ID: b1a0e44c6eff1713704c6024f4cc76d83b7136159086f64d6f921b46c6f35ff2
              • Opcode Fuzzy Hash: 35534758b6cbe022f2150cd2cb7137518b31fbf0288ff6f0311c1d1b07233108
              • Instruction Fuzzy Hash: 0181E872A043428BD720DF58C881B6EB3E5BFC8395F14052DEE8987241EB75DE49E782
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: __wcsicoll$_malloc_memset
              • String ID: ListHeader$TileLayout$WebBrowser$cover$true
              • API String ID: 1497606448-1509296067
              • Opcode ID: c9759b2a4cc4751d8210c0f9a47f10ebfb8913a3f5eb7493090c5a656f1e4c65
              • Instruction ID: ad134871b065e5b96ff200ebe5c8d0850afeb86f0bf4d564bb2b34a22e1c1ad2
              • Opcode Fuzzy Hash: c9759b2a4cc4751d8210c0f9a47f10ebfb8913a3f5eb7493090c5a656f1e4c65
              • Instruction Fuzzy Hash: 1B81C771A043429BD720DF58CC81B6EB3E5AFD4395F44052DEE8987241EB35DA49EB82
              APIs
                • Part of subcall function 00FDD02A: __fsopen.LIBCMT ref: 00FDD037
              • _fgets.LIBCMT ref: 00FC6E2F
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: __fsopen_fgets
              • String ID: $%s%s%s$HOME$_netrc$default$login$machine$password
              • API String ID: 1017413239-828792305
              • Opcode ID: 988f73feea19c19780a82991391233920308659d8bb219763f8dbafc80c0926e
              • Instruction ID: 60b951644eb9112bf46b66f7020656823336d84522de0ad36a9b8337dc4cb7e7
              • Opcode Fuzzy Hash: 988f73feea19c19780a82991391233920308659d8bb219763f8dbafc80c0926e
              • Instruction Fuzzy Hash: 1F71E37190D3439BD721DA28EE06FAB7AD46F85328F04051DF884C6241E779D948E792
              APIs
              • _swscanf.LIBCMT ref: 00F9EBC6
                • Part of subcall function 00FDFA6E: _vscan_fn.LIBCMT ref: 00FDFA85
              • __wcstoi64.LIBCMT ref: 00F9EDCB
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: __wcstoi64_swscanf_vscan_fn
              • String ID: %s://%s%s%s:%d%s%s%s$;type=%c$IPv6 closing bracket followed by '%c'$Port number ended with '%c'$Port number out of range$[%*45[0123456789abcdefABCDEF:.]%c$]
              • API String ID: 1561003206-1118921868
              • Opcode ID: 932ff04b7b43c39ffe9d53387b2f26310519870496b4cf2a81b94a73487e3127
              • Instruction ID: f4cddb245682867d40492aad11084c28f24d539d498a57027c1f612c25be45aa
              • Opcode Fuzzy Hash: 932ff04b7b43c39ffe9d53387b2f26310519870496b4cf2a81b94a73487e3127
              • Instruction Fuzzy Hash: A1712E719047459BFB20DF39DC41BAB73D5EF84711F48442EE48E8B341E639A544DB62
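              The format strings in this function and in the CURLOPT_RESOLVE function above are libcurl's own diagnostics: CURLOPT_RESOLVE is a libcurl option, its entries have the shape host:port:address[,address] with a leading '-' marking a removal entry, and the URL parser here checks bracketed IPv6 literals and the port range. Their presence means libcurl code is compiled into EDownloader.exe. The Python below is an added model of that grammar written for this page; it is not code recovered from the binary, the names split_host_port, parse_address, load_resolve_entries and probe are the example's own, and libcurl's exact rejection rules are not asserted.

```python
"""Model of the CURLOPT_RESOLVE entry grammar and host:port parsing implied
by the format strings in the report. Added illustration, not code recovered
from EDownloader.exe; libcurl's real routines differ in detail."""
import ipaddress
from typing import Dict, List, Optional, Tuple

MAX_HOST = 255          # width of the %255[^:] conversion in the scanf format
Cache = Dict[Tuple[str, int], List[str]]


class ResolveError(ValueError):
    """Raised for any entry the parser rejects; messages mirror the report."""


def split_host_port(spec: str) -> Tuple[str, int]:
    """Parse 'host:port' or '[v6-literal]:port' into (host, port)."""
    if spec.startswith("["):
        end = spec.find("]")
        if end < 0:
            raise ResolveError("IPv6 literal missing closing bracket")
        host, rest = spec[1:end], spec[end + 1:]
        try:
            ipaddress.IPv6Address(host)
        except ValueError as exc:
            raise ResolveError(f"Resolve address '{host}' found illegal!") from exc
        if rest and not rest.startswith(":"):
            raise ResolveError(f"IPv6 closing bracket followed by '{rest[0]}'")
        port_str = rest[1:]
    else:
        host, _, port_str = spec.partition(":")
        if not host or len(host) > MAX_HOST:
            raise ResolveError("empty or over-long host name")
    # The port must be a pure digit run; anything after the digits is an error.
    digits = port_str[: len(port_str) - len(port_str.lstrip("0123456789"))]
    if not digits:
        raise ResolveError("missing port number")
    if len(digits) != len(port_str):
        raise ResolveError(f"Port number ended with '{port_str[len(digits)]}'")
    port = int(digits)
    if not 0 < port <= 65535:
        raise ResolveError("Port number out of range")
    return host, port


def parse_address(text: str, ipv6_supported: bool) -> Optional[str]:
    """Validate one address; None means 'skip, no IPv6 support' (not an error)."""
    bare = text[1:-1] if text.startswith("[") and text.endswith("]") else text
    try:
        addr = ipaddress.ip_address(bare)
    except ValueError as exc:
        raise ResolveError(f"Resolve address '{text}' found illegal!") from exc
    if addr.version == 6 and not ipv6_supported:
        return None
    return str(addr)


def load_resolve_entries(entries: List[str], cache: Cache, log: List[str],
                         ipv6_supported: bool = True) -> Cache:
    """Apply 'host:port:addr[,addr...]' and '-host:port' entries to cache."""
    for entry in entries:
        if entry.startswith("-"):                      # removal entry
            try:
                key = split_host_port(entry[1:])
            except ResolveError as exc:
                raise ResolveError(
                    f"Couldn't parse CURLOPT_RESOLVE removal entry '{entry}'!") from exc
            cache.pop(key, None)
            continue
        host, _, rest = entry.partition(":")           # host cannot contain ':'
        port_str, sep, addr_part = rest.partition(":")
        if not sep or not addr_part:
            raise ResolveError(f"Couldn't parse CURLOPT_RESOLVE entry '{entry}'!")
        key = split_host_port(f"{host}:{port_str}")
        addrs = []
        for item in addr_part.split(","):
            parsed = parse_address(item, ipv6_supported)
            if parsed is None:
                log.append(f"Ignoring resolve address '{item}', missing IPv6 support.")
            else:
                addrs.append(parsed)
        if not addrs:
            raise ResolveError(f"Couldn't parse CURLOPT_RESOLVE entry '{entry}'!")
        if key in cache:       # an override replaces whatever was cached before
            log.append(f"RESOLVE {key[0]}:{key[1]} is - old addresses discarded!")
        cache[key] = addrs
        log.append(f"Added {key[0]}:{key[1]}:{addr_part} to DNS cache")
    return cache


def probe(spec: str) -> Optional[str]:
    """Return split_host_port's error message for spec, or None if it parses."""
    try:
        split_host_port(spec)
    except ResolveError as exc:
        return str(exc)
    return None
```

              The security-relevant point of the grammar is that a resolve entry overrides DNS for the named host and port for the lifetime of the handle, so anything that can feed such strings into the downloader (a configuration file, a command line) can redirect its HTTPS connections without touching the system resolver; the trailing log lines in the example correspond to the messages an analyst would look for in a debug log.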
              APIs
              • MapWindowPoints.USER32(?,00000000,?,00000002), ref: 00F54FF1
              • MonitorFromWindow.USER32(?,00000001), ref: 00F55030
              • GetMonitorInfoW.USER32(00000000), ref: 00F55037
              • MapWindowPoints.USER32(?,00000000,?,00000002), ref: 00F55098
              • GetParent.USER32(?), ref: 00F550DF
              • GetParent.USER32(?), ref: 00F550E6
              • GetParent.USER32(00000000), ref: 00F550EB
              • ShowWindow.USER32(?,00000005), ref: 00F550F7
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: Window$Parent$MonitorPoints$FromInfoShow
              • String ID: (
              • API String ID: 2070885993-3887548279
              • Opcode ID: 8198028913a203e7bb5c922ec64bf11d3dbb1bc1dd74355fac5f2f5cda053f76
              • Instruction ID: 2f1b10d178b97d8d94fa27c65969ce0d36a081a880a6e0c6cedb5f2df73a4e19
              • Opcode Fuzzy Hash: 8198028913a203e7bb5c922ec64bf11d3dbb1bc1dd74355fac5f2f5cda053f76
              • Instruction Fuzzy Hash: 5E81E2B4A087019FC354CF28C990A5ABBE1BF88700F508A2DF999C7351EB74E945CF96
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: __wcsicoll$Client$RectScreenZoomed
              • String ID: Button$Option$Text
              • API String ID: 1353371937-3941267017
              • Opcode ID: 7631092a3edd9658a4e9d08ee77def54899f821c4626912fcb9dfa571847f31d
              • Instruction ID: 20cb75fe60fece96b2ffa41ad08c550075c7c6ffa70fa08fef5f9c651ac9fbc6
              • Opcode Fuzzy Hash: 7631092a3edd9658a4e9d08ee77def54899f821c4626912fcb9dfa571847f31d
              • Instruction Fuzzy Hash: FD519E367042014BC324CE6DE880D6BB3E6FBC8351F044A2EF985C7345D635ED599B91
              APIs
              • __time64.LIBCMT ref: 00FB5292
                • Part of subcall function 00FDB986: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,00F163C6,00000000,8F2D4ADD), ref: 00FDB991
                • Part of subcall function 00FDB986: __aulldiv.LIBCMT ref: 00FDB9B1
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FB52E4
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FB5348
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FB53A0
              • __time64.LIBCMT ref: 00FB53D6
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$Time__time64$FileSystem__aulldiv
              • String ID: Connection time-out$gfff$gfff$set timeouts for state %d; Total %ld, retry %d maxtry %d
              • API String ID: 2699399908-870032562
              • Opcode ID: 2886c78874be5151cd1a8a7a3b2330ff376f62281bad66c071fac13d72fa5036
              • Instruction ID: 93fee85771e7f8c66f84a5768800404bc0c6a273b712beb09b01fc3e778f65cf
              • Opcode Fuzzy Hash: 2886c78874be5151cd1a8a7a3b2330ff376f62281bad66c071fac13d72fa5036
              • Instruction Fuzzy Hash: 684184B1A01B049BD724DF2ADC41B57B3EABB88740F088A2DE885CB745E778F8019B50
              APIs
              • IsWindow.USER32(?), ref: 00F54563
              • PostMessageW.USER32(?,00000010,00000001,00000000), ref: 00F54577
              • SendMessageW.USER32(?,00000112,0000F020,?), ref: 00F545DE
              • SendMessageW.USER32(?,00000112,0000F030,?), ref: 00F5462E
              • SendMessageW.USER32(?,00000112,0000F120,00000000), ref: 00F5465B
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: Message$Send$PostWindow
              • String ID: closebtn$maxbtn$minbtn$restorebtn
              • API String ID: 1810902224-318950520
              • Opcode ID: 8c655eea359cd9363a2a04c7cebafc22814839bf3dab4bd3f962a53fa3161402
              • Instruction ID: 0c6c77c8fa8ebc4348728e8af6d13882ec67fd3adf76a526a5cb2f1dd54cb3ef
              • Opcode Fuzzy Hash: 8c655eea359cd9363a2a04c7cebafc22814839bf3dab4bd3f962a53fa3161402
              • Instruction Fuzzy Hash: 5C41C9366002019BD624DF24D841BB67362AB74B69F488628FF96CB185F732F989E750
              APIs
              • __calloc_crt.LIBCMT ref: 00FDE303
                • Part of subcall function 00FE4289: __calloc_impl.LIBCMT ref: 00FE429A
                • Part of subcall function 00FE4289: Sleep.KERNEL32(00000000), ref: 00FE42B1
              • __calloc_crt.LIBCMT ref: 00FDE327
              • __calloc_crt.LIBCMT ref: 00FDE343
              • __copytlocinfo_nolock.LIBCMT ref: 00FDE368
              • __setlocale_nolock.LIBCMT ref: 00FDE375
              • ___removelocaleref.LIBCMT ref: 00FDE381
              • ___freetlocinfo.LIBCMT ref: 00FDE388
              • __setmbcp_nolock.LIBCMT ref: 00FDE3A0
              • ___removelocaleref.LIBCMT ref: 00FDE3B5
              • ___freetlocinfo.LIBCMT ref: 00FDE3BC
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: __calloc_crt$___freetlocinfo___removelocaleref$Sleep__calloc_impl__copytlocinfo_nolock__setlocale_nolock__setmbcp_nolock
              • String ID:
              • API String ID: 2969281212-0
              • Opcode ID: 4726374a0838e7108ad883b03bf632fda5dd2b077191c32fe51a532393524c2b
              • Instruction ID: 614a5712a22284c84c494b4ea24e23bfd79d585442dc89a030d3213c702844a3
              • Opcode Fuzzy Hash: 4726374a0838e7108ad883b03bf632fda5dd2b077191c32fe51a532393524c2b
              • Instruction Fuzzy Hash: 8C21D636504600EBE7217F2ADC06A2E7BE7EF91760B28442FF4845B391DB399800B651
              Strings
              • After %ldms connect time, move on!, xrefs: 00FAEA22
              • Connection failed, xrefs: 00FAEB85
              • Connection time-out, xrefs: 00FAE94F
              • connect to %s port %ld failed: %s, xrefs: 00FAEB14
              • L', xrefs: 00FAEA30
              • Failed to connect to %s port %ld: %s, xrefs: 00FAED1E
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID:
              • String ID: After %ldms connect time, move on!$Connection failed$Connection time-out$Failed to connect to %s port %ld: %s$L'$connect to %s port %ld failed: %s
              • API String ID: 0-47163629
              • Opcode ID: 61b9a277a8441a9cc06fc7954ae686d84b6a4331c4fc2644101babe06d864c42
              • Instruction ID: a6fb1820dc79768a594c15dbf48cc0996e5bc79864f1ae00a4cd2de0aec16dcd
              • Opcode Fuzzy Hash: 61b9a277a8441a9cc06fc7954ae686d84b6a4331c4fc2644101babe06d864c42
              • Instruction Fuzzy Hash: E9D1DDB5A04701AFD314DF28D885B6BB7E5FF8A324F444A1DF85987391E734A840DB92
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: _strncmp
              • String ID: public key hash: sha256//%s$;sha256//$sha256//
              • API String ID: 909875538-2998214618
              • Opcode ID: d1e656d4bf6d89656f9101653dbd08a7d91498001927218d8fa91d62313d1f93
              • Instruction ID: 1d719dc42f001e31a80d1478d24dab7a6629a0af060ee47121712f424388ceae
              • Opcode Fuzzy Hash: d1e656d4bf6d89656f9101653dbd08a7d91498001927218d8fa91d62313d1f93
              • Instruction Fuzzy Hash: D3A17EF2E047015BD7209E24CC9076FB79AEB82B34F884529FD855B301E73AED459791
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID:
              • String ID: @$headerclick
              • API String ID: 0-2283687668
              • Opcode ID: 3d8c8ec5e1ae89cdc6574ff041d6b6d48357fd171eb43ab5dd9f641d640e07e2
              • Instruction ID: 4dc7767bd990fa3c69872468703474f6e3a271afc430da93c5113d263aefb613
              • Opcode Fuzzy Hash: 3d8c8ec5e1ae89cdc6574ff041d6b6d48357fd171eb43ab5dd9f641d640e07e2
              • Instruction Fuzzy Hash: 0DA1B172B006008BCB20DF68D881A6973A2EF85761F1846BADD49DF346DA36D845DBA0
              APIs
              • PtInRect.USER32(?,?,?), ref: 00F7AFAC
              • PtInRect.USER32(?,?,?), ref: 00F7B005
              • PtInRect.USER32(?,?,?), ref: 00F7B057
              • PtInRect.USER32(?,?,?), ref: 00F7B0D1
              • LoadCursorW.USER32(00000000,00007F89), ref: 00F7B0F2
              • SetCursor.USER32(00000000), ref: 00F7B0F9
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: Rect$Cursor$Load
              • String ID: link
              • API String ID: 1264107634-917281265
              • Opcode ID: a081a4ad510c9eef572e7064ace3a7d6090ef8a7c57e094bb8b393b6fc40471d
              • Instruction ID: d4e7b7287df24df47681b5bfe179eecc34ccff7e73af8b7a4cd3a619aeb3a01a
              • Opcode Fuzzy Hash: a081a4ad510c9eef572e7064ace3a7d6090ef8a7c57e094bb8b393b6fc40471d
              • Instruction Fuzzy Hash: 3381A771B002029BC724DF58D880BAAF3A5FBC5321F50866BE968D7241DB71EC65D7D2
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: _strncmp
              • String ID: ../$/..$/../$/./
              • API String ID: 909875538-456519384
              • Opcode ID: a0e956f3ffb2306993312dbd70e2906e91df17678884f6d18288683d2d5dcd72
              • Instruction ID: 582cbc701d739054d9d7525f44abe1c57c4e362380eebb2be5e6177ad16651af
              • Opcode Fuzzy Hash: a0e956f3ffb2306993312dbd70e2906e91df17678884f6d18288683d2d5dcd72
              • Instruction Fuzzy Hash: 1871E852D081836AD7211A345E53F767F965B627E4F1C016ED8C6CB282EA2BCD0EE352
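              The four strings '../', '/..', '/../' and '/./' are the patterns an RFC 3986 section 5.2.4 remove_dot_segments routine looks for when normalising a URL path; libcurl carries such a routine, and its presence here is consistent with the rest of the libcurl strings in this dump. The Python below is an added, page-specific illustration of that algorithm together with the check it exists to make safe; it is not code recovered from EDownloader.exe, and the names remove_dot_segments and is_confined are the example's own.

```python
"""RFC 3986 section 5.2.4 remove_dot_segments, written out as an added
illustration of the path normalisation the '../', '/..', '/../' and '/./'
strings belong to. Not code recovered from EDownloader.exe."""


def remove_dot_segments(path: str) -> str:
    """Resolve '.' and '..' segments in a URL path per RFC 3986 5.2.4."""
    inp, out = path, []                    # out holds already-emitted segments
    while inp:
        if inp.startswith("../"):          # rule A: leading ../ is dropped
            inp = inp[3:]
        elif inp.startswith("./"):         # rule A: leading ./ is dropped
            inp = inp[2:]
        elif inp.startswith("/./"):        # rule B: /./ becomes /
            inp = inp[2:]
        elif inp == "/.":                  # rule B: trailing /. becomes /
            inp = "/"
        elif inp.startswith("/../"):       # rule C: /../ becomes / and pops a segment
            inp = inp[3:]
            if out:
                out.pop()
        elif inp == "/..":                 # rule C: trailing /.. likewise
            inp = "/"
            if out:
                out.pop()
        elif inp in (".", ".."):           # rule D: a lone . or .. vanishes
            inp = ""
        else:                              # rule E: move one segment to output
            start = 1 if inp.startswith("/") else 0
            nxt = inp.find("/", start)
            if nxt < 0:
                nxt = len(inp)
            out.append(inp[:nxt])
            inp = inp[nxt:]
    return "".join(out)


def is_confined(root: str, request_path: str) -> bool:
    """True if request_path, once normalised, still lies under root.

    The prefix check must run on the normalised path: on the raw string,
    '/files/../etc/passwd' starts with '/files/' and would be accepted.
    """
    root = root.rstrip("/") + "/"          # trailing slash so '/filesX' is not under '/files'
    return remove_dot_segments(request_path).startswith(root)
```

              Two points a practitioner should keep in mind when reusing this: the routine works on the decoded path, so a percent-encoded '%2e%2e/' passes through untouched and must be decoded first if the consumer decodes later; and '..' segments that would climb above the root are silently dropped rather than rejected, which is the RFC's behaviour but hides probing attempts unless the caller compares input and output.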
              APIs
              • __wcsicoll.LIBCMT ref: 00F5319C
              • __wcsicoll.LIBCMT ref: 00F531DD
              • _memset.LIBCMT ref: 00F533AE
                • Part of subcall function 00FDB3B2: _malloc.LIBCMT ref: 00FDB3CC
                • Part of subcall function 00F666B0: _memset.LIBCMT ref: 00F66754
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: __wcsicoll_memset$_malloc
              • String ID: "$ListHBoxElement$ListTextElement$cover$true
              • API String ID: 2079756205-2093988976
              • Opcode ID: 8671c8351e3e6e4c35d9183243c3ad473e94867b00e9f00ba9c9c3b21401551d
              • Instruction ID: e87ee6a1d2c2dd4d4498261e65c1e45c9fe7ff85efcaa09c639203b152549bb6
              • Opcode Fuzzy Hash: 8671c8351e3e6e4c35d9183243c3ad473e94867b00e9f00ba9c9c3b21401551d
              • Instruction Fuzzy Hash: B981E671A043429FD720DF58C881B6EB3E5AFC8395F14052DEE8987241EB75DE49EB82
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: __wcsicoll$_malloc_memset
              • String ID: $$HorizontalLayout$ListLabelElement$cover$true
              • API String ID: 1497606448-4185467953
              • Opcode ID: 15ebfa1d5f9a62091b8038ac446ed091ad4d96519a57ecc9853b246b1f840b73
              • Instruction ID: 4af6350f168bfd0fca44a8f5edb69a7a82231092790456bede499f9391e599a1
              • Opcode Fuzzy Hash: 15ebfa1d5f9a62091b8038ac446ed091ad4d96519a57ecc9853b246b1f840b73
              • Instruction Fuzzy Hash: 9F71E671A043428BDB20DF58C881B6EB3E5AFC8395F44052DEE8987241EB35DE49EB42
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: __time64
              • String ID: Click_Exit_Bottomwindow$Download_Failed$Downloading$Elapsedtime$Installing$result_abort$wizardTab
              • API String ID: 399556195-3862032578
              • Opcode ID: 3ecd60537c8dca39c0cc6a9db65c781ee45997fc033d6c4e05ee3353f59ed224
              • Instruction ID: f33165fad6b72b0931bbbbc9e5f8524c8d3be110dd5c7ae7b16bc59cc28544be
              • Opcode Fuzzy Hash: 3ecd60537c8dca39c0cc6a9db65c781ee45997fc033d6c4e05ee3353f59ed224
              • Instruction Fuzzy Hash: F871B2311083809BC361EBA4DC51BCBB7E9AF95310F444A2DF59867286EB78A548D7B3
              APIs
              • GetModuleFileNameA.KERNEL32(00000000,00000048,00000104,8F2D4ADD,00000008,?,?,00000000), ref: 00F440AF
              • _strrchr.LIBCMT ref: 00F440BC
              • GetLocalTime.KERNEL32 ref: 00F44105
              • _fprintf.LIBCMT ref: 00F441BE
              • _fprintf.LIBCMT ref: 00F441DF
              • OutputDebugStringA.KERNEL32(?), ref: 00F44205
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: _fprintf$DebugFileLocalModuleNameOutputStringTime_strrchr
              • String ID: MyLogInfo: %d:%d:%d:%d $\log.txt
              • API String ID: 3038678317-2026191470
              • Opcode ID: a02f129a6c82d1d660290990a860e39067eba2ea2eed06cd1ccdf0f7537bb6d4
              • Instruction ID: c98665ce31713459e4185a3be6e4a0f910d8e10701353d902b2635569cf72fdc
              • Opcode Fuzzy Hash: a02f129a6c82d1d660290990a860e39067eba2ea2eed06cd1ccdf0f7537bb6d4
              • Instruction Fuzzy Hash: 27519EB18083809FD321DF64C881AABFBE9BFC9700F44492EF58997201EA79A544DB57
              APIs
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FC7060
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FC7090
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FC70EF
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FC7121
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
              • String ID: %2I64d:%02I64d:%02I64d$%3I64dd %02I64dh$%7I64dd$--:--:--
              • API String ID: 885266447-1858174321
              • Opcode ID: 15338b7c3e701f3f768655810094a0576890726ff5fe5e878f98e0279806a853
              • Instruction ID: 7830abdd30a35e4b85e5e4ac364316b45a56cc8f3e8e825cc4a195f1847c4783
              • Opcode Fuzzy Hash: 15338b7c3e701f3f768655810094a0576890726ff5fe5e878f98e0279806a853
              • Instruction Fuzzy Hash: 7B316A727483457EF220EA69AC83F3BB79CDBC5F54F04461CF204AB182D9A5AC8093A0
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID:
              • String ID: @$valuechanged
              • API String ID: 0-1855188102
              • Opcode ID: 3c6a608ec26089c6d83bceef656ff8e4b5eda84f54d39b287f04899addd9e04b
              • Instruction ID: 293969a59251687270ec7b075f9791561457ac6e3cd368e4ffe4ce9cff663986
              • Opcode Fuzzy Hash: 3c6a608ec26089c6d83bceef656ff8e4b5eda84f54d39b287f04899addd9e04b
              • Instruction Fuzzy Hash: 34F18276B002418BCB14DE3CC8C579977A2BBC4720F1982BADD0D9F28ECA75AC59D791
              APIs
              • GetModuleHandleW.KERNEL32(kernel32,GetNativeSystemInfo,H4f,ProductTestidSubKeyName,00000017), ref: 00F16908
              • GetProcAddress.KERNEL32(00000000), ref: 00F1690F
                • Part of subcall function 00F15860: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,?,8F2D4ADD), ref: 00F15903
                • Part of subcall function 00F15860: _memset.LIBCMT ref: 00F1591D
                • Part of subcall function 00F15860: RegQueryValueExW.ADVAPI32(00000200,?,00000000,?,?,00000200), ref: 00F15959
                • Part of subcall function 00F15860: RegCloseKey.ADVAPI32(8F2D4ADD), ref: 00F1598F
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: AddressCloseHandleModuleOpenProcQueryValue_memset
              • String ID: GetNativeSystemInfo$H4f$ProductTestidSubKeyName$ProductVerSubKey$kernel32
              • API String ID: 2143101283-471212024
              • Opcode ID: 0ef3557093f78fa46212ae35d840a7aed18e20b8892e4be5bd7ae1abd3d7edea
              • Instruction ID: 8ca9c0f0530d6f4ee6ab564d42003360d4d5f14ecad141d302ce9def49f76618
              • Opcode Fuzzy Hash: 0ef3557093f78fa46212ae35d840a7aed18e20b8892e4be5bd7ae1abd3d7edea
              • Instruction Fuzzy Hash: FC71A0B1908380DFD324DF29D842B4BBBE5AB94714F44891DF0C987282D7B9D548DBA3
              APIs
              • PtInRect.USER32(?,?,?), ref: 00F669F0
              • PtInRect.USER32(?,?,?), ref: 00F66A42
              • PtInRect.USER32(?,?,?), ref: 00F66A9A
              • LoadCursorW.USER32(00000000,00007F89), ref: 00F66ABB
              • SetCursor.USER32(00000000), ref: 00F66AC2
              • PtInRect.USER32(?,?,?), ref: 00F66B3D
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: Rect$Cursor$Load
              • String ID: link
              • API String ID: 1264107634-917281265
              • Opcode ID: 1b1b83621634787303fb7fd482934a9f62e297385e939b1a8227915c012d1b36
              • Instruction ID: daa2805777f53bac52784927eabfd7d42d6d108bdda903b81f9216f2cdcb0377
              • Opcode Fuzzy Hash: 1b1b83621634787303fb7fd482934a9f62e297385e939b1a8227915c012d1b36
              • Instruction Fuzzy Hash: 0B518171B007029BC724DF68D881A6AF3A5FFC5724F008629E968E7241DB75EC25DBD1
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: ErrorLasthtonssend
              • String ID: Sending data failed (%d)
              • API String ID: 2027122571-2319402659
              • Opcode ID: a93629e9e2fefcad7fe71ca32a99386f0dcc3efc2d84bd0bb9f1f18ef70d0a44
              • Instruction ID: e088868b03e28116f44a329963a5cfc92ed96a6de594d21898b4a09fc30dfbc7
              • Opcode Fuzzy Hash: a93629e9e2fefcad7fe71ca32a99386f0dcc3efc2d84bd0bb9f1f18ef70d0a44
              • Instruction Fuzzy Hash: 2941F6746083829FD712CF69CC81AA67BA9FF69350F240645FA99CB381D774A910CF61
              APIs
              • _memset.LIBCMT ref: 00F25280
              • GetTempPathW.KERNEL32(00000104,?,?,00000000,?), ref: 00F25292
              • CreateFileW.KERNEL32(00000000,C0000000,00000003,00000000,00000002,00000080,00000000,?,00000000,000000FF,01016248,00000001,?,?,H4f,SetupLogName), ref: 00F2536F
              • CloseHandle.KERNEL32(00000000), ref: 00F25388
              • DeleteFileW.KERNEL32(00000000), ref: 00F25396
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: File$CloseCreateDeleteHandlePathTemp_memset
              • String ID: H4f$SetupLogName
              • API String ID: 1280845822-4248536123
              • Opcode ID: 98777dc4125db281de4be29f6e0d1f16656fe827b25aee8a4b6a76deccb8f2c0
              • Instruction ID: c3216586e4bee3b55fbd9d119bb30f8e04a4f851eb0ed2027b91e5dd65d736c8
              • Opcode Fuzzy Hash: 98777dc4125db281de4be29f6e0d1f16656fe827b25aee8a4b6a76deccb8f2c0
              • Instruction Fuzzy Hash: 4B41E7B1504380AFD320EF28DC8AB5FBBE9AB84714F44451DF5858B281D7BEE944CB92
              APIs
              • GetSystemMetrics.USER32(00000059), ref: 00F172BE
              • GetSystemMetrics.USER32(00000059), ref: 00F172CF
              Strings
              • Microsoft Windows 2000, xrefs: 00F172FF
              • Microsoft Windows Server 2003, xrefs: 00F172C6
              • Microsoft Windows Server 2003 R2, xrefs: 00F172D6
              • Microsoft Windows XP Professional x64 Edition, xrefs: 00F17298
              • Microsoft Windows XP, xrefs: 00F172F6
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: MetricsSystem
              • String ID: Microsoft Windows 2000$Microsoft Windows Server 2003$Microsoft Windows Server 2003 R2$Microsoft Windows XP$Microsoft Windows XP Professional x64 Edition
              • API String ID: 4116985748-3210145729
              • Opcode ID: f3f1116fe4d4371abd652585206cecd0fd7390a625f0c3eb29e422519b7a2576
              • Instruction ID: ab58702335ae6b4095356c64d6f5fcf877bacd3b1f5c77315bdac29065251934
              • Opcode Fuzzy Hash: f3f1116fe4d4371abd652585206cecd0fd7390a625f0c3eb29e422519b7a2576
              • Instruction Fuzzy Hash: D821D372A4C3419BC328EF2DDD01B8777E4EB88B24F00452EF449C7680D6BAD444ABA6
              APIs
              • select.WS2_32(00000005,00000000,00000000,?,?), ref: 00FA8C0E
              • WSAGetLastError.WS2_32(?,?,?,?,?), ref: 00FA8C19
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: ErrorLastselect
              • String ID:
              • API String ID: 215497628-0
              • Opcode ID: 90110b64aca4798e881c43d85ebd21e0251e27c9ffabac253ce4d95fc283a305
              • Instruction ID: 253755a187dd112395ad90a38a63d49d7f5473fa84e653e1c4846af8b60d997e
              • Opcode Fuzzy Hash: 90110b64aca4798e881c43d85ebd21e0251e27c9ffabac253ce4d95fc283a305
              • Instruction Fuzzy Hash: 5AB1B5B1D047418FC734DF18C88066BB7E5FFC53B0F148A2EE499872A0EBB599469B52
              APIs
              • LoadLibraryA.KERNEL32(Wininet.dll), ref: 00F16F86
              • GetProcAddress.KERNEL32(00000000,InternetCheckConnectionA), ref: 00F16F99
              • FreeLibrary.KERNEL32(00000000), ref: 00F16FCA
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: Library$AddressFreeLoadProc
              • String ID: InternetCheckConnectionA$Wininet.dll$https://www.baidu.com/$https://www.google.com/
              • API String ID: 145871493-516931071
              • Opcode ID: cdd7b4bb04d1daec8f5ff7b414c00cda550df2e4700d06a50e3c94008395125d
              • Instruction ID: 9b288e5ba372378635a31c706b73daa34e6cd35182ad64c60073d86e58ca21ea
              • Opcode Fuzzy Hash: cdd7b4bb04d1daec8f5ff7b414c00cda550df2e4700d06a50e3c94008395125d
              • Instruction Fuzzy Hash: F8F0A03265431166D632123A7C49FEB2E994BD7F60F040018F880E914CEAAFC88292A1
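Each record above lists, per function, the Win32 and CRT calls it makes and the strings it references; the record just above is the one that resolves InternetCheckConnectionA from Wininet.dll at run time and carries two probe URLs in its string set. As an added example that is not part of the Joe Sandbox report and not code from the analysed installer, the following Python parses records in this layout and applies a few triage rules of my own: dynamic API resolution (LoadLibrary/GetModuleHandle followed by GetProcAddress), network indicators (URLs in the String ID field, WS2_32/WININET calls), a temp-directory write probe, and the log-to-file routine. The section names and line shapes are taken from the report text; the assumption that every record begins at an "APIs" header, the rule names, and the SAMPLE (four of the report's records, trimmed to the sections the parser reads) are mine.

```python
"""Parse the per-function 'Joe Sandbox IDA Plugin' records of this report
(APIs / Strings / Memory Dump Source / Similarity sections) and triage them.
Added example, not part of the Joe Sandbox report and not EaseUS code: the
record layout is inferred from the report text, the triage rules are my own,
and SAMPLE is constructed from four of the report's records, trimmed."""
import re

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# e.g. "GetProcAddress.KERNEL32(00000000,InternetCheckConnectionA), ref: 00F16F99"
API_RE = re.compile(r"^(?:Part of subcall function (?P<callee>[0-9A-F]+):\s*)?"
                    r"(?P<name>[^.(]+)\.(?P<dll>[A-Z0-9_]+)"
                    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$")
HEX_RE = re.compile(r"^[0-9A-F]{8}$")  # stack residue the report prints among the arguments
LOADERS = ("LoadLibraryA", "LoadLibraryW", "GetModuleHandleA", "GetModuleHandleW")


def parse_records(text):
    """Each record starts at an 'APIs' header. Returns dicts with 'apis' (direct
    calls), 'subcalls' (calls reached through callees), 'strings' (text, xref)
    and 'meta' (the key: value lines of the remaining sections)."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":
                rec = {"apis": [], "subcalls": [], "strings": [], "meta": {}}
                records.append(rec)
            section = line
            continue
        if rec is None or not line.startswith("•"):
            continue
        body = line.lstrip("• ").strip()
        if section == "APIs":
            m = API_RE.match(body)
            if m:
                entry = m.groupdict()
                entry["args"] = [a for a in (entry["args"] or "").split(",") if a]
                rec["subcalls" if entry["callee"] else "apis"].append(entry)
        elif section == "Strings":
            rec["strings"].append(tuple(body.rsplit(", xrefs: ", 1)))
        else:
            key, _, value = body.partition(":")
            # "Download File" is the page's link label glued onto the Associated entries
            rec["meta"][key.strip()] = value.replace("Download File", "").strip()
    return records


def string_ids(rec):
    return [s for s in rec["meta"].get("String ID", "").split("$") if s]


def triage(rec):
    """(tag, detail) findings for one record; the rules are illustrative."""
    out, by_name = [], {a["name"]: a for a in rec["apis"]}
    if "GetProcAddress" in by_name:
        resolved = [a for a in by_name["GetProcAddress"]["args"] if a != "?" and not HEX_RE.match(a)]
        libs = [a["args"][0] for a in rec["apis"] if a["name"] in LOADERS and a["args"]]
        out.append(("dynamic-api-resolution", {"libraries": libs, "resolved": resolved}))
    urls = [s for s in string_ids(rec) if s.startswith(("http://", "https://"))]
    if urls or any(a["dll"] in ("WS2_32", "WININET") for a in rec["apis"]):
        out.append(("network", {"urls": urls}))
    if {"GetTempPathW", "CreateFileW", "DeleteFileW"} <= set(by_name):
        out.append(("temp-file-write-probe", {"refs": [by_name[n]["ref"] for n in ("CreateFileW", "DeleteFileW")]}))
    if {"GetModuleFileNameA", "OutputDebugStringA"} <= set(by_name):
        out.append(("local-log-file", {"strings": [s for s in string_ids(rec) if s.endswith(".txt")]}))
    return out


def summarize(text):
    """Findings keyed by the report's own 'API String ID' of each function."""
    return {r["meta"].get("API String ID", str(i)): triage(r) for i, r in enumerate(parse_records(text))}


SAMPLE = r"""
APIs
• LoadLibraryA.KERNEL32(Wininet.dll), ref: 00F16F86
• GetProcAddress.KERNEL32(00000000,InternetCheckConnectionA), ref: 00F16F99
• FreeLibrary.KERNEL32(00000000), ref: 00F16FCA
Strings
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: InternetCheckConnectionA$Wininet.dll$https://www.baidu.com/$https://www.google.com/
• API String ID: 145871493-516931071
APIs
• _memset.LIBCMT ref: 00F25280
• GetTempPathW.KERNEL32(00000104,?,?,00000000,?), ref: 00F25292
• CreateFileW.KERNEL32(00000000,C0000000,00000003,00000000,00000002,00000080,00000000,?,00000000,000000FF,01016248,00000001,?,?,H4f,SetupLogName), ref: 00F2536F
• CloseHandle.KERNEL32(00000000), ref: 00F25388
• DeleteFileW.KERNEL32(00000000), ref: 00F25396
Similarity
• String ID: H4f$SetupLogName
• API String ID: 1280845822-4248536123
APIs
• GetModuleFileNameA.KERNEL32(00000000,00000048,00000104,8F2D4ADD,00000008,?,?,00000000), ref: 00F440AF
• _strrchr.LIBCMT ref: 00F440BC
• GetLocalTime.KERNEL32 ref: 00F44105
• _fprintf.LIBCMT ref: 00F441BE
• OutputDebugStringA.KERNEL32(?), ref: 00F44205
Similarity
• String ID: MyLogInfo: %d:%d:%d:%d $\log.txt
• API String ID: 3038678317-2026191470
APIs
• GetModuleHandleW.KERNEL32(kernel32,GetNativeSystemInfo,H4f,ProductTestidSubKeyName,00000017), ref: 00F16908
• GetProcAddress.KERNEL32(00000000), ref: 00F1690F
  • Part of subcall function 00F15860: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,?,8F2D4ADD), ref: 00F15903
  • Part of subcall function 00F15860: RegQueryValueExW.ADVAPI32(00000200,?,00000000,?,?,00000200), ref: 00F15959
Similarity
• String ID: GetNativeSystemInfo$H4f$ProductTestidSubKeyName$ProductVerSubKey$kernel32
• API String ID: 2143101283-471212024
"""

if __name__ == "__main__":
    for key, findings in summarize(SAMPLE).items():
        print(key, findings)
```

The GetProcAddress argument is only recovered where the report managed to print it (InternetCheckConnectionA in the first sample record). In the GetModuleHandleW record the call shows only a hex argument and the resolved name, GetNativeSystemInfo, survives only in the String ID field, so a reviewer should cross-check that field rather than trust the call arguments alone; the same goes for the registry calls, which this rule set sees only as subcalls.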
              APIs
                • Part of subcall function 00F4A110: _wcsncpy.LIBCMT ref: 00F4A1A1
              • GetFileSize.KERNEL32(00000000,00000000), ref: 00F823BC
              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00F8240A
              • CloseHandle.KERNEL32(00000000), ref: 00F82411
              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00F82388
                • Part of subcall function 00F49FD0: _malloc.LIBCMT ref: 00F4A01D
              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00F82564
              • GetFileSize.KERNEL32(00000000,00000000), ref: 00F82574
              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000), ref: 00F8259D
              • CloseHandle.KERNEL32(00000000), ref: 00F825A4
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: File$CloseCreateHandleReadSize$_malloc_wcsncpy
              • String ID:
              • API String ID: 2364347979-0
              • Opcode ID: fda2a26ceb2d5541a7bacb2f65598bb733f46030c73cd4c4cf0c8ab2b382fd41
              • Instruction ID: 27defbf14e486dc9a574019af6678d9bae09f8258e3ab1b7087761b3e0dbc3c0
              • Opcode Fuzzy Hash: fda2a26ceb2d5541a7bacb2f65598bb733f46030c73cd4c4cf0c8ab2b382fd41
              • Instruction Fuzzy Hash: 8D8127B2948340EBD771EF24DC85B5F73E8AF84720F184A19F4859B281EB79E9049793
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: _strncmp
              • String ID: I32$I64
              • API String ID: 909875538-3980630743
              • Opcode ID: a721b5086170cd4b312f56f87b49f4a64a00086f1a063d9ea115adb2e21f665f
              • Instruction ID: 2493a578f697aa50c19855cdf246f645135cf3b7ea5dbcbd22d99d45181f0fd5
              • Opcode Fuzzy Hash: a721b5086170cd4b312f56f87b49f4a64a00086f1a063d9ea115adb2e21f665f
              • Instruction Fuzzy Hash: 18E1F2B2904706CFD304CF14CA81F69B7A0FF84B58F28896DD84A4B252E77AF596DB41
              APIs
              • DeleteObject.GDI32(?), ref: 00F4B379
              • DestroyWindow.USER32(?,?,?,?,?,?), ref: 00F4B3A9
              • DeleteDC.GDI32(?), ref: 00F4B3CC
              • DeleteDC.GDI32(?), ref: 00F4B3D9
              • DeleteObject.GDI32(?), ref: 00F4B3E6
              • DeleteObject.GDI32(?), ref: 00F4B3F3
              • ReleaseDC.USER32(?,?), ref: 00F4B407
                • Part of subcall function 00FDB0A2: __lock.LIBCMT ref: 00FDB0C0
                • Part of subcall function 00FDB0A2: ___sbh_find_block.LIBCMT ref: 00FDB0CB
                • Part of subcall function 00FDB0A2: ___sbh_free_block.LIBCMT ref: 00FDB0DA
                • Part of subcall function 00FDB0A2: RtlFreeHeap.NTDLL(00000000,?,01028420,0000000C,00FE4923,00000000,01028990,0000000C,00FE495D,?,?,?,00FEF11D,00000004,01028BE0,0000000C), ref: 00FDB10A
                • Part of subcall function 00FDB0A2: GetLastError.KERNEL32(?,00FEF11D,00000004,01028BE0,0000000C,00FE429F,?,?,00000000,00000000,00000000,?,00FE58EA,00000001,00000214), ref: 00FDB11B
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: Delete$Object$DestroyErrorFreeHeapLastReleaseWindow___sbh_find_block___sbh_free_block__lock
              • String ID:
              • API String ID: 3455866663-0
              • Opcode ID: 0b3fd8d9a1a71ff3f85aecfceb5fc63407e8deb29d3832b7dc0132c3079f0916
              • Instruction ID: f2ca030349259713afd61ae885b38c43b5d3339c14ed0dc01f8643277d2204e3
              • Opcode Fuzzy Hash: 0b3fd8d9a1a71ff3f85aecfceb5fc63407e8deb29d3832b7dc0132c3079f0916
              • Instruction Fuzzy Hash: 329162B1A007019BE620DF75CC85BABB7EDAF54710F094929F85AC7242EB39F904E761
              APIs
              • __wcsicoll.LIBCMT ref: 00F532B3
              • _memset.LIBCMT ref: 00F533AE
                • Part of subcall function 00FDB3B2: _malloc.LIBCMT ref: 00FDB3CC
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: __wcsicoll_malloc_memset
              • String ID: %$ListContainerElement$cover$true
              • API String ID: 773177119-1578051369
              • Opcode ID: 9223701dd2c9b29cda44e4ed79d1a4d30e423b7800a6add8428d7de364116896
              • Instruction ID: f32b8645be6f3d81c304bfad5ee8ce9bda4679fd52e60325f482e22fce5bad35
              • Opcode Fuzzy Hash: 9223701dd2c9b29cda44e4ed79d1a4d30e423b7800a6add8428d7de364116896
              • Instruction Fuzzy Hash: CD71A331A042429BD720DF58C881B6EB3E5BFC8395F54052DEE8987241EB35DE49EB42
              APIs
              • LoadCursorW.USER32(00000000,00007F01), ref: 00F833F4
              • SetCursor.USER32(00000000), ref: 00F833FB
              • IsWindow.USER32(?), ref: 00F83488
              • ShowWindow.USER32(?,00000001), ref: 00F83498
              • ReleaseCapture.USER32 ref: 00F83510
              • IsWindow.USER32(?), ref: 00F8356E
              • ShowWindow.USER32(?,00000001), ref: 00F8357E
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: Window$CursorShow$CaptureLoadRelease
              • String ID:
              • API String ID: 3716655541-0
              • Opcode ID: 7893e792a19c5c6e7d94c990d3acc79aea55da8e8694db57f6afa281d646bc40
              • Instruction ID: 86753e78d66a5da91f901fc3214c523d9ab964ba0173f497e498c8556000dcda
              • Opcode Fuzzy Hash: 7893e792a19c5c6e7d94c990d3acc79aea55da8e8694db57f6afa281d646bc40
              • Instruction Fuzzy Hash: 2951D671B002039BDA25EF68D884BF9B396BF84720F184265E919CB361CB36ED51E7D1
              APIs
                • Part of subcall function 00F1A270: std::_String_base::_Xlen.LIBCPMT ref: 00F1A2BF
                • Part of subcall function 00F1A270: _memcpy_s.LIBCMT ref: 00F1A32A
                • Part of subcall function 00F121D0: _memcpy_s.LIBCMT ref: 00F12255
              • CreateThread.KERNEL32(00000000,00000000,00F97BC0,?,00000000,00000000), ref: 00F979EA
              • CreateThread.KERNEL32(00000000,00000000,00F98910,?,00000000,00000000), ref: 00F97A7B
                • Part of subcall function 00F96740: PeekMessageW.USER32(00000000,00000000,00000000,00000000,00000001), ref: 00F9676E
                • Part of subcall function 00F96740: TranslateMessage.USER32(?), ref: 00F9678A
                • Part of subcall function 00F96740: DispatchMessageW.USER32(?), ref: 00F96791
              • CloseHandle.KERNEL32(00000000), ref: 00F97A8B
              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00F97A90
              • CloseHandle.KERNEL32(00000000), ref: 00F97A9D
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: Message$CloseCreateHandleThread_memcpy_s$DispatchObjectPeekSingleString_base::_TranslateWaitXlenstd::_
              • String ID: .temp
              • API String ID: 1980237086-2462334126
              • Opcode ID: a1724b3a6fc0cd0fd65286c36de05f4e3eafe135c8f9fac9127f95b8e4f04b27
              • Instruction ID: c3f999f346d093d654eac3018cab34a18906df074970aa29f73ff3f277124252
              • Opcode Fuzzy Hash: a1724b3a6fc0cd0fd65286c36de05f4e3eafe135c8f9fac9127f95b8e4f04b27
              • Instruction Fuzzy Hash: 2A51CFB150C3849BEB21EF28CC41B8FBBE5AB85710F104A2DF69847391DB79A544CB93
              APIs
              • CharNextW.USER32(00000000,00000000,?,?,?,00F48BDA,?), ref: 00F48F21
              • CharNextW.USER32(00000000,00000000,?,?,?,00F48BDA,?), ref: 00F48F59
              • CharNextW.USER32(00000000,?,00000022,00000000,?,?,?,00F48BDA,?), ref: 00F48FBC
              Strings
              • Error while parsing attributes, xrefs: 00F48FDF
              • Error while parsing attribute string, xrefs: 00F49012
              • Expected attribute value, xrefs: 00F48FF4
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: CharNext
              • String ID: Error while parsing attribute string$Error while parsing attributes$Expected attribute value
              • API String ID: 3213498283-2127762582
              • Opcode ID: d83515d12f6113d2ac9dd944ee209c528f4b14767aabdea35b6326f85715d91a
              • Instruction ID: 04e0fe2cd9cef2d505c202ade01157af88520ee849857a98e4bf14f62c145407
              • Opcode Fuzzy Hash: d83515d12f6113d2ac9dd944ee209c528f4b14767aabdea35b6326f85715d91a
              • Instruction Fuzzy Hash: 9B41B332A002408FD320BF6CD840A5AB7F6FF553B0B50486AE985CB291EBB55CC6E794
              APIs
              Strings
              • the ioctl callback returned %d, xrefs: 00FC8F0E
              • Cannot rewind mime/post data, xrefs: 00FC8F7E
              • seek callback returned error %d, xrefs: 00FC8ECA
              • necessary data rewind wasn't possible, xrefs: 00FC8F5B
              • ioctl callback returned error %d, xrefs: 00FC8F21
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: _fseek
              • String ID: Cannot rewind mime/post data$ioctl callback returned error %d$necessary data rewind wasn't possible$seek callback returned error %d$the ioctl callback returned %d
              • API String ID: 2937370855-959247533
              • Opcode ID: 83edd4a473566c26c98f117314977a9f7a735672a6815dc600c8702af63a3ffe
              • Instruction ID: 0b40d5615ed0a6a05acda21db3ed71e51286a5b2534084b8131a76ed7a3e8d3c
              • Opcode Fuzzy Hash: 83edd4a473566c26c98f117314977a9f7a735672a6815dc600c8702af63a3ffe
              • Instruction Fuzzy Hash: D8314671A107006FF231A638ED47FEB72859F927A0F14052CF5589A1C1EBB8B887D295
              APIs
              • _memset.LIBCMT ref: 00FD0E64
              • VerSetConditionMask.KERNEL32(00000000,00000000,00000002,?), ref: 00FD0EB6
              • VerSetConditionMask.KERNEL32(00000000,?,00000001,?), ref: 00FD0EC1
              • VerSetConditionMask.KERNEL32(00000000,?,00000020,?,?,00000001,?), ref: 00FD0ECC
              • VerSetConditionMask.KERNEL32(00000000,?,00000010,?,?,00000020,?,?,00000001,?), ref: 00FD0ED7
              • VerSetConditionMask.KERNEL32(00000000,?,00000008,00000001,?,00000010,?,?,00000020,?,?,00000001,?), ref: 00FD0EE3
              • VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 00FD0EEE
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: ConditionMask$InfoVerifyVersion_memset
              • String ID:
              • API String ID: 3299124433-0
              • Opcode ID: a6c7c7710ed49577f6624fb819bdb4c302d97da356c7af47ad9aaa199365a495
              • Instruction ID: 23b77942c1cbfceb3a30da6782033972657225172bbe9156991f3e69a42b1215
              • Opcode Fuzzy Hash: a6c7c7710ed49577f6624fb819bdb4c302d97da356c7af47ad9aaa199365a495
              • Instruction Fuzzy Hash: A2317271508385ABD325DF648C45BABBBE9ABD9700F084D0EF1C84B381CBB59544DBA3
              APIs
              • CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 00F456C9
              • Process32FirstW.KERNEL32(00000000,?), ref: 00F456E2
              • OpenProcess.KERNEL32(00000001,00000000,0000022C,?,?,?), ref: 00F4571C
              • TerminateProcess.KERNEL32(00000000,00000009), ref: 00F45727
              • CloseHandle.KERNEL32(00000000), ref: 00F4572A
              • Process32NextW.KERNEL32(?,?), ref: 00F45736
              • CloseHandle.KERNEL32(00000000,?), ref: 00F45742
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
              • String ID:
              • API String ID: 2696918072-0
              • Opcode ID: d24e92740dcca68b24f88c38127fa079be4ba4096537e9efe5bd08023053dff1
              • Instruction ID: 4ce5246297ceac6d528515fd2632de7fbfab34defe722cd61ae666ab43d9b107
              • Opcode Fuzzy Hash: d24e92740dcca68b24f88c38127fa079be4ba4096537e9efe5bd08023053dff1
              • Instruction Fuzzy Hash: 0D31B071504344ABD320EF64CC86F6BB7E9FF85754F044A2EF5858B241E639A8048796
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: CountFocusTick
              • String ID: killfocus$setfocus
              • API String ID: 3897604831-1991930995
              • Opcode ID: 03279e378b21e4665a070d12c95195e9d09d0decdcbf5ff6cdf8538ce11f245c
              • Instruction ID: 957e36a1f14af2126f949741c1b11f61a525614ab5583e919eeb11ddcae716fa
              • Opcode Fuzzy Hash: 03279e378b21e4665a070d12c95195e9d09d0decdcbf5ff6cdf8538ce11f245c
              • Instruction Fuzzy Hash: 58411B70A04742AFC754DF28C881B5AFBE1BB88710F108A2DE99DD7381DB75A949CBC5
              APIs
              • GetClientRect.USER32(?,?), ref: 00F80B02
              • GetGUIThreadInfo.USER32 ref: 00F80B6D
              • ClientToScreen.USER32(?,?), ref: 00F80B95
              • ScreenToClient.USER32(?,?), ref: 00F80BB4
              • PtInRect.USER32(?,?,00000000), ref: 00F80BC9
                • Part of subcall function 00F74080: CreatePenIndirect.GDI32(?), ref: 00F740B9
                • Part of subcall function 00F74080: SelectObject.GDI32(?,00000000), ref: 00F740C9
                • Part of subcall function 00F74080: MoveToEx.GDI32(?,00000000,?,?), ref: 00F740E6
                • Part of subcall function 00F74080: LineTo.GDI32(?,?,?), ref: 00F740F5
                • Part of subcall function 00F74080: SelectObject.GDI32(?,?), ref: 00F74101
                • Part of subcall function 00F74080: DeleteObject.GDI32(00000000), ref: 00F74104
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: ClientObject$RectScreenSelect$CreateDeleteIndirectInfoLineMoveThread
              • String ID: 0
              • API String ID: 3254868366-4108050209
              • Opcode ID: 839c113e0a3776b00368b4c5238fd661f377f3d7e7a2c2562526565dc6f16972
              • Instruction ID: 66e253d44f79faa3547b5400331a531c45d1c719bc9ca2cca771d8067aa357d0
              • Opcode Fuzzy Hash: 839c113e0a3776b00368b4c5238fd661f377f3d7e7a2c2562526565dc6f16972
              • Instruction Fuzzy Hash: 3241D4B46043019FD314DF14C884B5ABBE5BBC9714F108A5DF989873A0DB71E945CB96
              APIs
              • std::_Lockit::_Lockit.LIBCPMT ref: 00F1EA6B
              • std::_Lockit::_Lockit.LIBCPMT ref: 00F1EA91
              • std::bad_exception::bad_exception.LIBCMT ref: 00F1EB15
              • __CxxThrowException@8.LIBCMT ref: 00F1EB24
              • std::locale::facet::facet_Register.LIBCPMT ref: 00F1EB3B
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: LockitLockit::_std::_$Exception@8RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::facet_
              • String ID: bad cast
              • API String ID: 2820251361-3145022300
              • Opcode ID: 2ee1d4a28977cf59a28cc38c5e09c7b1667a850d4bb237b4e80165e6ea0231c4
              • Instruction ID: 2d65020bbd5c99011f71204aca9987b6d55c9cbef68220357e3f3b9d668a88ac
              • Opcode Fuzzy Hash: 2ee1d4a28977cf59a28cc38c5e09c7b1667a850d4bb237b4e80165e6ea0231c4
              • Instruction Fuzzy Hash: 7C31C3719043009FC725EF14D881B9A77E8FF54320F48451EF89297281DB3EAE45EB92
              APIs
              • std::_Lockit::_Lockit.LIBCPMT ref: 00F1EB9B
              • std::_Lockit::_Lockit.LIBCPMT ref: 00F1EBC1
              • std::bad_exception::bad_exception.LIBCMT ref: 00F1EC45
              • __CxxThrowException@8.LIBCMT ref: 00F1EC54
              • std::locale::facet::facet_Register.LIBCPMT ref: 00F1EC6B
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: LockitLockit::_std::_$Exception@8RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::facet_
              • String ID: bad cast
              • API String ID: 2820251361-3145022300
              • Opcode ID: b21602d6fffe706c7fe12f932dff95747533cf1eb6a361f3d4158f48cacf07d9
              • Instruction ID: 128a428f332b99c22822f38752ea478c44610f49fb9cce4a3e766027b791ac2d
              • Opcode Fuzzy Hash: b21602d6fffe706c7fe12f932dff95747533cf1eb6a361f3d4158f48cacf07d9
              • Instruction Fuzzy Hash: 7A31C171904300DFD724EF14DC81B9A77E4FB44320F480A1EE89297391EB3AAA84DBD2
              APIs
              • std::_Lockit::_Lockit.LIBCPMT ref: 00F1ED9B
              • std::_Lockit::_Lockit.LIBCPMT ref: 00F1EDC1
              • std::bad_exception::bad_exception.LIBCMT ref: 00F1EE45
              • __CxxThrowException@8.LIBCMT ref: 00F1EE54
              • std::locale::facet::facet_Register.LIBCPMT ref: 00F1EE6B
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: LockitLockit::_std::_$Exception@8RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::facet_
              • String ID: bad cast
              • API String ID: 2820251361-3145022300
              • Opcode ID: 5f0b68dcec54bd8ccd716d2c98e750ce9b139f4672ea36edf2e398e455898cc5
              • Instruction ID: 6180fedf4caabf067371dc9f7f576252bda4c0f8c4a50238b8748ef23bec5992
              • Opcode Fuzzy Hash: 5f0b68dcec54bd8ccd716d2c98e750ce9b139f4672ea36edf2e398e455898cc5
              • Instruction Fuzzy Hash: 1931E4759043409FD728EF24D881B9A73E4BF44720F09461EFC9297281DB3AED85DB92
              APIs
              • std::_Lockit::_Lockit.LIBCPMT ref: 00F1EF2B
              • std::_Lockit::_Lockit.LIBCPMT ref: 00F1EF51
              • std::bad_exception::bad_exception.LIBCMT ref: 00F1EFD5
              • __CxxThrowException@8.LIBCMT ref: 00F1EFE4
              • std::locale::facet::facet_Register.LIBCPMT ref: 00F1EFFB
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: LockitLockit::_std::_$Exception@8RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::facet_
              • String ID: bad cast
              • API String ID: 2820251361-3145022300
              • Opcode ID: 046b0dfbe01ec775997db1192db0a21e1316bd4e773e9467513c98899804d53c
              • Instruction ID: 99510f017487bd8d42e998e08142e1f3c294525478436c2c0c712e3aeafedb94
              • Opcode Fuzzy Hash: 046b0dfbe01ec775997db1192db0a21e1316bd4e773e9467513c98899804d53c
              • Instruction Fuzzy Hash: F431D2719043009FC724EF10D881BAA73E4BB44324F48061EFD92973D2DB3AA985DB92
              APIs
              • std::_Lockit::_Lockit.LIBCPMT ref: 00F2B4FB
              • std::_Lockit::_Lockit.LIBCPMT ref: 00F2B521
              • std::bad_exception::bad_exception.LIBCMT ref: 00F2B5A5
              • __CxxThrowException@8.LIBCMT ref: 00F2B5B4
              • std::locale::facet::facet_Register.LIBCPMT ref: 00F2B5CB
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: LockitLockit::_std::_$Exception@8RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::facet_
              • String ID: bad cast
              • API String ID: 2820251361-3145022300
              • Opcode ID: c5972d1d6e66128ff6c504413ce4a5f895692d71130cc3cfff85ca33c69bc39e
              • Instruction ID: 542e912b07c4adae914ec5af5e11488ee9ad1d3f102ac5051474438e28b320dc
              • Opcode Fuzzy Hash: c5972d1d6e66128ff6c504413ce4a5f895692d71130cc3cfff85ca33c69bc39e
              • Instruction Fuzzy Hash: 6331B2719043109FC728DF24E882B5A73E4EB54720F08465EFD929B295DB39ED05EB92
              APIs
              Strings
              • ProductName, xrefs: 00F17489
              • SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 00F17430
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: CloseOpenQueryValue_memset
              • String ID: ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
              • API String ID: 3211720786-1787575317
              • Opcode ID: 6339b5e8f84fd0180a79a37ce0f29e9c54f31a80719df9408604018967ff0553
              • Instruction ID: 7b443a9755f1a4ac302a002e2ad288467176abd9aa84495dd5d5157315173d83
              • Opcode Fuzzy Hash: 6339b5e8f84fd0180a79a37ce0f29e9c54f31a80719df9408604018967ff0553
              • Instruction Fuzzy Hash: BC318C75548341ABD321DF15D849AABBBF9FFC8714F508A1EF089C7240E778A604CB92
              APIs
                • Part of subcall function 00F4AB50: GetKeyState.USER32(00000011), ref: 00F4AB5C
                • Part of subcall function 00F4AB50: GetKeyState.USER32(00000002), ref: 00F4AB6A
                • Part of subcall function 00F4AB50: GetKeyState.USER32(00000001), ref: 00F4AB76
                • Part of subcall function 00F4AB50: GetKeyState.USER32(00000010), ref: 00F4AB82
                • Part of subcall function 00F4AB50: GetKeyState.USER32(00000012), ref: 00F4AB8E
              • GetTickCount.KERNEL32 ref: 00F4C0C3
              • GetActiveWindow.USER32 ref: 00F4C13D
              • GetWindow.USER32(?,00000004), ref: 00F4C14A
              • GetWindowLongW.USER32(?,000000F0), ref: 00F4C15B
              • GetParent.USER32(?), ref: 00F4C16F
              • SetFocus.USER32(00000000), ref: 00F4C17C
              • DestroyWindow.USER32(?), ref: 00F4C191
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: State$Window$ActiveCountDestroyFocusLongParentTick
              • String ID:
              • API String ID: 3380778118-0
              • Opcode ID: 389a7f34a0e7b704a4f5465511104da7c113c998cca5241bfd3c2f3a4a4ffe63
              • Instruction ID: 8b5706c51c72f323182de2ee329769aa101e3c068d8d34113f3df151d8c64e88
              • Opcode Fuzzy Hash: 389a7f34a0e7b704a4f5465511104da7c113c998cca5241bfd3c2f3a4a4ffe63
              • Instruction Fuzzy Hash: E3310A74509341CFE775CF64C894B9AB7E2BF88310F048A6EE989DB345DB359801DBA2
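Added triage example, not part of the Joe Sandbox report and not code from the analysed installer: a Python script that parses the bullet lines of the "APIs" blocks in the format this report prints them and applies three rules to the entries at 00FD0E64 (VerSetConditionMask/VerifyVersionInfoW), 00F456C9 (CreateToolhelp32Snapshot/OpenProcess/TerminateProcess) and the subcall 00F4AB50 (GetKeyState). The constants it decodes are Windows SDK values: OpenProcess's first argument 00000001 is PROCESS_TERMINATE, the TerminateProcess exit code is 9, VerifyVersionInfoW's dwTypeMask 00000033 is VER_MAJORVERSION|VER_MINORVERSION|VER_SERVICEPACKMAJOR|VER_SERVICEPACKMINOR, and the five GetKeyState arguments 0x11, 0x02, 0x01, 0x10 and 0x12 are VK_CONTROL, VK_RBUTTON, VK_LBUTTON, VK_SHIFT and VK_MENU. The rule names and the SAMPLE dictionary are this example's own; the sample lines inside it are copied from the entries above.

```python
"""Decode Joe Sandbox 'APIs' bullet lines into (api, module, args) and apply
a few triage rules.  Added example for this report; it is not Joe Sandbox code
and the rule names are this example's own."""
import re
from typing import Dict, List, Optional, Tuple

Call = Tuple[str, str, List[Optional[int]]]  # (api, module, args); None for '?'

# Constructed sample: lines copied from three function entries in this report.
SAMPLE: Dict[str, str] = {
    "00F456C9": """\
• CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 00F456C9
• Process32FirstW.KERNEL32(00000000,?), ref: 00F456E2
• OpenProcess.KERNEL32(00000001,00000000,0000022C,?,?,?), ref: 00F4571C
• TerminateProcess.KERNEL32(00000000,00000009), ref: 00F45727
• CloseHandle.KERNEL32(00000000), ref: 00F4572A
• Process32NextW.KERNEL32(?,?), ref: 00F45736
• CloseHandle.KERNEL32(00000000,?), ref: 00F45742""",
    "00F4C0C3": """\
  • Part of subcall function 00F4AB50: GetKeyState.USER32(00000011), ref: 00F4AB5C
  • Part of subcall function 00F4AB50: GetKeyState.USER32(00000002), ref: 00F4AB6A
  • Part of subcall function 00F4AB50: GetKeyState.USER32(00000001), ref: 00F4AB76
  • Part of subcall function 00F4AB50: GetKeyState.USER32(00000010), ref: 00F4AB82
  • Part of subcall function 00F4AB50: GetKeyState.USER32(00000012), ref: 00F4AB8E
• GetTickCount.KERNEL32 ref: 00F4C0C3
• GetActiveWindow.USER32 ref: 00F4C13D
• DestroyWindow.USER32(?), ref: 00F4C191""",
    "00FD0E64": """\
• _memset.LIBCMT ref: 00FD0E64
• VerSetConditionMask.KERNEL32(00000000,00000000,00000002,?), ref: 00FD0EB6
• VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 00FD0EEE""",
}

# One bullet line: optional "Part of subcall function X:" prefix, then
# api.MODULE(args) with an optional trailing comma, then "ref: <address>".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<api>.+?)\.(?P<module>[A-Z0-9]+)(?:\((?P<args>.*)\))?,?\s+ref:\s*[0-9A-F]+\s*$"
)

PROCESS_TERMINATE = 0x0001  # OpenProcess desired-access bit (Windows SDK)
ENUM_APIS = {"Process32FirstW", "Process32NextW"}
VK_NAMES = {0x01: "VK_LBUTTON", 0x02: "VK_RBUTTON", 0x10: "VK_SHIFT",
            0x11: "VK_CONTROL", 0x12: "VK_MENU"}
VER_TYPE_BITS = {0x01: "VER_MINORVERSION", 0x02: "VER_MAJORVERSION",
                 0x04: "VER_BUILDNUMBER", 0x08: "VER_PLATFORMID",
                 0x10: "VER_SERVICEPACKMINOR", 0x20: "VER_SERVICEPACKMAJOR",
                 0x40: "VER_SUITENAME", 0x80: "VER_PRODUCT_TYPE"}


def parse_calls(block: str) -> List[Call]:
    """Turn the bullet lines of one 'APIs' block into (api, module, args)."""
    calls: List[Call] = []
    for line in block.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headings such as 'Strings' or 'Memory Dump Source'
        raw = m.group("args")
        args = [] if not raw else [None if a == "?" else int(a, 16)
                                   for a in raw.split(",")]
        calls.append((m.group("api"), m.group("module"), args))
    return calls


def triage(calls: List[Call]) -> List[str]:
    """Apply the rules; each finding is a short, self-explanatory string."""
    names = {api for api, _, _ in calls}
    findings: List[str] = []

    # Rule 1: enumerate-and-kill loop.  Fires only when OpenProcess asks for
    # PROCESS_TERMINATE, the right that TerminateProcess on that handle needs.
    for api, _, args in calls:
        asks_terminate = (api == "OpenProcess" and args and args[0] is not None
                          and args[0] & PROCESS_TERMINATE)
        if asks_terminate and "TerminateProcess" in names and names & ENUM_APIS:
            code = next((a[1] for n, _, a in calls
                         if n == "TerminateProcess" and len(a) > 1), None)
            findings.append("process-kill loop: OpenProcess(PROCESS_TERMINATE) + "
                            f"TerminateProcess(exit code {code})")
            break

    # Rule 2: key-state polling.  Name the virtual keys so the reader can see
    # whether any character key is among them.
    keys = sorted({args[0] for api, _, args in calls
                   if api == "GetKeyState" and args and args[0] is not None})
    if keys:
        findings.append("GetKeyState polling: " + ", ".join(
            VK_NAMES.get(k, f"0x{k:02X}") for k in keys))

    # Rule 3: OS-version gate.  Decode VerifyVersionInfoW's dwTypeMask bits.
    for api, _, args in calls:
        if api == "VerifyVersionInfoW" and len(args) > 1 and args[1] is not None:
            fields = [n for bit, n in sorted(VER_TYPE_BITS.items()) if args[1] & bit]
            findings.append("VerifyVersionInfoW compares: " + "|".join(fields))
    return findings


def triage_report(entries: Dict[str, str]) -> Dict[str, List[str]]:
    """Run triage over every entry; keys are the entries' first ref addresses."""
    return {ref: triage(parse_calls(block)) for ref, block in entries.items()}


if __name__ == "__main__":
    for ref, found in triage_report(SAMPLE).items():
        print(ref, found)
```

Decoding the arguments is what turns the signature names into something a reviewer can weigh. The OpenProcess access mask shows the loop really terminates the processes it finds in the snapshot rather than only inspecting them. The polled keys are two mouse buttons and three modifiers and no character keys, the set a GUI framework typically reads when it synthesises modifier flags for its own mouse events, so for this sample the key-state polling is weak evidence on its own. The dwTypeMask of 0x33 shows the version check compares major, minor and service-pack numbers, which is a compatibility gate rather than a build-number match.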
              APIs
              • ___set_flsgetvalue.LIBCMT ref: 00FE228D
              • __calloc_crt.LIBCMT ref: 00FE2299
              • __getptd.LIBCMT ref: 00FE22A6
              • __initptd.LIBCMT ref: 00FE22AF
              • CreateThread.KERNEL32(?,?,00FE21D9,00000000,?,?), ref: 00FE22DD
              • GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 00FE22E7
              • __dosmaperr.LIBCMT ref: 00FE22FF
                • Part of subcall function 00FE0A22: __getptd_noexit.LIBCMT ref: 00FE0A22
                • Part of subcall function 00FDB267: __decode_pointer.LIBCMT ref: 00FDB272
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit__initptd
              • String ID:
              • API String ID: 3358092440-0
              • Opcode ID: 1136aaf259c273efb5d7107d289f555ab043edaeca62755a3fa932230286b8e7
              • Instruction ID: bbd6052cacfb758a813b6de954321f9904b36191ae9e3b105dc7f5110ed25c4a
              • Opcode Fuzzy Hash: 1136aaf259c273efb5d7107d289f555ab043edaeca62755a3fa932230286b8e7
              • Instruction Fuzzy Hash: AD11E772500289EFDB11BFA6DC4689E77A9EF14724B10403AF50192151EB79D950BB60
              APIs
              • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,00F97CC5), ref: 00F967C3
              • CloseHandle.KERNEL32(00000000,?,00F97CC5), ref: 00F967EE
              • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000,?,00F97CC5), ref: 00F9681E
              • CloseHandle.KERNEL32(00000000,?,00F97CC5), ref: 00F96829
              • SetEndOfFile.KERNEL32(00000000,?,00F97CC5), ref: 00F9683F
              • CloseHandle.KERNEL32(00000000,?,00F97CC5), ref: 00F9684A
              • CloseHandle.KERNEL32(00000000,?,00F97CC5), ref: 00F96860
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: CloseHandle$File$CreatePointer
              • String ID:
              • API String ID: 2551779904-0
              • Opcode ID: 3eac5a71462ef0fa6fd2c7897296c405380c78232adc1bfa8036d073214d721a
              • Instruction ID: 2b2f694d2d26e11a5e5f53084234e4b8e5fc3ed09bff95012201879364f2bf01
              • Opcode Fuzzy Hash: 3eac5a71462ef0fa6fd2c7897296c405380c78232adc1bfa8036d073214d721a
              • Instruction Fuzzy Hash: 2A11E131508311ABEA21A778EC09B9F37D5AF80334F008B18F1A5E62D4DB39D9858B96
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: __wcstoi64
              • String ID: %s (%d) %s (%d)$blksize$blksize parsed from OACK$got option=(%s) value=(%s)$requested
              • API String ID: 398114495-3145650287
              • Opcode ID: b4692bcdb8db6647b7ac53cda252c1d3d6213aa9a6133aa3c543ac3666947cf1
              • Instruction ID: e09529230b07fc7249e75050de73b0ec040232864e79db2595e000d77ba65cf8
              • Opcode Fuzzy Hash: b4692bcdb8db6647b7ac53cda252c1d3d6213aa9a6133aa3c543ac3666947cf1
              • Instruction Fuzzy Hash: 4E113B71A043025FE611EE12DC86FF77399DB81B19F440928FC88D6243F66DDA449EA2
              APIs
              • GetDC.USER32(00000000), ref: 00F4441D
              • CreateFontW.GDI32(00000014,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,01018708), ref: 00F44444
              • SelectObject.GDI32(00000000,00000000), ref: 00F44454
              • GetTextExtentPoint32W.GDI32(00000000,?,?,00000008), ref: 00F4448E
              • SelectObject.GDI32(00000000,?), ref: 00F4449A
              • DeleteObject.GDI32(00000000), ref: 00F4449D
              • ReleaseDC.USER32(00000000,00000000), ref: 00F444A6
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: Object$Select$CreateDeleteExtentFontPoint32ReleaseText
              • String ID:
              • API String ID: 518467826-0
              • Opcode ID: 95e7510706cd72c88e652e4708781d8a3f21595426a1eb17b436c54f2544e4ca
              • Instruction ID: aac67e195212f2f7ca2f9f08c6478a52682a7f86d67b8c59915072016dcb6f0c
              • Opcode Fuzzy Hash: 95e7510706cd72c88e652e4708781d8a3f21595426a1eb17b436c54f2544e4ca
              • Instruction Fuzzy Hash: 57115E31144201ABC711DF549C85FAB7BA5EB89711F054429F98586204D73AA519CBB1
              APIs
              • FindMITargetTypeInstance.LIBCMT ref: 00FFA3EF
                • Part of subcall function 00FFA13B: PMDtoOffset.LIBCMT ref: 00FFA1CB
              • FindVITargetTypeInstance.LIBCMT ref: 00FFA3F6
              • PMDtoOffset.LIBCMT ref: 00FFA406
              • std::bad_exception::bad_exception.LIBCMT ref: 00FFA42C
              • __CxxThrowException@8.LIBCMT ref: 00FFA43A
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: FindInstanceOffsetTargetType$Exception@8Throwstd::bad_exception::bad_exception
              • String ID: Bad dynamic_cast!
              • API String ID: 3308565544-2956939130
              • Opcode ID: 36527a05574329f61a04614f31670203b3dd12199ec91c406b796b4a16ccd89b
              • Instruction ID: eb39197076780f91310257799ff805f0a5ca332f3436d8a67991b12d075c368b
              • Opcode Fuzzy Hash: 36527a05574329f61a04614f31670203b3dd12199ec91c406b796b4a16ccd89b
              • Instruction Fuzzy Hash: 3611D5B2A002189FCB04EF74CC42BBE77B5AF44721F144059F609A7262EB39D941AB52
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: _sprintf$__floor_pentium4
              • String ID: %.0f$%lf
              • API String ID: 175470247-628172926
              • Opcode ID: 265fa272b820e4591ed472b12e4966ebe7441752e13081294f036852a50bb1c7
              • Instruction ID: dcb226c758ed7a2af3b75e9e4792d243691100f62d36de9ef3bbcf0903a6ef0c
              • Opcode Fuzzy Hash: 265fa272b820e4591ed472b12e4966ebe7441752e13081294f036852a50bb1c7
              • Instruction Fuzzy Hash: 37112C71E0092153D7117E5CEE0A2AA7A60FF01781FC50ED5F9D455296FA3A452C4BC7
              APIs
              • GetClipBox.GDI32(?,?), ref: 00F70A6C
              • CreateRectRgnIndirect.GDI32(?), ref: 00F70A7D
              • CreateRectRgnIndirect.GDI32(?), ref: 00F70A87
              • CreateRoundRectRgn.GDI32(?,?,?,?,?,?), ref: 00F70AAC
              • CombineRgn.GDI32(?,?,00000000,00000001), ref: 00F70ABC
              • ExtSelectClipRgn.GDI32(?,?,00000001), ref: 00F70AC9
              • DeleteObject.GDI32(00000000), ref: 00F70AEE
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: CreateRect$ClipIndirect$CombineDeleteObjectRoundSelect
              • String ID:
              • API String ID: 2381484079-0
              • Opcode ID: 8b2a79a0897ccdc27766e70f26e13650400ec9f6e6658e7cd42429db75b9d991
              • Instruction ID: dae1cd8c780245e3d5db08bbf29cbd914547653f4c5cfe32a01172fa08d19243
              • Opcode Fuzzy Hash: 8b2a79a0897ccdc27766e70f26e13650400ec9f6e6658e7cd42429db75b9d991
              • Instruction Fuzzy Hash: CA21C0B4508700AFD325DF69D98496BBBF9FB88700F008A1DF98AC3214D776E9448F62
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: _sprintf
              • String ID: %lld$%llu
              • API String ID: 1467051239-2099202303
              • Opcode ID: 4fd795b2fe63c65c027c410ec324753811d2c543fe9e1bfec613db4dea8e172a
              • Instruction ID: ef6aa32dc90012c3742c735b948080374d1be88d8fe999ec2e420b6e0ff13e7d
              • Opcode Fuzzy Hash: 4fd795b2fe63c65c027c410ec324753811d2c543fe9e1bfec613db4dea8e172a
              • Instruction Fuzzy Hash: 5601F560F40B04D6BD26B9ADBC8693E315BCBC1F71B5C032DF8208A3D5E6559E416327
              APIs
              • CreatePen.GDI32(?,?,?), ref: 00F74138
              • SelectObject.GDI32(?,00000000), ref: 00F74148
              • GetStockObject.GDI32(00000005), ref: 00F74150
              • SelectObject.GDI32(?,00000000), ref: 00F74158
              • Rectangle.GDI32(?,?,?,?,?), ref: 00F7416A
              • SelectObject.GDI32(?,?), ref: 00F74176
              • DeleteObject.GDI32(00000000), ref: 00F74179
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: Object$Select$CreateDeleteRectangleStock
              • String ID:
              • API String ID: 2689421921-0
              • Opcode ID: ef6f275079df2addd82fc0ff9e147e635e11a6715225ad099a8c7e670a01e92b
              • Instruction ID: d2d442830a6e7839a15894891987b7354154dcbad7ff3829658706cea27aca63
              • Opcode Fuzzy Hash: ef6f275079df2addd82fc0ff9e147e635e11a6715225ad099a8c7e670a01e92b
              • Instruction Fuzzy Hash: 460186B45002007FE215DB25DC88C3BB7FEEBC9612B00C61DF98682645DB7AE8419B31
              APIs
              • std::_String_base::_Xlen.LIBCPMT ref: 00F122C8
              • _memmove_s.LIBCMT ref: 00F1234F
              • _memcpy_s.LIBCMT ref: 00F12384
                • Part of subcall function 00FDA084: __EH_prolog3.LIBCMT ref: 00FDA08B
                • Part of subcall function 00FDA084: __CxxThrowException@8.LIBCMT ref: 00FDA0B6
              • _memmove_s.LIBCMT ref: 00F123C3
              • _memmove_s.LIBCMT ref: 00F12453
              • _memmove_s.LIBCMT ref: 00F12481
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: _memmove_s$Exception@8H_prolog3String_base::_ThrowXlen_memcpy_sstd::_
              • String ID:
              • API String ID: 3227841680-0
              • Opcode ID: a5e64057cd0c634ee189a8e3185c677f7be18b40037446ea06c33f1560c36865
              • Instruction ID: 843eeb84b33ae59b25dc30c434b2a74c88831f24f6e3fe30fff450eb3bb2e332
              • Opcode Fuzzy Hash: a5e64057cd0c634ee189a8e3185c677f7be18b40037446ea06c33f1560c36865
              • Instruction Fuzzy Hash: 10719F716042058F8708CFA8C9808AEB7E6FFC4754F244A2DE456C7345DB34EE65EB95
              Strings
              • GSSAPI handshake failure (invalid security layer), xrefs: 00FD8C22
              • GSSAPI handshake failure (invalid security data), xrefs: 00FD8BC8
              • GSSAPI handshake failure (empty security message), xrefs: 00FD8AA8, 00FD8B96
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID:
              • String ID: GSSAPI handshake failure (empty security message)$GSSAPI handshake failure (invalid security data)$GSSAPI handshake failure (invalid security layer)
              • API String ID: 0-242323837
              • Opcode ID: 9819995ea9e41e9ce23d56683fbd90c83d91f997c3f005c7d8bcd605a2c31bac
              • Instruction ID: e74cd9194cd97cc7448f3a076f808ce39d35a7f0e7d3cf58832d376cf32119d9
              • Opcode Fuzzy Hash: 9819995ea9e41e9ce23d56683fbd90c83d91f997c3f005c7d8bcd605a2c31bac
              • Instruction Fuzzy Hash: 8ED17DB55043019FC324DB68E894B9BFBE9BFC8354F14491AF58987300DB3AE946CB92
              Strings
              • Request has same path as previous transfer, xrefs: 00FBB66F
              • Uploading to a URL without a file name!, xrefs: 00FBB5C4
              • no memory, xrefs: 00FBB491
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: _strncmp_strrchr
              • String ID: Request has same path as previous transfer$Uploading to a URL without a file name!$no memory
              • API String ID: 2449643776-2111548750
              • Opcode ID: eb6fd737cda5a42fb95380256ca0c8a1bff800fa0e187f239816f9ffd09d262e
              • Instruction ID: 62497c34ef314b0b2a0b48e4f49bde74641cf34da36a6b54da9b19c827b37fc8
              • Opcode Fuzzy Hash: eb6fd737cda5a42fb95380256ca0c8a1bff800fa0e187f239816f9ffd09d262e
              • Instruction Fuzzy Hash: CFC1F071A043018FC720DF2ADC80BA677E6FF85320F18452CE9868B245EBB6E909DF51
              APIs
              • GlobalAlloc.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00F825CD,00000000), ref: 00F82609
              • GlobalLock.KERNEL32(00000000,?,00F825CD,00000000), ref: 00F82612
              • CreateStreamOnHGlobal.OLE32 ref: 00F82637
              • GdipAlloc.GDIPLUS(00000010), ref: 00F82643
              • GdipLoadImageFromStream.GDIPLUS(00000000,00000004,00000010), ref: 00F8265F
              • GlobalUnlock.KERNEL32(00000000), ref: 00F82688
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: Global$AllocGdipStream$CreateFromImageLoadLockUnlock
              • String ID:
              • API String ID: 1747925419-0
              • Opcode ID: e18ba1e529d8ab625c2e8c1e1922545b0b72cb929e2879027a32b769d054e2b1
              • Instruction ID: 4e96aea22583e844c75b951be7175ae264e1fe30e26130fccf0ae1828119c136
              • Opcode Fuzzy Hash: e18ba1e529d8ab625c2e8c1e1922545b0b72cb929e2879027a32b769d054e2b1
              • Instruction Fuzzy Hash: D6118EB6204200AFE2209B55EC88B6BF7ECEF84761F10851EF649C7250E7B69800CBA1
              APIs
              • CreatePenIndirect.GDI32(?), ref: 00F740B9
              • SelectObject.GDI32(?,00000000), ref: 00F740C9
              • MoveToEx.GDI32(?,00000000,?,?), ref: 00F740E6
              • LineTo.GDI32(?,?,?), ref: 00F740F5
              • SelectObject.GDI32(?,?), ref: 00F74101
              • DeleteObject.GDI32(00000000), ref: 00F74104
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: Object$Select$CreateDeleteIndirectLineMove
              • String ID:
              • API String ID: 191790629-0
              • Opcode ID: 0daff17e1bc81a006bf18b883e516831d8636d21ba32707fe2aca8536a99edf0
              • Instruction ID: 14ea35d6db85078cd36f9211eb40b686db4deb4b6a9430265acecba441b2694f
              • Opcode Fuzzy Hash: 0daff17e1bc81a006bf18b883e516831d8636d21ba32707fe2aca8536a99edf0
              • Instruction Fuzzy Hash: 0F115BB4504301AF9305DF29D88487BBBE9EBCC611F408A1DF8DAC3205DB39E9569F62
              APIs
              • __CreateFrameInfo.LIBCMT ref: 00FE3500
                • Part of subcall function 00FE2A78: __getptd.LIBCMT ref: 00FE2A86
                • Part of subcall function 00FE2A78: __getptd.LIBCMT ref: 00FE2A94
              • __getptd.LIBCMT ref: 00FE350A
                • Part of subcall function 00FE5938: __getptd_noexit.LIBCMT ref: 00FE593B
                • Part of subcall function 00FE5938: __amsg_exit.LIBCMT ref: 00FE5948
              • __getptd.LIBCMT ref: 00FE3518
              • __getptd.LIBCMT ref: 00FE3526
              • __getptd.LIBCMT ref: 00FE3531
              • _CallCatchBlock2.LIBCMT ref: 00FE3557
                • Part of subcall function 00FE2B1D: __CallSettingFrame@12.LIBCMT ref: 00FE2B69
                • Part of subcall function 00FE35FE: __getptd.LIBCMT ref: 00FE360D
                • Part of subcall function 00FE35FE: __getptd.LIBCMT ref: 00FE361B
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
              • String ID:
              • API String ID: 1602911419-0
              • Opcode ID: 01f9273c1e752075a77bd985d297317fc27766dabb1430974e6391f25ece5a78
              • Instruction ID: b1134464fdde0b51307aa4237c0353445699eccd11a164b759086ea24ff91869
              • Opcode Fuzzy Hash: 01f9273c1e752075a77bd985d297317fc27766dabb1430974e6391f25ece5a78
              • Instruction Fuzzy Hash: 8511C6B1D01249DFDB00EFA5C846AED7BB0FF08715F50806AF854AB352DB389A51AF54
              APIs
              • GetDC.USER32(00000000), ref: 00F80DE9
              • GetDeviceCaps.GDI32(00000000,00000058), ref: 00F80DFA
              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F80E03
              • ReleaseDC.USER32(00000000,00000000), ref: 00F80E0A
              • MulDiv.KERNEL32(000009EC,?,?), ref: 00F80E23
              • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00F80E31
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: CapsDevice$Release
              • String ID:
              • API String ID: 1035833867-0
              • Opcode ID: 02a13ed2e1459db4d980cc7c3940f60bb63d93d633cba36de94bc00907dbc062
              • Instruction ID: 918d252e59b7d79e3a62d0df484aea4b0bbf1ca146ae6402f4d6b5259466a69f
              • Opcode Fuzzy Hash: 02a13ed2e1459db4d980cc7c3940f60bb63d93d633cba36de94bc00907dbc062
              • Instruction Fuzzy Hash: 15F090B1640314AFE310DBA1CC46F1BBFADEB49751F018015FA4087280DB77A8108BA1
              Strings
              • Trying %s..., xrefs: 00FAE405
              • sa_addr inet_ntop() failed with errno %d: %s, xrefs: 00FAE3DF
              • Immediate connect fail for %s: %s, xrefs: 00FAE5FC
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID:
              • String ID: Trying %s...$Immediate connect fail for %s: %s$sa_addr inet_ntop() failed with errno %d: %s
              • API String ID: 0-3338264681
              • Opcode ID: 47cb5c3aff3eb733cb310cb919566d362cfe0c699a530b8111488a40237c67b3
              • Instruction ID: 0ad9eeb041086fa32715dbde56e8ac7e82c9cecec85581e0838a043c755252a7
              • Opcode Fuzzy Hash: 47cb5c3aff3eb733cb310cb919566d362cfe0c699a530b8111488a40237c67b3
              • Instruction Fuzzy Hash: 7091EAB19043409FD720EF24DC42BAF73D9AF99314F44492EF94987242EB799944DBA3
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: _memcpy_s
              • String ID: false$true$visible
              • API String ID: 2001391462-2506262893
              • Opcode ID: d665033a87ef6eff4696a8a779e6ce35b4850f307c842cfc8debfce5dbf13efa
              • Instruction ID: 9864fb1dd68bf9f380690b28c3211267c06ac1233be70995596989348cafd816
              • Opcode Fuzzy Hash: d665033a87ef6eff4696a8a779e6ce35b4850f307c842cfc8debfce5dbf13efa
              • Instruction Fuzzy Hash: 3D913AB1908780DBD330DF2AC881A5BFBE5BF94710F448A1EE48987711D775A948CB93
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: _memcpy_s
              • String ID: false$true$visible
              • API String ID: 2001391462-2506262893
              • Opcode ID: 291badb6312c1d9da63db1babf92bc119ba966f8454d316d000e889b9224647c
              • Instruction ID: fae4d9c154ed4284e76d38de4130157ba88ba7fb964015e328f0e7b834dff481
              • Opcode Fuzzy Hash: 291badb6312c1d9da63db1babf92bc119ba966f8454d316d000e889b9224647c
              • Instruction Fuzzy Hash: 42914A719087809BD330DF2AC882A5BFBF5BF94710F448A1EE48A87721D775A944CB93
              APIs
              • __wcsicoll.LIBCMT ref: 00F53093
              • _memset.LIBCMT ref: 00F533AE
                • Part of subcall function 00FDB3B2: _malloc.LIBCMT ref: 00FDB3CC
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: __wcsicoll_malloc_memset
              • String ID: ChildLayout$cover$true
              • API String ID: 773177119-1244660982
              • Opcode ID: 19b91dc77e054871dbd79b95e6100eeac8f0db237bf824b252a079cf4385a19b
              • Instruction ID: 06ba1b37be6d49ea3fa0ee12b578fcfd0a18f86752ec42e160cbc71dca50cbdd
              • Opcode Fuzzy Hash: 19b91dc77e054871dbd79b95e6100eeac8f0db237bf824b252a079cf4385a19b
              • Instruction Fuzzy Hash: D271A3316042429BDB20DF58C881B6EB3E5BFC8395F54052DEE8987241EB35DE49EB82
              APIs
              • WSASetLastError.WS2_32(?), ref: 00FAEADD
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FAEBA6
              Strings
              • After %ldms connect time, move on!, xrefs: 00FAEA22
              • connect to %s port %ld failed: %s, xrefs: 00FAEB14
              • L', xrefs: 00FAEA30
              • Failed to connect to %s port %ld: %s, xrefs: 00FAED1E
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: ErrorLastUnothrow_t@std@@@__ehfuncinfo$??2@
              • String ID: After %ldms connect time, move on!$Failed to connect to %s port %ld: %s$L'$connect to %s port %ld failed: %s
              • API String ID: 4282017882-3625044609
              • Opcode ID: 399adb0f4e180356eda6f0d038ebd364367adcd7615fdbe09d7b876470262be3
              • Instruction ID: d37336efc3deeb6c536898583de583e0f7cc3aa39dd5129809e82231fb874aa2
              • Opcode Fuzzy Hash: 399adb0f4e180356eda6f0d038ebd364367adcd7615fdbe09d7b876470262be3
              • Instruction Fuzzy Hash: E0716CB4A047019FD728DF28C885A6AF7E5FF89720F148A2DF85887351E734E950DB92
              APIs
              • WSASetLastError.WS2_32(?), ref: 00FAEADD
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FAEBA6
              Strings
              • After %ldms connect time, move on!, xrefs: 00FAEA22
              • connect to %s port %ld failed: %s, xrefs: 00FAEB14
              • L', xrefs: 00FAEA30
              • Failed to connect to %s port %ld: %s, xrefs: 00FAED1E
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: ErrorLastUnothrow_t@std@@@__ehfuncinfo$??2@
              • String ID: After %ldms connect time, move on!$Failed to connect to %s port %ld: %s$L'$connect to %s port %ld failed: %s
              • API String ID: 4282017882-3625044609
              • Opcode ID: 654bc6d0d876242ce2185693f2ebe1c928fa366ce57065467ccb91128892788f
              • Instruction ID: fa1d8761d7185d61b5f0348b85d7d9d2f310224658ebbe58bc8a3e195e344a45
              • Opcode Fuzzy Hash: 654bc6d0d876242ce2185693f2ebe1c928fa366ce57065467ccb91128892788f
              • Instruction Fuzzy Hash: D2718BB4A047019FD718DF28C885A6AF7E5FF89320F148A2DF85887351E734E950DB92
              APIs
              • _memset.LIBCMT ref: 00F2D39C
              • lstrlenA.KERNEL32(?,?,?,8F2D4ADD), ref: 00F2D3B3
              • KillTimer.USER32(?,?,00000000,8F2D4ADD), ref: 00F2D4BE
              • KillTimer.USER32(?,00000015), ref: 00F2D4C6
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: KillTimer$_memsetlstrlen
              • String ID: receivedAdUrl
              • API String ID: 1213864165-2842485071
              • Opcode ID: 28aab179f0e70d3e9e60512e531a3a4d7d91479192dd6ab4db62de31531cc547
              • Instruction ID: 64f965a087b2bd34c425b0fb7cbcaa2ca6f954ba2c56db58aeeed9a54150367c
              • Opcode Fuzzy Hash: 28aab179f0e70d3e9e60512e531a3a4d7d91479192dd6ab4db62de31531cc547
              • Instruction Fuzzy Hash: 9C5129B2900258AFDF20EFA4DC81BEE73B8BF48310F544569F605A7241DB78AE85D761
              APIs
              • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00F40343
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: ExecuteShell
              • String ID: H4f$ProductLicenseUrl$ProductPrivacyUrl$open
              • API String ID: 587946157-3632432762
              • Opcode ID: 99759e3041eb072b694ab254892416577e557c6c5bb4e46ff1dfc4d15a1099dd
              • Instruction ID: 0e329c02d79b22df3e486ccf7645ed6b22f1156844eb71b67531b492db6d938e
              • Opcode Fuzzy Hash: 99759e3041eb072b694ab254892416577e557c6c5bb4e46ff1dfc4d15a1099dd
              • Instruction Fuzzy Hash: A451D0B19083809FD720DF64C885B6BBFE9AB84314F54492DF59887381DB7AD848CB93
              APIs
              • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00F3F9C5
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: ExecuteShell
              • String ID: H4f$ProductLicenseUrl$ProductPrivacyUrl$open
              • API String ID: 587946157-3632432762
              • Opcode ID: b564eff52430b8a0f7b8f9e3f0c2e6cdba0d06753330c172e5f9a0446256498b
              • Instruction ID: 97f1cbd981764b45976bd8438b056061dd784319e1b855b335ba6b1955d7d6ab
              • Opcode Fuzzy Hash: b564eff52430b8a0f7b8f9e3f0c2e6cdba0d06753330c172e5f9a0446256498b
              • Instruction Fuzzy Hash: A251D0B19083C0AFD720DF28C885B5BBBE9AB94324F54492DF49987381D779D848CB93
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: __wcstoi64
              • String ID: childvpadding$columns$itemsize
              • API String ID: 398114495-1858099967
              • Opcode ID: 0ba8e2a1b6483425cad543f543ae2cdb25a6f488b752d3ce0e0cbac2ff4aa634
              • Instruction ID: f4f015e199f3dbfa4a683b59cd1e77ee430de992c42ba2fbe3c42b0ccedd6954
              • Opcode Fuzzy Hash: 0ba8e2a1b6483425cad543f543ae2cdb25a6f488b752d3ce0e0cbac2ff4aa634
              • Instruction Fuzzy Hash: 6E411993B0010157DB20BF28DC419FAB396EBB5B30F84463AF945CB285E622DD44E352
              APIs
              • PostMessageW.USER32(?,00000010,00000008,00000000), ref: 00F14927
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: MessagePost
              • String ID: btn_ClosePic$btn_close$btn_ok$click
              • API String ID: 410705778-604021180
              • Opcode ID: 28c1a3a1b6dea339484c04b822b51586c7027ec0751935a253d06eecd2b8b98a
              • Instruction ID: a0d2135f2a24c4257b32b061ddb87937f5e3d7b088ad46529e27b8109c51fda9
              • Opcode Fuzzy Hash: 28c1a3a1b6dea339484c04b822b51586c7027ec0751935a253d06eecd2b8b98a
              • Instruction Fuzzy Hash: 7931F471A102429AE624AF24C801BF673A6BFB4B74F844628E585DB2D4E733FCC0E300
              APIs
              • CreateThread.KERNEL32(00000000,00000000,00F35730,00000000,00000000,00000000), ref: 00F3569D
              • CloseHandle.KERNEL32(00000000,?,00F21C99), ref: 00F356A8
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: CloseCreateHandleThread
              • String ID: load h5 FindControl$load h5 SetWebBrowserEventHandler$load h5 end
              • API String ID: 3032276028-2305745512
              • Opcode ID: 3a6965f0b0bc4dc3071ee254b401f4a2949779ed576e2ffd94fd9c696545fb53
              • Instruction ID: e471eaf1ec8a9893517e61acf424db33c6c04c487698eabd0c9f6f259cb01670
              • Opcode Fuzzy Hash: 3a6965f0b0bc4dc3071ee254b401f4a2949779ed576e2ffd94fd9c696545fb53
              • Instruction Fuzzy Hash: B731B1B1908740AFE610EB24CC46B5B77E4BFC0B24F40492CF49686280E779E104DF97
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: Monitor$FromInfoOffsetRectWindowZoomed
              • String ID: (
              • API String ID: 1941046686-3887548279
              • Opcode ID: dcf9ae1819b74b88dfda9d51d98dea4392d777ab6052159152072cfe6de47711
              • Instruction ID: 8df8292c7c66be6b4509905c94ab62dadf09cc865c9414339c8a7bc488fe4f81
              • Opcode Fuzzy Hash: dcf9ae1819b74b88dfda9d51d98dea4392d777ab6052159152072cfe6de47711
              • Instruction Fuzzy Hash: 7721C2B59083019FC354CF68D584A1BBBE9BB88310F008A2EF899C3351EB35D914CF96
              APIs
              • setsockopt.WS2_32(?,0000FFFF,00000008,00000004,00000004), ref: 00FAD651
              • WSAIoctl.WS2_32(?,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 00FAD6C7
              • WSAGetLastError.WS2_32(?,?), ref: 00FAD6D1
              Strings
              • Failed to set SIO_KEEPALIVE_VALS on fd %d: %d, xrefs: 00FAD6D9
              • Failed to set SO_KEEPALIVE on fd %d, xrefs: 00FAD65C
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: ErrorIoctlLastsetsockopt
              • String ID: Failed to set SIO_KEEPALIVE_VALS on fd %d: %d$Failed to set SO_KEEPALIVE on fd %d
              • API String ID: 1819429192-277924715
              • Opcode ID: f928c6fc2807f99619be029aee2af142a1f61a665656e6f637e5d60458a274e1
              • Instruction ID: 781db8188114b4d63aafd8a9e7aae07779e8c6152df786e19ed87a5c5e231366
              • Opcode Fuzzy Hash: f928c6fc2807f99619be029aee2af142a1f61a665656e6f637e5d60458a274e1
              • Instruction Fuzzy Hash: 5611A7F0D44700AFE350AF359C06F1B76E8BF85B00F44892CB64DD61C5FA7996049B66
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e45f4219e71d25050929f85fd50689448d533c19a058c3f42da1df0faefec3aa
              • Instruction ID: f0b35b350909f531621ac4f538b176deca015773534577d94d9c4ea6ad6d83ec
              • Opcode Fuzzy Hash: e45f4219e71d25050929f85fd50689448d533c19a058c3f42da1df0faefec3aa
              • Instruction Fuzzy Hash: DDA1C4B1A083418FC734DF68C88066EF7E5EFC5360F148A2EE499C7250EBB5D9469B42
              APIs
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: _fgetc$_ungetc
              • String ID:
              • API String ID: 1266601628-0
              • Opcode ID: 013c416185d509c2390c6ba62f34b5dd52a433ce836ea21a280326ed883bd7c4
              • Instruction ID: 19d9e445d11bdbffc8935dec692dbb3616b3e6a4c79a70ecd092c02e3047ecf0
              • Opcode Fuzzy Hash: 013c416185d509c2390c6ba62f34b5dd52a433ce836ea21a280326ed883bd7c4
              • Instruction Fuzzy Hash: A1A1C231A093618FC714DF28D88096EB3E6FF857A4F544A1DF49187281DB35EC46EB92
              APIs
                • Part of subcall function 00F4F730: GetWindowRect.USER32(?,?), ref: 00F4F754
                • Part of subcall function 00F4F730: ScreenToClient.USER32(?,?), ref: 00F4F76C
                • Part of subcall function 00F4F730: ScreenToClient.USER32(?,?), ref: 00F4F77A
              • CallWindowProcW.USER32(?,?,?,?,?), ref: 00F82F57
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: ClientScreenWindow$CallProcRect
              • String ID:
              • API String ID: 364371123-0
              • Opcode ID: 8ba3b717d3f25bf3b1f3b44a6e7dafca54d53b7e5b9112881751ec801750b56d
              • Instruction ID: 608df94276d080965c46f81a0e54302ef67a271f6d8741c6f8dc88720e1fd7c2
              • Opcode Fuzzy Hash: 8ba3b717d3f25bf3b1f3b44a6e7dafca54d53b7e5b9112881751ec801750b56d
              • Instruction Fuzzy Hash: 38419376700200AFCB24DF59DCC4EAAB76AEB88721F154599FD088B385CA76EC50C7A0
              APIs
              • GetWindowDC.USER32(00000000), ref: 00F35983
              • SelectObject.GDI32(00000000,00000000), ref: 00F359AE
              • GetTextExtentPointW.GDI32(00000000,?,?,8F2D4ADD), ref: 00F359DD
              • DeleteObject.GDI32(00000000), ref: 00F359E4
              • ReleaseDC.USER32(00000000,00000000), ref: 00F359EF
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: Object$DeleteExtentPointReleaseSelectTextWindow
              • String ID:
              • API String ID: 344252577-0
              • Opcode ID: eaf1ecee85966ca5438f01a2883c9c997b4dcabebad93f0135b90c3fdf3126b8
              • Instruction ID: 054cc1dad362d8d7164677501e6971c7374cb9bec837f0680f31e0dcdfe4ff9f
              • Opcode Fuzzy Hash: eaf1ecee85966ca5438f01a2883c9c997b4dcabebad93f0135b90c3fdf3126b8
              • Instruction Fuzzy Hash: C4419D71504741DFDB31DB24C885FABB3E9BF88714F004A1DE58D97241DB39A948DBA2
              APIs
                • Part of subcall function 00F96980: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F96A11
                • Part of subcall function 00F12580: _memcpy_s.LIBCMT ref: 00F125FD
              • Sleep.KERNEL32(?), ref: 00F2591F
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: Ios_base_dtorSleep_memcpy_sstd::ios_base::_
              • String ID: progressValue$slrProgress$text$value
              • API String ID: 421451183-1230163402
              • Opcode ID: 57fb7e4bc13627b9b593316d850bc3cb374466612884288222f76b416ab3336b
              • Instruction ID: 771103fb91f12b8ca796a49902ab98b80419979a2284cd99d203a08afcb62b49
              • Opcode Fuzzy Hash: 57fb7e4bc13627b9b593316d850bc3cb374466612884288222f76b416ab3336b
              • Instruction Fuzzy Hash: B3411770D01384EBDB20EF69DD4678EBBB1AF00704F14815DE8456B342DB79AA58D792
              APIs
              • SendMessageW.USER32(00000000,00000030,?,00000001), ref: 00F82C5A
              • GetLocalTime.KERNEL32(?), ref: 00F82C96
              • SendMessageW.USER32(00000000,00001002,00000000,?), ref: 00F82CB1
              • ShowWindow.USER32(00000000,00000004), ref: 00F82CB9
              • SetFocus.USER32(00000000), ref: 00F82CC3
                • Part of subcall function 00F82CE0: IntersectRect.USER32(?,?,?), ref: 00F82D68
                • Part of subcall function 00F506E0: __itow.LIBCMT ref: 00F5071D
                • Part of subcall function 00F506E0: SelectObject.GDI32(?,00000000), ref: 00F5077A
                • Part of subcall function 00F506E0: GetTextMetricsW.GDI32(?,00000090), ref: 00F50788
                • Part of subcall function 00F506E0: SelectObject.GDI32(?,?), ref: 00F5079A
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: MessageObjectSelectSend$FocusIntersectLocalMetricsRectShowTextTimeWindow__itow
              • String ID:
              • API String ID: 353493054-0
              • Opcode ID: 7d9f73196c5af7c15c1b779becc26e9a1e30182ff1ad5044924fed59954f695d
              • Instruction ID: 21ede7c5443c13f624b134314b1890654c57a4143dd4b5ba14914af491ee665c
              • Opcode Fuzzy Hash: 7d9f73196c5af7c15c1b779becc26e9a1e30182ff1ad5044924fed59954f695d
              • Instruction Fuzzy Hash: 293129752407009FD224DF28CC85F2BB3E6ABC8710F108918F59597391DB7AF809CBA4
              APIs
                • Part of subcall function 00FCACC0: getaddrinfo.WS2_32(?,?,?,?), ref: 00FCACE7
                • Part of subcall function 00FCACC0: freeaddrinfo.WS2_32(?), ref: 00FCAE19
              • WSAGetLastError.WS2_32 ref: 00FA25F3
              • WSAGetLastError.WS2_32 ref: 00FA25F9
              • EnterCriticalSection.KERNEL32(00000000), ref: 00FA2611
              • LeaveCriticalSection.KERNEL32 ref: 00FA2620
              • LeaveCriticalSection.KERNEL32 ref: 00FA2641
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: CriticalSection$ErrorLastLeave$Enterfreeaddrinfogetaddrinfo
              • String ID:
              • API String ID: 4097228590-0
              • Opcode ID: 3d87713b8d70c042324505cd96bc37c949394fff961bd8a7567965bd09bdabe0
              • Instruction ID: 879125fe307a624330c9c031b61932baf6b6cfef3eee41f146fc0715bdfbd5d7
              • Opcode Fuzzy Hash: 3d87713b8d70c042324505cd96bc37c949394fff961bd8a7567965bd09bdabe0
              • Instruction Fuzzy Hash: DC21ACB16007019FD320EF69C985E57B7E9AF88314F00891DF88683644EB3AE844DB61
              APIs
              • ____lc_handle_func.LIBCMT ref: 00FDA0CA
                • Part of subcall function 00FE3007: __getptd.LIBCMT ref: 00FE3007
              • ____lc_codepage_func.LIBCMT ref: 00FDA0D2
                • Part of subcall function 00FE2FE1: __getptd.LIBCMT ref: 00FE2FE1
              • __GetLocaleForCP.LIBCPMT ref: 00FDA101
                • Part of subcall function 00FDA8E1: __malloc_crt.LIBCMT ref: 00FDA91F
                • Part of subcall function 00FDA8E1: __CreateLocForCP.LIBCPMT ref: 00FDA92F
                • Part of subcall function 00FDA8E1: InterlockedCompareExchange.KERNEL32(00F1F396,00000000,00000000), ref: 00FDA946
              • ____mb_cur_max_l_func.LIBCMT ref: 00FDA10E
                • Part of subcall function 00FE2FC5: __getptd.LIBCMT ref: 00FE2F9C
              • WideCharToMultiByte.KERNEL32(00000000,00000000,000000FF,00000001,?,00000000,00000000,00000000,00000000,?,00000000,-00000050,01028E9C,-00000028,invalid string position,00000044), ref: 00FDA121
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: __getptd$ByteCharCompareCreateExchangeInterlockedLocaleMultiWide____lc_codepage_func____lc_handle_func____mb_cur_max_l_func__malloc_crt
              • String ID:
              • API String ID: 4077685425-0
              • Opcode ID: 0d4e2e285f07a43c935a29d47a7ed90cc12e7ca8853eb8ea1cf19e60bf5f5582
              • Instruction ID: 8ade8a903bbb3f4ec0fee506e117d005ba39dcfc6d03a14c3ddfa5c88447f1a1
              • Opcode Fuzzy Hash: 0d4e2e285f07a43c935a29d47a7ed90cc12e7ca8853eb8ea1cf19e60bf5f5582
              • Instruction Fuzzy Hash: F7010432600245AFDB216F24DC09FBA376ADB41770F194026FD049B291EA75EC42EB66
              APIs
              • __getptd.LIBCMT ref: 00FEA05F
                • Part of subcall function 00FE5938: __getptd_noexit.LIBCMT ref: 00FE593B
                • Part of subcall function 00FE5938: __amsg_exit.LIBCMT ref: 00FE5948
              • __amsg_exit.LIBCMT ref: 00FEA07F
              • __lock.LIBCMT ref: 00FEA08F
              • InterlockedDecrement.KERNEL32(?), ref: 00FEA0AC
              • InterlockedIncrement.KERNEL32(006617F0), ref: 00FEA0D7
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
              • String ID:
              • API String ID: 4271482742-0
              • Opcode ID: e7c16a39b8cfd04113606703cfa4eaac5459979b256a6261d1f8932abd6cdeba
              • Instruction ID: aa2d7f9dde4e625e1923cccf9bac7e0809777e71d2557ff7b1435178bcf29c99
              • Opcode Fuzzy Hash: e7c16a39b8cfd04113606703cfa4eaac5459979b256a6261d1f8932abd6cdeba
              • Instruction Fuzzy Hash: 7901C032D41B61EBD721AB66984A75E77A0BF00B31F044149F950AB2C4C73D7981FBD2
              APIs
              • lstrlenW.KERNEL32(?), ref: 00F96D5D
              • WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,?,00000000,00000000), ref: 00F96D8E
              • Sleep.KERNEL32(00000064), ref: 00F96ECB
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: ByteCharMultiSleepWidelstrlen
              • String ID: iTry=%d,lastCode=%d
              • API String ID: 2904403760-260061475
              • Opcode ID: 0bf17ac87defaf7cf6eb1bd8b1c148266513532fcedee77ca791f6a1d44ebfac
              • Instruction ID: 0d95409c0b83379854afed95ba346e8547fc5860fcab5d685b529791ff7c9ab3
              • Opcode Fuzzy Hash: 0bf17ac87defaf7cf6eb1bd8b1c148266513532fcedee77ca791f6a1d44ebfac
              • Instruction Fuzzy Hash: 458125B1D00318ABEF11EFA4CC42BDE7775AF04704F144229F919AB281EB7DA944DB96
              APIs
                • Part of subcall function 00FDB3B2: _malloc.LIBCMT ref: 00FDB3CC
              • __wcsicoll.LIBCMT ref: 00F77589
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: __wcsicoll_malloc
              • String ID: TreeNode$align$left
              • API String ID: 3412207354-2292253626
              • Opcode ID: ff52d0a92228521d6f15d2acea597da19161b36faa9b87603b2336631abbe6e5
              • Instruction ID: 154f734cf158643a37f2b5ecb2c2a3b9b8104939224e51d1af6a35b33626f36f
              • Opcode Fuzzy Hash: ff52d0a92228521d6f15d2acea597da19161b36faa9b87603b2336631abbe6e5
              • Instruction Fuzzy Hash: 2891AC757057429FD304EF38C880B96FBE2BF98704F0446AEE49C97351DB36A8649B92
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: _memset_sprintf
              • String ID: %lld-%lld$curl_easy_perform Code:%d
              • API String ID: 1557529856-2717882131
              • Opcode ID: 38751920830aaa25645f0d785e4535a153babb4bd8ba36847164f43bb9cd62bf
              • Instruction ID: e4feaae2da689d2b3895cc885acc31187abb34124b16127825a867fd33320af9
              • Opcode Fuzzy Hash: 38751920830aaa25645f0d785e4535a153babb4bd8ba36847164f43bb9cd62bf
              • Instruction Fuzzy Hash: DC512F71A00600ABFB14EF18DC42F5BB365BF45314F044229F5089B282DB75ED65DBE6
              APIs
                • Part of subcall function 00FA5D60: __time64.LIBCMT ref: 00FA5D69
              • _fputs.LIBCMT ref: 00FA6D69
                • Part of subcall function 00FDD02A: __fsopen.LIBCMT ref: 00FDD037
              Strings
              • # Netscape HTTP Cookie File# https://curl.haxx.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk., xrefs: 00FA6D64
              • ## Fatal libcurl error, xrefs: 00FA6E36
              • %s, xrefs: 00FA6DC5
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
              • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: __fsopen__time64_fputs
              • String ID: ## Fatal libcurl error$# Netscape HTTP Cookie File# https://curl.haxx.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk.$%s
              • API String ID: 601048091-1525338603
              • Opcode ID: b011abe6c98ef231865f6e6cc5f5a49da01b8a988dff2e55103b60030b8a685c
              • Instruction ID: 26b1d928355bbdde49896636bf497d0e52a56b657bda54262389b7f7b2e8aa8d
              • Opcode Fuzzy Hash: b011abe6c98ef231865f6e6cc5f5a49da01b8a988dff2e55103b60030b8a685c
              • Instruction Fuzzy Hash: 18415DB2B002015BD7206A78FC857A7B799EF42375F4C0039FD85C6201EB6EED4996A2
              APIs
              • recvfrom.WS2_32(?,?,?,00000000,?), ref: 00FB662F
              Strings
              • Internal error: Unexpected packet, xrefs: 00FB67B7
              • Received too short packet, xrefs: 00FB6672
              • TFTP error: %s, xrefs: 00FB6762
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: recvfrom
              • String ID: Internal error: Unexpected packet$Received too short packet$TFTP error: %s
              • API String ID: 846543921-477593554
              • Opcode ID: 138f4ee88b2fafb67b28f5dc385a4cc4690edae8713fed88fc648e444443d810
              • Instruction ID: c4bdb34bc591d5eb8a5e502ceaa1727ccdf5d439e514f081025d6fb3217f6551
              • Opcode Fuzzy Hash: 138f4ee88b2fafb67b28f5dc385a4cc4690edae8713fed88fc648e444443d810
              • Instruction Fuzzy Hash: 1851D4B16002009BD710DF26DC81BAB73A5EB84718F54822DF94DCF246EB3DE9059FA1
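The error strings here ("Received too short packet", "TFTP error: %s", "Internal error: Unexpected packet") are libcurl's TFTP receive path, so their presence reflects the protocol set compiled into the libcurl linked into EDownloader.exe rather than evidence that the downloader itself speaks TFTP. The checks those strings correspond to are shown below as an added example (not code from the sample or from libcurl): a 4-byte minimum before any header field of a DATA, ACK or ERROR packet is read, bounded extraction of an ERROR packet's message even when the wire NUL terminator is missing, and rejection of any other opcode. The datagrams are constructed, not captured from the analysis.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TFTP opcodes (RFC 1350, plus OACK from RFC 2347). */
enum { TFTP_RRQ = 1, TFTP_WRQ = 2, TFTP_DATA = 3, TFTP_ACK = 4, TFTP_ERROR = 5, TFTP_OACK = 6 };

/* Outcome of classifying one received datagram. */
enum tftp_result {
    TFTP_OK_DATA,        /* DATA packet: block, payload and final_block filled in */
    TFTP_OK_ACK,         /* ACK packet: block filled in */
    TFTP_REMOTE_ERROR,   /* ERROR packet: block holds the error code, message the text */
    TFTP_TOO_SHORT,      /* fewer than the 4-byte header */
    TFTP_UNEXPECTED      /* any other opcode at this point of a transfer */
};

struct tftp_packet {
    uint16_t opcode;
    uint16_t block;        /* DATA/ACK block number; ERROR error code */
    const uint8_t *payload;
    size_t payload_len;    /* DATA: fewer than 512 bytes means the final block */
    char message[128];     /* ERROR: always NUL-terminated here, truncated if needed */
    int final_block;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Classify a datagram of len bytes as returned by recvfrom(). */
enum tftp_result tftp_parse(const uint8_t *buf, size_t len, struct tftp_packet *pkt)
{
    memset(pkt, 0, sizeof *pkt);
    /* DATA, ACK and ERROR all carry a 4-byte header; anything shorter is
       rejected before a single field is read (the "Received too short packet" case). */
    if (len < 4)
        return TFTP_TOO_SHORT;

    pkt->opcode = be16(buf);
    pkt->block = be16(buf + 2);

    switch (pkt->opcode) {
    case TFTP_DATA:
        pkt->payload = buf + 4;
        pkt->payload_len = len - 4;
        pkt->final_block = pkt->payload_len < 512;
        return TFTP_OK_DATA;
    case TFTP_ACK:
        return TFTP_OK_ACK;
    case TFTP_ERROR: {
        /* The message is NUL-terminated on the wire, but a peer can omit that:
           bound the copy by the datagram length and by our own buffer. */
        const uint8_t *msg = buf + 4;
        size_t avail = len - 4;
        size_t n = 0;
        while (n < avail && msg[n] != '\0' && n < sizeof pkt->message - 1) {
            pkt->message[n] = (char)msg[n];
            n++;
        }
        pkt->message[n] = '\0';
        return TFTP_REMOTE_ERROR;
    }
    default:
        return TFTP_UNEXPECTED;   /* the "Internal error: Unexpected packet" case */
    }
}

/* Constructed datagrams for the example; not captured from the sample. */
static const uint8_t PKT_DATA_LAST[] = { 0x00, 0x03, 0x00, 0x07, 'h', 'i' };
static const uint8_t PKT_ERROR_NO_NUL[] = { 0x00, 0x05, 0x00, 0x01,
    'F', 'i', 'l', 'e', ' ', 'n', 'o', 't', ' ', 'f', 'o', 'u', 'n', 'd' };
static const uint8_t PKT_SHORT[] = { 0x00, 0x03, 0x00 };
static const uint8_t PKT_RRQ[] = { 0x00, 0x01, 'a', 0x00, 'o', 'c', 't', 'e', 't', 0x00 };

int main(void)
{
    struct tftp_packet p;
    if (tftp_parse(PKT_ERROR_NO_NUL, sizeof PKT_ERROR_NO_NUL, &p) == TFTP_REMOTE_ERROR)
        printf("TFTP error: %s (code %u)\n", p.message, p.block);
    if (tftp_parse(PKT_DATA_LAST, sizeof PKT_DATA_LAST, &p) == TFTP_OK_DATA)
        printf("DATA block %u, %zu bytes, final=%d\n", p.block, p.payload_len, p.final_block);
    if (tftp_parse(PKT_SHORT, sizeof PKT_SHORT, &p) == TFTP_TOO_SHORT)
        printf("Received too short packet\n");
    return 0;
}
```

The ERROR case is the one to get right in a client: the text is attacker-controlled and goes straight into a "%s" format, so it must be NUL-terminated by the receiver, not trusted to be terminated by the sender.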
              APIs
              • _swscanf.LIBCMT ref: 00FB4D36
                • Part of subcall function 00FDFA6E: _vscan_fn.LIBCMT ref: 00FDFA85
              Strings
              • Select failed, xrefs: 00FB4E31
              • OK [UIDVALIDITY %19[0123456789]], xrefs: 00FB4D30
              • Mailbox UIDVALIDITY has changed, xrefs: 00FB4DA8
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: _swscanf_vscan_fn
              • String ID: Mailbox UIDVALIDITY has changed$OK [UIDVALIDITY %19[0123456789]]$Select failed
              • API String ID: 1942008592-3309259123
              • Opcode ID: 8f5b77daa2c2e256b76a91d3b6b71c5a91fa4beb53536944e1817b44dcc959fa
              • Instruction ID: f76213464b30d332fb6f64eaf4adc8cd5268ecd8579a506ec405dff84a7364ca
              • Opcode Fuzzy Hash: 8f5b77daa2c2e256b76a91d3b6b71c5a91fa4beb53536944e1817b44dcc959fa
              • Instruction Fuzzy Hash: 8A311A72B006005BD614FF39EC9266EB3D5FF8C321FC4453EE1498B302E639A8589B92
              APIs
              • GetTimeZoneInformation.KERNEL32(01014D18,01014D18), ref: 00F1705D
                • Part of subcall function 00F12580: _memcpy_s.LIBCMT ref: 00F125FD
              • swprintf.LIBCMT ref: 00F17110
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: InformationTimeZone_memcpy_sswprintf
              • String ID: %02d:%02d$GMT
              • API String ID: 2755296731-3921161529
              • Opcode ID: ab940c4711130b8ecf3e13cd6836d44fbebf921f2e99b1e543a237cdc9357c3e
              • Instruction ID: 6c585ee2c37d3f72957dc8840d04ee3792909c447420feea3c108cbca1beb5c1
              • Opcode Fuzzy Hash: ab940c4711130b8ecf3e13cd6836d44fbebf921f2e99b1e543a237cdc9357c3e
              • Instruction Fuzzy Hash: 6A41A2716087409BD328DF69CC51B9BB7E6EFC9700F458A2EE04ACB344DB79A5448792
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: _strrchr
              • String ID: %s%s%s$LIST$NLST
              • API String ID: 3213747228-959297966
              • Opcode ID: b7521366ec0344f633a3cebe0da349ebedbd2087bc51955c2823e4f9357d39fa
              • Instruction ID: 8db25bef2713b3ef7c7924c330bad9495ad7cb2bd414f6b80b2d80ec871b5aa0
              • Opcode Fuzzy Hash: b7521366ec0344f633a3cebe0da349ebedbd2087bc51955c2823e4f9357d39fa
              • Instruction Fuzzy Hash: C1312B71B04602ABE7249625DC45BFBB799EFC0761F04012DF989C7241E724D845EBA2
              APIs
              • IsZoomed.USER32(?), ref: 00F2C137
              • CallWindowProcW.USER32(?,?,?,?,?), ref: 00F2C14A
              • IsZoomed.USER32(?), ref: 00F2C156
                • Part of subcall function 00F4A110: _wcsncpy.LIBCMT ref: 00F4A1A1
                • Part of subcall function 00FDB0A2: __lock.LIBCMT ref: 00FDB0C0
                • Part of subcall function 00FDB0A2: ___sbh_find_block.LIBCMT ref: 00FDB0CB
                • Part of subcall function 00FDB0A2: ___sbh_free_block.LIBCMT ref: 00FDB0DA
                • Part of subcall function 00FDB0A2: RtlFreeHeap.NTDLL(00000000,?,01028420,0000000C,00FE4923,00000000,01028990,0000000C,00FE495D,?,?,?,00FEF11D,00000004,01028BE0,0000000C), ref: 00FDB10A
                • Part of subcall function 00FDB0A2: GetLastError.KERNEL32(?,00FEF11D,00000004,01028BE0,0000000C,00FE429F,?,?,00000000,00000000,00000000,?,00FE58EA,00000001,00000214), ref: 00FDB11B
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: Zoomed$CallErrorFreeHeapLastProcWindow___sbh_find_block___sbh_free_block__lock_wcsncpy
              • String ID: syscommandclose
              • API String ID: 1480196746-397309504
              • Opcode ID: e099c1917d66bbe6fd930bb7ae028b94413ac698614afe58c5e236f85031226f
              • Instruction ID: 2b6ef06654b06c60305877743e626f3312c6526edf32817a97bd8126ca36d1ad
              • Opcode Fuzzy Hash: e099c1917d66bbe6fd930bb7ae028b94413ac698614afe58c5e236f85031226f
              • Instruction Fuzzy Hash: BB31E476A002209BCB10DF69DC4185FB3A9EF88320F154A1AFC5997242D735FD0497E2
              APIs
                • Part of subcall function 00F12580: _memcpy_s.LIBCMT ref: 00F125FD
              • IsWindow.USER32(?), ref: 00F269F2
              • PostMessageW.USER32(?,00000010,00000001,00000000), ref: 00F26A05
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: MessagePostWindow_memcpy_s
              • String ID: Click_Exit$Download_Failed
              • API String ID: 2951890172-778600294
              • Opcode ID: ce62f6bfc8e77b6238573e601273f7a0084a1cee34e312c06d9cc8a433770f76
              • Instruction ID: f36c4b04de12a14eaadc24063fca0fe1e74e2fabc360f74268dad4bd80052fd3
              • Opcode Fuzzy Hash: ce62f6bfc8e77b6238573e601273f7a0084a1cee34e312c06d9cc8a433770f76
              • Instruction Fuzzy Hash: 9231D0719083409BC720DF25C841B5BFBE9AF85B14F004A1EF59897280EB7AE944CB93
              APIs
              • LoadCursorW.USER32(00000000,00007F00), ref: 00F5D79B
              • SetCursor.USER32(00000000,?,75BF3FC0,?,00F5690F,?), ref: 00F5D7A2
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: Cursor$Load
              • String ID: menu$timer
              • API String ID: 1675784387-2593718399
              • Opcode ID: 1ebd2edebe9a1431e42a06b10bf4856ffae57f7531de7c43f57c79df6aa23525
              • Instruction ID: f62db0e4150740ca754fe26527f2d76becb2eeb4d6d2a5e1ba94c70cfcc6c9ca
              • Opcode Fuzzy Hash: 1ebd2edebe9a1431e42a06b10bf4856ffae57f7531de7c43f57c79df6aa23525
              • Instruction Fuzzy Hash: 74212B72B051046BD630DB5CAC41FA9F399EBD5332F10026BFF45C7681CA61AC6583E5
              APIs
                • Part of subcall function 00F1BB00: std::_String_base::_Xlen.LIBCPMT ref: 00F1BB5C
                • Part of subcall function 00F1BB00: _memcpy_s.LIBCMT ref: 00F1BBB6
              • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00F3AA24
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: ExecuteShellString_base::_Xlen_memcpy_sstd::_
              • String ID: ShowWebAds$open$receivedAdUrl
              • API String ID: 3969413188-545737717
              • Opcode ID: 2abffc23ce9212eb5dd5dee4c9c4945075e67f9dcb6f48a9c6fe8cfd24fee568
              • Instruction ID: 25a3aaebecaafd505601740f1c6c1a3ab0e8624b922e3b5417a0e78b48aa23ea
              • Opcode Fuzzy Hash: 2abffc23ce9212eb5dd5dee4c9c4945075e67f9dcb6f48a9c6fe8cfd24fee568
              • Instruction Fuzzy Hash: E931A0B1108380DFD710EF39C88671BBBE5AB89718F500A2DF1954B282D67AD849DB93
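This function passes the verb "open" and a string tied to the ShowWebAds / receivedAdUrl messages to ShellExecuteW, with nShowCmd 1 (SW_SHOWNORMAL). The report does not show how that string is obtained or whether it is checked before the call. The point a reviewer would want to confirm is that only http:// or https:// URLs reach ShellExecuteW, because with the "open" verb the shell dispatches on whatever the string turns out to be: a web URL goes to the default browser, but a file path, a UNC path or any other registered scheme goes to that target's handler instead. The allow-list check below is an added example, not code from the sample: is_safe_web_url and open_ad_url_checked are hypothetical names, the Windows call sits under #ifdef _WIN32 so the check itself builds anywhere, and the URLs are constructed test inputs.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <shellapi.h>
#endif

/* Returns 1 if url is an absolute http:// or https:// URL with a non-empty host
   and no control characters or whitespace; 0 otherwise. The scheme match is
   case-insensitive; everything else (file:, javascript:, UNC paths, bare
   executable paths, custom schemes) is rejected before it can reach the shell. */
int is_safe_web_url(const char *url)
{
    static const char *const schemes[] = { "http://", "https://" };
    size_t i, n;
    const char *rest = NULL;

    if (url == NULL) return 0;
    for (i = 0; i < sizeof schemes / sizeof schemes[0]; i++) {
        size_t j;
        n = strlen(schemes[i]);
        for (j = 0; j < n; j++)
            if (tolower((unsigned char)url[j]) != schemes[i][j]) break;   /* stops at NUL too */
        if (j == n) { rest = url + n; break; }
    }
    if (rest == NULL || *rest == '\0') return 0;          /* unknown scheme or empty host */

    /* The host must not start with a separator that could turn into a path or credential trick. */
    if (*rest == '/' || *rest == '\\' || *rest == '@' || *rest == '.') return 0;

    for (const char *p = url; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (c < 0x20 || c == 0x7f || isspace(c)) return 0;   /* CR/LF, tabs, spaces */
    }
    return 1;
}

/* Hand the URL to the default browser only if it passes the allow-list.
   Returns 0 if refused, 1 if dispatched (or, off Windows, if it would have been). */
int open_ad_url_checked(const char *url)
{
    if (!is_safe_web_url(url)) {
        fprintf(stderr, "refused to open non-web URL: %s\n", url ? url : "(null)");
        return 0;
    }
#ifdef _WIN32
    /* Same call shape as in the report: verb "open", nShowCmd SW_SHOWNORMAL (1). */
    HINSTANCE h = ShellExecuteA(NULL, "open", url, NULL, NULL, SW_SHOWNORMAL);
    return (INT_PTR)h > 32;   /* ShellExecute reports success as a value greater than 32 */
#else
    printf("would open: %s\n", url);
    return 1;
#endif
}

/* Constructed test inputs; none of these strings were recovered from the sample. */
const char *const URL_OK     = "https://example.com/promo?id=1";
const char *const URL_UPPER  = "HTTP://Example.com/";
const char *const URL_FILE   = "file:///C:/Windows/System32/calc.exe";
const char *const URL_EXE    = "C:\\Users\\Public\\payload.exe";
const char *const URL_UNC    = "\\\\attacker\\share\\run.exe";
const char *const URL_CRLF   = "https://example.com/\r\ncalc.exe";
const char *const URL_NOHOST = "https://";

int main(void)
{
    const char *const tests[] = { URL_OK, URL_UPPER, URL_FILE, URL_EXE, URL_UNC, URL_CRLF, URL_NOHOST };
    for (size_t i = 0; i < sizeof tests / sizeof tests[0]; i++)
        printf("%d  %s\n", is_safe_web_url(tests[i]), tests[i]);
    return 0;
}
```

An allow-list on the scheme is deliberately preferred over a deny-list of known-bad prefixes: the set of handlers the shell will dispatch to depends on what is registered on the host, which the program cannot enumerate ahead of time.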
              APIs
              • CreateThread.KERNEL32 ref: 00F30C45
                • Part of subcall function 00F96740: PeekMessageW.USER32(00000000,00000000,00000000,00000000,00000001), ref: 00F9676E
                • Part of subcall function 00F96740: TranslateMessage.USER32(?), ref: 00F9678A
                • Part of subcall function 00F96740: DispatchMessageW.USER32(?), ref: 00F96791
              • CloseHandle.KERNEL32(00000000), ref: 00F30C65
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: Message$CloseCreateDispatchHandlePeekThreadTranslate
              • String ID: netFailed$netOK
              • API String ID: 2582738287-1194257295
              • Opcode ID: de30c7643998bae573fa189f1eab36bcea14911921df6865b18513f9d3517a7c
              • Instruction ID: 97be0279bf56f2569566de81e6c26edf46d19e71b0bce15c74b1cfaf40621fb5
              • Opcode Fuzzy Hash: de30c7643998bae573fa189f1eab36bcea14911921df6865b18513f9d3517a7c
              • Instruction Fuzzy Hash: 5611E770648344AFD311DF199C81B2BBBECF788B58F40061EF4C587741C77A99049B92
              APIs
                • Part of subcall function 00FA8470: recv.WS2_32(?,?,?,00000000), ref: 00FA84FB
              • send.WS2_32(?,00FD6295,?,00000000), ref: 00FA8544
              • WSAGetLastError.WS2_32 ref: 00FA855C
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: ErrorLastrecvsend
              • String ID: 3'$Send failure: %s
              • API String ID: 3418755260-1925326815
              • Opcode ID: e54ff782e29c3a27baab7861704f23a6be1245114f0adc25ee3a66b2985b32af
              • Instruction ID: f964c65eeaae2e3e7714c556a2d49a1f539c0b0444d1bdc2c047dd67fd3d4826
              • Opcode Fuzzy Hash: e54ff782e29c3a27baab7861704f23a6be1245114f0adc25ee3a66b2985b32af
              • Instruction Fuzzy Hash: 5501FCB66002155FD710DF58DC84FAB77A8EB89371F000559F944C7381D77AAC5197A1
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: Version_memset
              • String ID: home$server
              • API String ID: 963298953-1141258394
              • Opcode ID: 7be96f2c0daab1607ac3f7ddc89ec8269b5eddb3f3da1991f741097517876b5d
              • Instruction ID: ee2c029288402426277b34ea325d9f9004e94607f170629cf3933765847d391c
              • Opcode Fuzzy Hash: 7be96f2c0daab1607ac3f7ddc89ec8269b5eddb3f3da1991f741097517876b5d
              • Instruction Fuzzy Hash: 6A0184706043405BE325DF14D81A7EBBBE5ABC9704F44841CE4C9CB681DB799548C796
              APIs
              • WSAStartup.WS2_32(00000002,8F2D4ADD), ref: 00FB825A
              • WSACleanup.WS2_32 ref: 00FB8275
              Strings
              • WSAStartup failed (%d), xrefs: 00FB8265
              • insufficient winsock version to support telnet, xrefs: 00FB82A0
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: CleanupStartup
              • String ID: WSAStartup failed (%d)$insufficient winsock version to support telnet
              • API String ID: 915672949-1763879679
              • Opcode ID: 87c2e1b4f77735250082566f7c022affe54a54fd0959c0b555930e8f7a5af2c6
              • Instruction ID: 5acf57f04ae69bc432c14661f0ee07e94eaf4b3ca26568951bf4bc7e87dc5529
              • Opcode Fuzzy Hash: 87c2e1b4f77735250082566f7c022affe54a54fd0959c0b555930e8f7a5af2c6
              • Instruction Fuzzy Hash: 98F0F674A106109BDB36AB359C17BFA33DDAF8D781F800019F889C6281EE3E5407DA67
              APIs
              • GetModuleHandleW.KERNEL32(kernel32,GetNativeSystemInfo,?,?,?,?,00F3B2FC,8F2D4ADD,?,?,?), ref: 00F44A7D
              • GetProcAddress.KERNEL32(00000000), ref: 00F44A84
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: AddressHandleModuleProc
              • String ID: GetNativeSystemInfo$kernel32
              • API String ID: 1646373207-3846845290
              • Opcode ID: d0e2d625c561b0fb39a0ba2e37010e015411a8fbc0ec1a4e2bd4a3c56793eb8c
              • Instruction ID: 70de872c76ff8d88082e33a735d2afee6dda6d96d0c7feb73e6b600ac2e03cd9
              • Opcode Fuzzy Hash: d0e2d625c561b0fb39a0ba2e37010e015411a8fbc0ec1a4e2bd4a3c56793eb8c
              • Instruction Fuzzy Hash: 60F017B480C3019BC71CDF19A48440ABBE1BB88700F84892EF4D9D2304E339C6999B9A
              APIs
              • send.WS2_32(?,?,00000003,00000000), ref: 00FB8465
              • WSAGetLastError.WS2_32 ref: 00FB846F
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: ErrorLastsend
              • String ID: SENT$Sending data failed (%d)
              • API String ID: 1802528911-3459338696
              • Opcode ID: af4b759edc72715a76a3072d9ac4bf47a67c8d87c482139cf13c2cd6f64336ec
              • Instruction ID: 826e65d31cfe9aae6f7848a2b02bf9e11da77df1fb0f838f86839b9d08b5c84b
              • Opcode Fuzzy Hash: af4b759edc72715a76a3072d9ac4bf47a67c8d87c482139cf13c2cd6f64336ec
              • Instruction Fuzzy Hash: 59F05971309341AFD301DF649C01A8BBB989F85320F08414CF4D4832C2EB29A509CBA3
              APIs
              • GetProcAddress.KERNEL32(00000000,InitSecurityInterfaceW), ref: 00FA8636
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: AddressProc
              • String ID: InitSecurityInterfaceW$secur32.dll$security.dll
              • API String ID: 190572456-1950755585
              • Opcode ID: a4640e01dc6a2820f23d1158bcb4c2762308747fba47a91294257884ecee0b0f
              • Instruction ID: d35e34387bdf00ccdb51d3b159b609de4874a992a6c0a9f151a47f24829ee84b
              • Opcode Fuzzy Hash: a4640e01dc6a2820f23d1158bcb4c2762308747fba47a91294257884ecee0b0f
              • Instruction Fuzzy Hash: 6AF065F0F8030275FB3156669C07B2636955B12BA5F844025A584D52C6FFEAED01A651
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: _strncmp
              • String ID: I32$I64
              • API String ID: 909875538-3980630743
              • Opcode ID: 4fe609d8a1a833ec944f3c9371e5f9a1e5ffc595922d1ad41e2f1957cbff04d1
              • Instruction ID: 4e218b6bdbcaabd8f3c6eba38b5e9f8a0eccdd3e685e609d420336269ddba80d
              • Opcode Fuzzy Hash: 4fe609d8a1a833ec944f3c9371e5f9a1e5ffc595922d1ad41e2f1957cbff04d1
              • Instruction Fuzzy Hash: FDE08C04A80DA216F62292356E13F2931980F13FDAF8D02B5FC85EC2E3F64CD784A0A1
              APIs
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: Rect
              • String ID:
              • API String ID: 400858303-0
              • Opcode ID: cef82c41fe936b793f27018889ecefeb7a78ea1c6970ecea8b6b97ea5c6c63bd
              • Instruction ID: 3a2c4e04f38f9e6166e5fbeb621dbe6d9e03a261dfad7d94c08bc3af6b6eec4a
              • Opcode Fuzzy Hash: cef82c41fe936b793f27018889ecefeb7a78ea1c6970ecea8b6b97ea5c6c63bd
              • Instruction Fuzzy Hash: A1D14A757006029FC718DF78C490AAAF7E2BFC8310F54872AE96D97741DB31A821DB92
              APIs
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: _memset
              • String ID:
              • API String ID: 2102423945-0
              • Opcode ID: e1df5051348a7ba1d804936acbc4818e09b4ec4685c9a8b39234a20f7dd74bc9
              • Instruction ID: 6cb2f37c8b4b382c324176b1cc8ba533124ed823d59e82085695fd196a9da646
              • Opcode Fuzzy Hash: e1df5051348a7ba1d804936acbc4818e09b4ec4685c9a8b39234a20f7dd74bc9
              • Instruction Fuzzy Hash: 8FA1BF719083429FEB21DF28D844B5ABBE4EF85354F19052CE8C5CB342E739E959CB92
              APIs
              • std::_String_base::_Xlen.LIBCPMT ref: 00F98ABC
              • _memmove_s.LIBCMT ref: 00F98B22
              • _memmove_s.LIBCMT ref: 00F98B58
                • Part of subcall function 00FDA084: __EH_prolog3.LIBCMT ref: 00FDA08B
                • Part of subcall function 00FDA084: __CxxThrowException@8.LIBCMT ref: 00FDA0B6
              • _memcpy_s.LIBCMT ref: 00F98B88
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: _memmove_s$Exception@8H_prolog3String_base::_ThrowXlen_memcpy_sstd::_
              • String ID:
              • API String ID: 3227841680-0
              • Opcode ID: f9f300eca6b53c5c574d2dc483831d698c79f107efb1f8eda9b31c240aa2a296
              • Instruction ID: 055acb388e0ca82d77887f65b670bfd55c90507fca75e64e9ca17b153caeff7f
              • Opcode Fuzzy Hash: f9f300eca6b53c5c574d2dc483831d698c79f107efb1f8eda9b31c240aa2a296
              • Instruction Fuzzy Hash: 6431CA712002059F9B24DF69DCC486AB3B6FFD23A4728461EE04187765DF34E846E7A5
              APIs
              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00FDF489
                • Part of subcall function 00FDC080: __getptd.LIBCMT ref: 00FDC093
              • __iswctype_l.LIBCMT ref: 00FDF4D9
              • _wcslen.LIBCMT ref: 00FDF4EE
              • __fltin2.LIBCMT ref: 00FDF4FA
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: Locale$UpdateUpdate::___fltin2__getptd__iswctype_l_wcslen
              • String ID:
              • API String ID: 1398186946-0
              • Opcode ID: 1772f59a2ab1af357d02f5a0b74f0a78a815214a1b3ec1a4dcab6e1426b7f2bd
              • Instruction ID: f0493b98cd35dd00f1b7b7c5c1a7ebe58cc47229d260050184286f2d861d9e5b
              • Opcode Fuzzy Hash: 1772f59a2ab1af357d02f5a0b74f0a78a815214a1b3ec1a4dcab6e1426b7f2bd
              • Instruction Fuzzy Hash: 6431E672D00206E7DB21AF58EC45FAE7BB9BF41320F1C0066E99297391EB35C945E790
              APIs
              • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,?,8F2D4ADD), ref: 00F15903
              • _memset.LIBCMT ref: 00F1591D
              • RegQueryValueExW.ADVAPI32(00000200,?,00000000,?,?,00000200), ref: 00F15959
              • RegCloseKey.ADVAPI32(8F2D4ADD), ref: 00F1598F
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: CloseOpenQueryValue_memset
              • String ID:
              • API String ID: 3211720786-0
              • Opcode ID: db00afe65826c438ffcd88d9cc4c4a2447d7092cc3b1028614785b09702cb9f0
              • Instruction ID: edfba5abe8ce79333d034851a6a556b1f0f512bdb06ccff6d7f8f479a6be7a90
              • Opcode Fuzzy Hash: db00afe65826c438ffcd88d9cc4c4a2447d7092cc3b1028614785b09702cb9f0
              • Instruction Fuzzy Hash: 14418D71504305DBD720DF55C889B9BB7F8FB88B18F404A1DF4898B240E779E548DBA2
              APIs
              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00FF2DDC
              • __isleadbyte_l.LIBCMT ref: 00FF2E10
              • MultiByteToWideChar.KERNEL32(00000080,00000009,00FE6BB8,?,00000000,00000000,?,?,?,?,00FE6BB8,00000000,?), ref: 00FF2E41
              • MultiByteToWideChar.KERNEL32(00000080,00000009,00FE6BB8,00000001,00000000,00000000,?,?,?,?,00FE6BB8,00000000,?), ref: 00FF2EAF
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
              • String ID:
              • API String ID: 3058430110-0
              • Opcode ID: 6adf598cf46bb1836b102d571be3b7d8818fd52f2362f64951b41355810fdd65
              • Instruction ID: a4733578ff2828605c4c09c23ddfd3025ee96414448255f7c8218052ca03c767
              • Opcode Fuzzy Hash: 6adf598cf46bb1836b102d571be3b7d8818fd52f2362f64951b41355810fdd65
              • Instruction Fuzzy Hash: 9C31C531A0024AEFDB60DF64C884ABE3BA5FF01321F248569E5659B1B1E731DD90EB90
              APIs
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: _memset
              • String ID:
              • API String ID: 2102423945-0
              • Opcode ID: c2dbc699ef43b3df4ba9a78e73585351e7c4cf8a52eaf4f84ad892fb1aa47c26
              • Instruction ID: 06804197c0cd8e89ccaacd6306f9611c5aec94a5056d35fb1d470c6d6c53d6fd
              • Opcode Fuzzy Hash: c2dbc699ef43b3df4ba9a78e73585351e7c4cf8a52eaf4f84ad892fb1aa47c26
              • Instruction Fuzzy Hash: E3318FB1A05780DBD364DF3A9C42B97FAE8EB95700F04492FB19BC3391DAB9A4048B55
              APIs
              • GdipCreateFromHDC.GDIPLUS(?,?), ref: 00F82253
              • GdipDrawImageRectI.GDIPLUS(?,00000000,?,?,?,?,?,?), ref: 00F82293
              • GdipImageSelectActiveFrame.GDIPLUS(?,?,?,?,00000000,?,?,?,?,?,?), ref: 00F822AE
              • GdipDeleteGraphics.GDIPLUS(?,?,00000000,?,?,?,?,?,?), ref: 00F822C2
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: Gdip$Image$ActiveCreateDeleteDrawFrameFromGraphicsRectSelect
              • String ID:
              • API String ID: 3422746491-0
              • Opcode ID: 9db526a64d6ca18c2bac43a6c88c75d97d3aaefd1003009745ed7d7eee6efaca
              • Instruction ID: 2b6d0d99d6a2de03ec943690d56652b4d7f0b944c5aaf509ff3f1e1b792e91e4
              • Opcode Fuzzy Hash: 9db526a64d6ca18c2bac43a6c88c75d97d3aaefd1003009745ed7d7eee6efaca
              • Instruction Fuzzy Hash: 992136B1608745DFD3A4DF69D980AA7B7E9FBC8300F044A1DE59983210DB39F944CB61
              APIs
              • __itow.LIBCMT ref: 00F5071D
                • Part of subcall function 00FDCACA: _xtow@16.LIBCMT ref: 00FDCAEA
              • SelectObject.GDI32(?,00000000), ref: 00F5077A
              • GetTextMetricsW.GDI32(?,00000090), ref: 00F50788
              • SelectObject.GDI32(?,?), ref: 00F5079A
                • Part of subcall function 00F4FE00: SelectObject.GDI32(?,060A0EEB), ref: 00F4FE2B
                • Part of subcall function 00F4FE00: GetTextMetricsW.GDI32(?,01037A0C), ref: 00F4FE3B
                • Part of subcall function 00F4FE00: SelectObject.GDI32(?,00000000), ref: 00F4FE49
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: ObjectSelect$MetricsText$__itow_xtow@16
              • String ID:
              • API String ID: 2423145084-0
              • Opcode ID: 4317ff867fe7994e363fca7881422ca0b246f588b4bd3b6d30b4651c02e62450
              • Instruction ID: c37c5cf995a2c7f88e2c65e9c180e70ed495951eb47a9096087d5071b337eb10
              • Opcode Fuzzy Hash: 4317ff867fe7994e363fca7881422ca0b246f588b4bd3b6d30b4651c02e62450
              • Instruction Fuzzy Hash: 53214CB56047019FC310DF39D881BABB7E9FB88750F44492DFA98C3241EB35E9488B92
              APIs
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: _memset_strncpy
              • String ID:
              • API String ID: 3140232205-0
              • Opcode ID: c7b8543afa97410a496567bd8ca39ee9e8feeb602525b288dabfa04bb53b63bc
              • Instruction ID: ae22300335fac710f5a078c9e7a68c4463d573210108d1a5080af486a68a923c
              • Opcode Fuzzy Hash: c7b8543afa97410a496567bd8ca39ee9e8feeb602525b288dabfa04bb53b63bc
              • Instruction Fuzzy Hash: 5D110AB29043816FE331EA548CC2FFB739CABD4304F44093DF29982142E638691892A7
              APIs
              • SHGetSpecialFolderLocation.SHELL32(00000000,00000011,00000000), ref: 00F3582D
              • _memset.LIBCMT ref: 00F35880
              • SHBrowseForFolderW.SHELL32(?), ref: 00F3588D
              • SHGetPathFromIDListW.SHELL32(00000000,00000000), ref: 00F35899
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: Folder$BrowseFromListLocationPathSpecial_memset
              • String ID:
              • API String ID: 1492392336-0
              • Opcode ID: 1ffe2b9faae5f6d63b044d209c3e5feb7cc9fa7bc9ae0dfc30ec89ffb9d2d09f
              • Instruction ID: cf54b849f1a34cce4bf1495f18af262f9221fe689969c50a15fdf58d49a346bc
              • Opcode Fuzzy Hash: 1ffe2b9faae5f6d63b044d209c3e5feb7cc9fa7bc9ae0dfc30ec89ffb9d2d09f
              • Instruction Fuzzy Hash: CE215BB1A083009FD350DF69980575BBBE8EF98B24F004A2EF598D3241E7B5D9048BD6
              APIs
              • DefWindowProcW.USER32(?,?,?,?,?,?,00F82E70,?,?), ref: 00F82F81
              • SendMessageW.USER32(?,00001001,00000000,?), ref: 00F82FAF
              • SendMessageW.USER32(?,00000008,?,?), ref: 00F82FF2
              • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00F82FFE
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: MessageSend$ProcWindow
              • String ID:
              • API String ID: 1247960604-0
              • Opcode ID: a10aaee6882c763698c6553887a184e3d3fd6d3a5c87eccbf838c7e724aca47e
              • Instruction ID: d339a72083235d176e19ff0aef3a3917245e144166aa05d10d7fb372917710d1
              • Opcode Fuzzy Hash: a10aaee6882c763698c6553887a184e3d3fd6d3a5c87eccbf838c7e724aca47e
              • Instruction Fuzzy Hash: 2D11F8B9340705BFD214DB68CC85F66B3B9BB88B04F108558F65897291CB76F890CB64
              APIs
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: From$ProgString_memset_wcsncpy
              • String ID:
              • API String ID: 2240319475-0
              • Opcode ID: 532ffab6ba5e13da2b54810aacf7de2d87c25cafc6011f9c06b6bb77fdf8e53b
              • Instruction ID: 134ac0b5de43f903fe64c3f003a10db7059a3c81b427da341c2ee1c16340f719
              • Opcode Fuzzy Hash: 532ffab6ba5e13da2b54810aacf7de2d87c25cafc6011f9c06b6bb77fdf8e53b
              • Instruction Fuzzy Hash: 54110A719043419FD314EF24C845AABBBE5FFC8710F448A1EB48A9B250EB39D5448B92
              APIs
              • GetDeviceCaps.GDI32(?,00000058), ref: 00F881B2
              • GetDeviceCaps.GDI32(?,0000005A), ref: 00F881C9
              • MulDiv.KERNEL32(?,000009EC,00000000), ref: 00F881E0
              • MulDiv.KERNEL32(?,000009EC,00000000), ref: 00F881F2
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: CapsDevice
              • String ID:
              • API String ID: 328075279-0
              • Opcode ID: 36b089b3e0686c4ad3e779cf15aa04ed2229fbe2aa65fe66213971496d4ffe2a
              • Instruction ID: 31a52970ba8cbfc3c2a6c4a6063f3974164f702a27afab04c099fccebaa22379
              • Opcode Fuzzy Hash: 36b089b3e0686c4ad3e779cf15aa04ed2229fbe2aa65fe66213971496d4ffe2a
              • Instruction Fuzzy Hash: C7119075640B009FD360DB69C984E16B7F9BF8C710B118559E68A8B7A1DA72F801CB10
              APIs
              • GetObjectA.GDI32(?,0000003C,?), ref: 00F6B1E5
              • GdipCreateFontFromLogfontA.GDIPLUS(?,?), ref: 00F6B1F9
              • GdipCreateFontFromDC.GDIPLUS(?), ref: 00F6B206
              • GdipCreateFontFromDC.GDIPLUS(?), ref: 00F6B22B
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: CreateFontFromGdip$LogfontObject
              • String ID:
              • API String ID: 3733165904-0
              • Opcode ID: b5592b5759f17b97432c73b6fbfbfb9b1b9a6cbceb7fb0b72669506a45807eff
              • Instruction ID: 2d91a3d62a06b1c05956e540d595317a97cf82465a6a8b35e87ef80ce2967f88
              • Opcode Fuzzy Hash: b5592b5759f17b97432c73b6fbfbfb9b1b9a6cbceb7fb0b72669506a45807eff
              • Instruction Fuzzy Hash: 86011BB46042059BC325EF28C892A2FB7F5BF98740F00491DE2C6C7350E735A941DB56
              APIs
              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00F96D3B,000000FF,00000000,00000000,00000000,00000000,00000008,00000000,?,?,00F96D3B,?), ref: 00F966F5
              • _malloc.LIBCMT ref: 00F96701
              • _memset.LIBCMT ref: 00F9670C
              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00F96D3B,000000FF,00000000,00000000,00000000,00000000,?,?,00F96D3B,?), ref: 00F96724
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: ByteCharMultiWide$_malloc_memset
              • String ID:
              • API String ID: 1563474556-0
              • Opcode ID: dab30f1b262daf1a99f367909859568ca887e8095d641eb696082f4704e6a876
              • Instruction ID: 1524ca01f33e7025861f76f9c62bd2c7605cc21c3bf45153541404f918926830
              • Opcode Fuzzy Hash: dab30f1b262daf1a99f367909859568ca887e8095d641eb696082f4704e6a876
              • Instruction Fuzzy Hash: 0DF0823238431536F630365A9C46F97BB5DDB81FB4F344212B628AE1C1D996742052B9
              APIs
              • _memset.LIBCMT ref: 00F181F7
              • VerSetConditionMask.KERNEL32 ref: 00F18225
              • VerSetConditionMask.KERNEL32(00000000,?,00000001,00000003), ref: 00F1822D
              • VerifyVersionInfoW.KERNEL32(?,00000003,00000000), ref: 00F18238
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: ConditionMask$InfoVerifyVersion_memset
              • String ID:
              • API String ID: 3299124433-0
              • Opcode ID: 8c42779d31930181e89c991305eabfda57b046cdb18ed96d5dcbfe7bec660f91
              • Instruction ID: 692ae61d8695a1b82f1b427ad8e5d2b8bc866d38d060c1e26272be1ddf82aa81
              • Opcode Fuzzy Hash: 8c42779d31930181e89c991305eabfda57b046cdb18ed96d5dcbfe7bec660f91
              • Instruction Fuzzy Hash: 3B01A9706443046BE230AF70DC0BFAB7BADAB84B14F00450DB6845B1C0DBBA951487D6
              APIs
              • GetClipBox.GDI32(?,?), ref: 00F709FC
              • CreateRectRgnIndirect.GDI32(?), ref: 00F70A0D
              • CreateRectRgnIndirect.GDI32(?), ref: 00F70A17
              • ExtSelectClipRgn.GDI32(?,00000000,00000001), ref: 00F70A20
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: ClipCreateIndirectRect$Select
              • String ID:
              • API String ID: 4223180713-0
              • Opcode ID: 62f7d984f951722428b0b112051dce8146108b29bdb03cfb2c4d5cae7f0bee11
              • Instruction ID: 9f449504e9fed3ccc66349e7a927505c6bec3db35b5d1c245b005c4b5b531eee
              • Opcode Fuzzy Hash: 62f7d984f951722428b0b112051dce8146108b29bdb03cfb2c4d5cae7f0bee11
              • Instruction Fuzzy Hash: CD0160B49047019FD320DF69D88095BBBF5FB88604F508A1EB99993214E779E6448F92
              APIs
              • __getptd.LIBCMT ref: 00FDD6CA
                • Part of subcall function 00FE5938: __getptd_noexit.LIBCMT ref: 00FE593B
                • Part of subcall function 00FE5938: __amsg_exit.LIBCMT ref: 00FE5948
              • __getptd.LIBCMT ref: 00FDD6E1
              • __amsg_exit.LIBCMT ref: 00FDD6EF
              • __lock.LIBCMT ref: 00FDD6FF
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: __amsg_exit__getptd$__getptd_noexit__lock
              • String ID:
              • API String ID: 3521780317-0
              • Opcode ID: 5ada57b4ba1ad6bb07791735af866bc2963ada0e053e7edd19839f7a86cb9334
              • Instruction ID: 9a5c605864f90604e007019992990065b4e2bde590770f7655f4bf1154f514ee
              • Opcode Fuzzy Hash: 5ada57b4ba1ad6bb07791735af866bc2963ada0e053e7edd19839f7a86cb9334
              • Instruction Fuzzy Hash: 4BF06D32942B44CBD720FB75880674D73A16F00B24F48425BE484AB3C2CB3CA941AF91
              APIs
              • __IsNonwritableInCurrentImage.LIBCMT ref: 00FE216E
                • Part of subcall function 00FF2590: __FindPESection.LIBCMT ref: 00FF25EB
              • __getptd_noexit.LIBCMT ref: 00FE217E
              • __freeptd.LIBCMT ref: 00FE2188
              • ExitThread.KERNEL32 ref: 00FE2191
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: CurrentExitFindImageNonwritableSectionThread__freeptd__getptd_noexit
              • String ID:
              • API String ID: 3182216644-0
              • Opcode ID: d76ef977911c9eeeb145a32cdf057033d64fd51e3ae9e3b2eda9e781c8252f77
              • Instruction ID: c7e6cd24e30f5519cb2a761c91d1d4161aa0ec3c3d4e1b3071efe4c314e90787
              • Opcode Fuzzy Hash: d76ef977911c9eeeb145a32cdf057033d64fd51e3ae9e3b2eda9e781c8252f77
              • Instruction Fuzzy Hash: 0FD0C73040068E6BD6603BB3EC0E62A36CDAB80721F280020B640940A2EF2DCA82E221
              APIs
                • Part of subcall function 00F12580: _memcpy_s.LIBCMT ref: 00F125FD
              • lstrlenW.KERNEL32(?,00000000,00000000,000000FF,?,?,01017170,00000001,00000000,00000001,?,00000000,000000FF,01014D18,00000000), ref: 00F38E7E
              • WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,?,00000000,00000000), ref: 00F38EAC
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: ByteCharMultiWide_memcpy_slstrlen
              • String ID: .exe
              • API String ID: 154246496-4119554291
              • Opcode ID: 0ec4dc3f04c5eba7cddfa94e11bc6db625f2e071d8333dafb2d978d6d1ae2070
              • Instruction ID: 69e5c78753931cc749f21fa9833b4c4d8d2f83c1ec9aa927cde659d5f3b906a3
              • Opcode Fuzzy Hash: 0ec4dc3f04c5eba7cddfa94e11bc6db625f2e071d8333dafb2d978d6d1ae2070
              • Instruction Fuzzy Hash: 78A1B0B1900348EBCB10EFA8CC81BDE7BB5BF04364F144619F915A7281DB79E985DB91
              APIs
              • _localeconv.LIBCMT ref: 00F1F4AE
                • Part of subcall function 00FDB62C: __getptd.LIBCMT ref: 00FDB62C
                • Part of subcall function 00FDA143: ____lc_handle_func.LIBCMT ref: 00FDA146
                • Part of subcall function 00FDA143: ____lc_codepage_func.LIBCMT ref: 00FDA14E
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: ____lc_codepage_func____lc_handle_func__getptd_localeconv
              • String ID: false$true
              • API String ID: 679402580-2658103896
              • Opcode ID: 5ec4873523b531e4324f1edba47e5a082fdf708f972ac0c11f93b3e899fe3994
              • Instruction ID: 390c82feeb939ce6986ae2f3299b08b375ced887cc1be66bdfbd5e449316e0b5
              • Opcode Fuzzy Hash: 5ec4873523b531e4324f1edba47e5a082fdf708f972ac0c11f93b3e899fe3994
              • Instruction Fuzzy Hash: 6F716FB1C042499FCB00DFA8C8819EEBBF5FF48300F18856EE559AB301E7799644DBA5
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.2889996204.0000000000F11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F10000, based on PE: true
               • Associated: 00000001.00000002.2889967278.0000000000F10000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890154973.0000000001006000.00000002.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890207740.0000000001033000.00000004.00000001.01000000.00000004.sdmp
               • Associated: 00000001.00000002.2890245982.0000000001039000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_f10000_EDownloader.jbxd
              Similarity
              • API ID: Rect
              • String ID: itemclick
              • API String ID: 400858303-803468992
              • Opcode ID: ea391a473023dd23885a45278a36eb1bf30d27e9592429fa126c605bc0eeaf61
              • Instruction ID: 30c2bd9ae6b2ceab0e8677fe1e24471a06d43bed6e645dcecfff4365acde66b7
              • Opcode Fuzzy Hash: ea391a473023dd23885a45278a36eb1bf30d27e9592429fa126c605bc0eeaf61
              • Instruction Fuzzy Hash: 5951AE76B043019BCB14EE68DCC0F6973A1AF86324F1486B9E9099F356CA35EC19E790
              APIs
              • IntersectRect.USER32(?,?,?), ref: 00F65A33
              • IntersectRect.USER32(?,?,?), ref: 00F65AB3
              Strings
              Similarity
              • API ID: IntersectRect
              • String ID: Container
              • API String ID: 481094312-1163095736
              • Opcode ID: 5da15813978cc4c08d08df0af801b104263a79659eaedc9095837d1e4697c367
              • Instruction ID: 8bfe76f110a0c929a56b5d5a5ed5553ef8ffa4f324d7e357653c741a460b6dde
              • Opcode Fuzzy Hash: 5da15813978cc4c08d08df0af801b104263a79659eaedc9095837d1e4697c367
              • Instruction Fuzzy Hash: 9D611474604A028FC718DF68C49096AF3E2BFCC720F148A6DE98997355DB34ED45CB82
              Strings
              Similarity
              • API ID:
              • String ID: %4x
              • API String ID: 0-607344608
              • Opcode ID: 81df35b6cb632c5b31979d4bcb2cee0a0cfcf1e4049c464ce79fbc05f4f2292f
              • Instruction ID: 2cf8fd5262d87199cc905631a132b01a84bb6c0bfae91849a42a8ccb267d72cf
              • Opcode Fuzzy Hash: 81df35b6cb632c5b31979d4bcb2cee0a0cfcf1e4049c464ce79fbc05f4f2292f
              • Instruction Fuzzy Hash: BF513C71808B81CFFF278F18C850368BBD1EB91B30F18996ED1C687242D2798989E752
              APIs
                • Part of subcall function 00FD3BA0: _memset.LIBCMT ref: 00FD3C00
              • _memset.LIBCMT ref: 00FB155F
              Strings
              Similarity
              • API ID: _memset
              • String ID: curl$i386-pc-win32
              • API String ID: 2102423945-3250060130
              • Opcode ID: 2da30f058f9b15b72206808a366e922ce53cd0aa412cb2f910294a7a836f147a
              • Instruction ID: 342f93fef2e3a07c36a892a430b9555572c5c827974c03ab6541196d96fae502
              • Opcode Fuzzy Hash: 2da30f058f9b15b72206808a366e922ce53cd0aa412cb2f910294a7a836f147a
              • Instruction Fuzzy Hash: C9717E745083418FC725CF28C490AABB7E6FFCA304F44896DE9C98B356EA35A509CB56
              APIs
              Strings
              Similarity
              • API ID: swprintf
              • String ID: %$+
              • API String ID: 233258989-2626897407
              • Opcode ID: e2cb5ecde8701e9621ec8b21552e024c4a290b91e57a2450e24dca99ee9221e3
              • Instruction ID: 067ee364d70c36e882a93827f26976c4189728f9d574d102ee45bfe40f4265ef
              • Opcode Fuzzy Hash: e2cb5ecde8701e9621ec8b21552e024c4a290b91e57a2450e24dca99ee9221e3
              • Instruction Fuzzy Hash: B0517B73E08300DBD7129E18C8947E77BE9EB55350F244988E9C593396E7398D849BD2
              APIs
              Strings
              Similarity
              • API ID: swprintf
              • String ID: %$+
              • API String ID: 233258989-2626897407
              • Opcode ID: fe58e2f510e05391374ea220361bfa5a980ed2207d8c9a7184fc75aa9e170c48
              • Instruction ID: 24cf271aeb0ea4d561afed5d7e4ea8e4af3a0d47a1af0efad7b431e6db578167
              • Opcode Fuzzy Hash: fe58e2f510e05391374ea220361bfa5a980ed2207d8c9a7184fc75aa9e170c48
              • Instruction Fuzzy Hash: 18516873E08340DBD7159E18C8847EB7BE8EB85750F24494CF991833D2E7398C859B92
              APIs
              Strings
              • FTP response timeout, xrefs: 00FBBA01
              • FTP response aborted due to select/poll error: %d, xrefs: 00FBBA27
              Similarity
              • API ID: ErrorLast
              • String ID: FTP response aborted due to select/poll error: %d$FTP response timeout
              • API String ID: 1452528299-4057338436
              • Opcode ID: a27d0dfd6a69db3924d2084644bdc8220d564da7538ea085f34e3f81f70dec9f
              • Instruction ID: b355aa865ebd7ac8293614ca16be63c10a986928b5052bc4ff2e5782c5335822
              • Opcode Fuzzy Hash: a27d0dfd6a69db3924d2084644bdc8220d564da7538ea085f34e3f81f70dec9f
              • Instruction Fuzzy Hash: 4F41C075A083019BD714DF1ADC41B9BB3E4AF84325F440A2DFD98C6392E7B8D909DE92
              APIs
              • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00F375ED
              Strings
              Similarity
              • API ID: ExecuteShell
              • String ID: app:openWeb?url=$open
              • API String ID: 587946157-1944791042
              • Opcode ID: 56f10f7c0a850e94631e91b9a249e7a83104dab439b595d1291a028b36c8d746
              • Instruction ID: 3574124b3fba92851452e7f338153dbe947983d116c85c1cae1599028379897d
              • Opcode Fuzzy Hash: 56f10f7c0a850e94631e91b9a249e7a83104dab439b595d1291a028b36c8d746
              • Instruction Fuzzy Hash: B741BCB1508340ABD710EF24CC46B5BB7E5FF88724F440A2DF5859B290D77AE948CB96
              Strings
              • Use of IPv6 in *_CONNECT_TO without IPv6 support built-in!, xrefs: 00F9F058
              • No valid port number in connect to host string (%s), xrefs: 00F9F0E9
              Similarity
              • API ID:
              • String ID: No valid port number in connect to host string (%s)$Use of IPv6 in *_CONNECT_TO without IPv6 support built-in!
              • API String ID: 0-4034642053
              • Opcode ID: ffe3564231872e0f46f718df85f6330458327ca4c2d7f0dcd6ceaddb1d1ff9d9
              • Instruction ID: 3858a3fd9e4007e889b379f577c6341dde32066a6d160262e5d76502aff5e75b
              • Opcode Fuzzy Hash: ffe3564231872e0f46f718df85f6330458327ca4c2d7f0dcd6ceaddb1d1ff9d9
              • Instruction Fuzzy Hash: 9A310B71A003415BFB219F65EC8072BBB98EF81731F144439F585CA282D73AC859E752
              APIs
                • Part of subcall function 00F44290: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 00F442F0
                • Part of subcall function 00F12BB0: std::_String_base::_Xlen.LIBCPMT ref: 00F12BE7
                • Part of subcall function 00F12BB0: _memcpy_s.LIBCMT ref: 00F12C36
              • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00F3F800
              Strings
              Similarity
              • API ID: ByteCharExecuteMultiShellString_base::_WideXlen_memcpy_sstd::_
              • String ID: ProductLicenseUrl$open
              • API String ID: 2277037791-3746290764
              • Opcode ID: f3f5552b10b94797c3eba3eff1c77e5da7fc7df7413044de7d9987cdf7ab018f
              • Instruction ID: ad9bc9290217e80b0c0496dffbcedcd6056e6f0b61eb1dac4c98619f3831f055
              • Opcode Fuzzy Hash: f3f5552b10b94797c3eba3eff1c77e5da7fc7df7413044de7d9987cdf7ab018f
              • Instruction Fuzzy Hash: A931A6B1908340AFD714EF64CC82A5BBBE8FB85764F500A2DF5514B281D77AE849CB93
              APIs
              • GetModuleFileNameA.KERNEL32(00000000,?,00000104,8F2D4ADD,.ini,00000000), ref: 00F4499A
              • _strrchr.LIBCMT ref: 00F449A7
              Strings
              Similarity
              • API ID: FileModuleName_strrchr
              • String ID: .ini
              • API String ID: 1375183968-3921635435
              • Opcode ID: ce91a33f96403d7aabd5c6e8e1a3394649eddff20854dd4223fde5ace76ecea1
              • Instruction ID: 04b66f2c4f3453a93aae3cc121b59a993dee440dc52aa8c4551717ce3b556b5b
              • Opcode Fuzzy Hash: ce91a33f96403d7aabd5c6e8e1a3394649eddff20854dd4223fde5ace76ecea1
              • Instruction Fuzzy Hash: B531A2B15083809FD321DF24DC45B9BB7E9AB88710F444A2EF08987391DB39A548DB93
              APIs
              • ScreenToClient.USER32(?,?), ref: 00F14AD2
              • GetClientRect.USER32(?,?), ref: 00F14AE1
              Strings
              Similarity
              • API ID: Client$RectScreen
              • String ID: Button
              • API String ID: 67810849-1034594571
              • Opcode ID: 13daae622d1aa9e38f6084673da7d5055c2459b74ea3e7f11508e692332bee38
              • Instruction ID: f47d15f5754e7881c03a3ae98bf6a397839d798fa3eebdd7d45bb8a236e79b35
              • Opcode Fuzzy Hash: 13daae622d1aa9e38f6084673da7d5055c2459b74ea3e7f11508e692332bee38
              • Instruction Fuzzy Hash: EC218E756087018BD724DF28C880AABB3E5EBD8321F044A2DE996C7390E338FD859794
              APIs
              • GetWindowLongW.USER32(?,000000F4), ref: 00F887F3
              • SendMessageW.USER32(?,0000004E,00000000,?), ref: 00F88826
              Strings
              Similarity
              • API ID: LongMessageSendWindow
              • String ID: textchanged
              • API String ID: 3360111000-1330398090
              • Opcode ID: 3110ec83694190cbc52bfe468399b02a5a21281bc59a3d89de846df905861a72
              • Instruction ID: 178bd09c860b61701a81ffa6b456ae714a393cf5384aaa9186f6ae534d5db9b0
              • Opcode Fuzzy Hash: 3110ec83694190cbc52bfe468399b02a5a21281bc59a3d89de846df905861a72
              • Instruction Fuzzy Hash: C321D571B402049FD730FB58ED84FAEB7E5BB88760F604216E25C87691DB7AE8018B90
              APIs
              Strings
              Similarity
              • API ID: CountFocusTick
              • String ID: killfocus
              • API String ID: 3897604831-1616503811
              • Opcode ID: 2bcfbf4cdec5ef74577a81dacbffea9f281ce8a648ecd0b8994150581d6c2d41
              • Instruction ID: 1f4b4060de6f697e882a4e1f8756b7f1c7f4cab623f2a4c387e5ff7fb6f5d2c1
              • Opcode Fuzzy Hash: 2bcfbf4cdec5ef74577a81dacbffea9f281ce8a648ecd0b8994150581d6c2d41
              • Instruction Fuzzy Hash: DE312770A04742AFD355CF28C440B9AFBE1BF88704F148A2EE5AC97251D7B5A559CB82
              APIs
              Strings
              Similarity
              • API ID: ErrorLastrecv
              • String ID: Recv failure: %s
              • API String ID: 2514157807-4276829032
              • Opcode ID: ea0793de7b57a3adbb3152fea8985d1045630f3f3662ad5ebf4c0bf0e3780d4b
              • Instruction ID: d16b0ad4431440b4c7b489e45999b48fd8f84e3f9d9c630b98520ee7fae5cdb0
              • Opcode Fuzzy Hash: ea0793de7b57a3adbb3152fea8985d1045630f3f3662ad5ebf4c0bf0e3780d4b
              • Instruction Fuzzy Hash: F011C6B67003045BD7109F59EC80BAAB3E9EBCA3A2F10046EF644C7381CB76A8059B61
              APIs
              • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00F335F7
              Strings
              Similarity
              • API ID: ExecuteShell
              • String ID: ContrastPageBuyUrl$open
              • API String ID: 587946157-2694527512
              • Opcode ID: ac386a8b07cdcb524c7688becbc8d9d4b2934d80f87d7693214108bdea9dff2f
              • Instruction ID: 7b39fadcfd0838da57bf7501a6e193bd942424de4d3e8b7911e35c712330bfc7
              • Opcode Fuzzy Hash: ac386a8b07cdcb524c7688becbc8d9d4b2934d80f87d7693214108bdea9dff2f
              • Instruction Fuzzy Hash: 32216DB1208380EFD714DF24C846B1BB7E5BB89B18F400A1DF4996A280D7BAE544DB57
              APIs
              • SendMessageW.USER32(00000000,00000112,0000F020,00000000), ref: 00F40459
              Strings
              Similarity
              • API ID: MessageSend
              • String ID: Click_Min$Home_Installer
              • API String ID: 3850602802-577197087
              • Opcode ID: 5ea28d958a4521a2f4c990978752114c577d4a2364d70cbe7d51d6d92e513ecf
              • Instruction ID: 154978a5e039121e88bbdc7710230e8651628c954e51b841a728e8841b649164
              • Opcode Fuzzy Hash: 5ea28d958a4521a2f4c990978752114c577d4a2364d70cbe7d51d6d92e513ecf
              • Instruction Fuzzy Hash: 8F21A231108340AFC310DB54CC45B9AB7E8FB84714F008A1CF598872D1EB79E548DBA2
              APIs
              • lstrlenA.KERNEL32(?), ref: 00F26861
              • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00F26899
                • Part of subcall function 00F11080: MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,?,00000001,00F243CD,00000003), ref: 00F11098
              Strings
              Similarity
              • API ID: ByteCharExecuteMultiShellWidelstrlen
              • String ID: open
              • API String ID: 1978087685-2758837156
              • Opcode ID: b3b34ab3065b0c008d68ccb306814c16b0ab0830d3fe736becbc07b9a0bebf3e
              • Instruction ID: ad01e0c3af7214baf856b9010aa46a7d813af1c1ab53ac3fc833c6bab4c09029
              • Opcode Fuzzy Hash: b3b34ab3065b0c008d68ccb306814c16b0ab0830d3fe736becbc07b9a0bebf3e
              • Instruction Fuzzy Hash: 1C012831B00354ABDB209F69ECC1BAA73A9EF08721F500129F915DB186CB76EC449750
              APIs
                • Part of subcall function 00FE2ACB: __getptd.LIBCMT ref: 00FE2AD1
                • Part of subcall function 00FE2ACB: __getptd.LIBCMT ref: 00FE2AE1
              • __getptd.LIBCMT ref: 00FE360D
                • Part of subcall function 00FE5938: __getptd_noexit.LIBCMT ref: 00FE593B
                • Part of subcall function 00FE5938: __amsg_exit.LIBCMT ref: 00FE5948
              • __getptd.LIBCMT ref: 00FE361B
              Strings
              Similarity
              • API ID: __getptd$__amsg_exit__getptd_noexit
              • String ID: csm
              • API String ID: 803148776-1018135373
              • Opcode ID: e19a74ec59e38886b2a6237d80a798923043fadc09895cd27ace22c509c2fcdc
              • Instruction ID: e23226c33dc140f2e265894cd81fb892984b4d062375ef66158434f08325e9e4
              • Opcode Fuzzy Hash: e19a74ec59e38886b2a6237d80a798923043fadc09895cd27ace22c509c2fcdc
              • Instruction Fuzzy Hash: 42012C34C02284AFCF349F36D85CAACB3B5AF10721FA4452EE04257361CB399A91EF95
              APIs
              • GetDriveTypeA.KERNEL32(?,?,00FF6FE0,?,00000000,00000007,00000007,?,00FF7125,00000000,?,?,01028DA8,0000000C,00FF0E3C,?), ref: 00FF6FB6
              Strings
              Similarity
              • API ID: DriveType
              • String ID: :$\
              • API String ID: 338552980-1166558509
              • Opcode ID: 6eb2f599bc4c318b67039d000e7ba5ef7f14c0a607cb5be7d5d1b15bf3e9790b
              • Instruction ID: 5a46305cc8ee4f1b10f44b0132bc0c0d854fff126a5d1dd8aee568401de1c668
              • Opcode Fuzzy Hash: 6eb2f599bc4c318b67039d000e7ba5ef7f14c0a607cb5be7d5d1b15bf3e9790b
              • Instruction Fuzzy Hash: F8E0D83070828C5DEF11CE75A4447AA3FDC8F513A8F04C055F95CCE141E631D6158351
              APIs
              Strings
              Similarity
              • API ID: _wcsncpy
              • String ID: Expected start tag
              • API String ID: 1735881322-1525701253
              • Opcode ID: ec737663a66544395df218353d4805d889d7e6ba48d3519f1579badbae41533b
              • Instruction ID: fd3ec085b5493984137971e2cdfc55c3f61ba8497ff96a68b909223c92a55939
              • Opcode Fuzzy Hash: ec737663a66544395df218353d4805d889d7e6ba48d3519f1579badbae41533b
              • Instruction Fuzzy Hash: 0FD05E72F8022533DA256164AC57EAB321D1BB1F10F09022AB800AE385E9DDDA9612E0
              APIs
              • __EH_prolog3.LIBCMT ref: 00FDA08B
              • __CxxThrowException@8.LIBCMT ref: 00FDA0B6
                • Part of subcall function 00FE274B: RaiseException.KERNEL32(?,?,00FDB416,?,?,?,?,?,00FDB416,?,01028E28,010368F0,?,00F12B84,00000000,8F2D4ADD), ref: 00FE278D
              Strings
              • invalid string position, xrefs: 00FDA090
              Similarity
              • API ID: ExceptionException@8H_prolog3RaiseThrow
              • String ID: invalid string position
              • API String ID: 1961742612-1799206989
              • Opcode ID: 5187dfb88ea59550fb4e24c62cf2b8a0fa07c841a14e49647fff6f85d558cfd7
              • Instruction ID: 4263fb8826242dfceac2c6fba0ac5624502dc72766ae965a41887345a846d00c
              • Opcode Fuzzy Hash: 5187dfb88ea59550fb4e24c62cf2b8a0fa07c841a14e49647fff6f85d558cfd7
              • Instruction Fuzzy Hash: A7D01771A1011C9ACB08FBE1CC46FDDB778AF04310F501029F201BA052EBB89A49E764